
Virtumonde won't go [RESOLVED]


This topic is locked

#1
NAVYVET
Member, 18 posts
I have no idea where I got it, but I do. I have tried Ad-Aware: didn't find it; CCleaner: didn't find it; Spybot Search and Destroy: found it, and when I tell it to clean it, I get a BSOD. I tried ComboFix: no joy. I tried VirtumundoBeGone: no joy. That actually got me a BSOD as well when I started the laptop. I tried VundoFix: no joy. As you can tell, I am getting VERY frustrated. Trend Micro PC-cillin won't remove it either.


VirtumundoBeGone results

[05/21/2008, 18:24:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Charles Norris\Desktop\VirtumundoBeGone.exe" )
[05/21/2008, 18:24:13] - Detected System Information:
[05/21/2008, 18:24:13] - Windows Version: 5.1.2600, Service Pack 2
[05/21/2008, 18:24:14] - Current Username: Charles Norris (Admin)
[05/21/2008, 18:24:14] - Windows is in SAFE mode with Networking.
[05/21/2008, 18:24:14] - Searching for Browser Helper Objects:
[05/21/2008, 18:24:14] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/21/2008, 18:24:14] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/21/2008, 18:24:14] - BHO 3: {42e4688b-3dfe-4554-86ec-a20dc17acaaf} ()
[05/21/2008, 18:24:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:14] - Checking for HKLM\...\Winlogon\Notify\fabxmtrd
[05/21/2008, 18:24:14] - Key not found: HKLM\...\Winlogon\Notify\fabxmtrd, continuing.
[05/21/2008, 18:24:14] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/21/2008, 18:24:14] - BHO 5: {57DBEE26-C909-4358-94F3-60F9D1F049B5} ()
[05/21/2008, 18:24:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:14] - Checking for HKLM\...\Winlogon\Notify\hgghFxuU
[05/21/2008, 18:24:14] - Key not found: HKLM\...\Winlogon\Notify\hgghFxuU, continuing.
[05/21/2008, 18:24:14] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/21/2008, 18:24:14] - BHO 7: {714FEA2B-78FC-4CCC-9144-651EE0FC8E4A} ()
[05/21/2008, 18:24:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:14] - Checking for HKLM\...\Winlogon\Notify\ssqNHwTJ
[05/21/2008, 18:24:14] - Key not found: HKLM\...\Winlogon\Notify\ssqNHwTJ, continuing.
[05/21/2008, 18:24:14] - BHO 8: {72D225A9-E3B8-48DF-8D25-BA53624901E8} ()
[05/21/2008, 18:24:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:14] - Checking for HKLM\...\Winlogon\Notify\pmnnMfFy
[05/21/2008, 18:24:14] - Key not found: HKLM\...\Winlogon\Notify\pmnnMfFy, continuing.
[05/21/2008, 18:24:14] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/21/2008, 18:24:14] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/21/2008, 18:24:15] - BHO 11: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[05/21/2008, 18:24:15] - BHO 12: {E243A8E7-6244-49E0-A361-22DBF30FD46C} ()
[05/21/2008, 18:24:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:15] - Checking for HKLM\...\Winlogon\Notify\hggHyWpp
[05/21/2008, 18:24:15] - Found: HKLM\...\Winlogon\Notify\hggHyWpp - This is probably Virtumundo.
[05/21/2008, 18:24:15] - Assigning {E243A8E7-6244-49E0-A361-22DBF30FD46C} MSEvents Object
[05/21/2008, 18:24:15] - BHO list has been changed! Starting over...
[05/21/2008, 18:24:15] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/21/2008, 18:24:15] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/21/2008, 18:24:15] - BHO 3: {42e4688b-3dfe-4554-86ec-a20dc17acaaf} ()
[05/21/2008, 18:24:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:15] - Checking for HKLM\...\Winlogon\Notify\fabxmtrd
[05/21/2008, 18:24:15] - Key not found: HKLM\...\Winlogon\Notify\fabxmtrd, continuing.
[05/21/2008, 18:24:15] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/21/2008, 18:24:15] - BHO 5: {57DBEE26-C909-4358-94F3-60F9D1F049B5} ()
[05/21/2008, 18:24:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:15] - Checking for HKLM\...\Winlogon\Notify\hgghFxuU
[05/21/2008, 18:24:15] - Key not found: HKLM\...\Winlogon\Notify\hgghFxuU, continuing.
[05/21/2008, 18:24:15] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/21/2008, 18:24:15] - BHO 7: {714FEA2B-78FC-4CCC-9144-651EE0FC8E4A} ()
[05/21/2008, 18:24:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:15] - Checking for HKLM\...\Winlogon\Notify\ssqNHwTJ
[05/21/2008, 18:24:15] - Key not found: HKLM\...\Winlogon\Notify\ssqNHwTJ, continuing.
[05/21/2008, 18:24:15] - BHO 8: {72D225A9-E3B8-48DF-8D25-BA53624901E8} ()
[05/21/2008, 18:24:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:15] - Checking for HKLM\...\Winlogon\Notify\pmnnMfFy
[05/21/2008, 18:24:15] - Key not found: HKLM\...\Winlogon\Notify\pmnnMfFy, continuing.
[05/21/2008, 18:24:15] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/21/2008, 18:24:15] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/21/2008, 18:24:15] - BHO 11: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[05/21/2008, 18:24:15] - BHO 12: {E243A8E7-6244-49E0-A361-22DBF30FD46C} (MSEvents Object)
[05/21/2008, 18:24:15] - ALERT: Found MSEvents Object!
[05/21/2008, 18:24:16] - BHO 13: {F9A76A93-D5B8-4492-9710-0D00BF3FE2D8} ()
[05/21/2008, 18:24:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:16] - Checking for HKLM\...\Winlogon\Notify\ddCUoMcY
[05/21/2008, 18:24:16] - Key not found: HKLM\...\Winlogon\Notify\ddCUoMcY, continuing.
[05/21/2008, 18:24:16] - Finished Searching Browser Helper Objects
[05/21/2008, 18:24:16] - *** Detected MSEvents Object
[05/21/2008, 18:24:16] - Trying to remove MSEvents Object...
[05/21/2008, 18:24:17] - Terminating Process: IEXPLORE.EXE
[05/21/2008, 18:24:17] - Terminating Process: RUNDLL32.EXE
[05/21/2008, 18:24:17] - Disabling Automatic Shell Restart
[05/21/2008, 18:24:17] - Terminating Process: EXPLORER.EXE
[05/21/2008, 18:24:17] - Suspending the NT Session Manager System Service
[05/21/2008, 18:24:18] - Terminating Windows NT Logon/Logoff Manager
[05/21/2008, 18:24:18] - Re-enabling Automatic Shell Restart
[05/21/2008, 18:24:18] - File to disable: C:\WINDOWS\system32\hggHyWpp.dll
[05/21/2008, 18:24:18] - Renaming C:\WINDOWS\system32\hggHyWpp.dll -> C:\WINDOWS\system32\hggHyWpp.dll.vir
[05/21/2008, 18:24:18] - File successfully renamed!
[05/21/2008, 18:24:18] - Removing HKLM\...\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}
[05/21/2008, 18:24:18] - Removing HKCR\CLSID\{E243A8E7-6244-49E0-A361-22DBF30FD46C}
[05/21/2008, 18:24:18] - Adding Kill Bit for ActiveX for GUID: {E243A8E7-6244-49E0-A361-22DBF30FD46C}
[05/21/2008, 18:24:18] - Deleting ATLEvents/MSEvents Registry entries
[05/21/2008, 18:24:18] - Removing HKLM\...\Winlogon\Notify\hggHyWpp
[05/21/2008, 18:24:18] - Searching for Browser Helper Objects:
[05/21/2008, 18:24:18] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[05/21/2008, 18:24:18] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/21/2008, 18:24:18] - BHO 3: {42e4688b-3dfe-4554-86ec-a20dc17acaaf} ()
[05/21/2008, 18:24:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:19] - Checking for HKLM\...\Winlogon\Notify\fabxmtrd
[05/21/2008, 18:24:19] - Key not found: HKLM\...\Winlogon\Notify\fabxmtrd, continuing.
[05/21/2008, 18:24:19] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/21/2008, 18:24:19] - BHO 5: {57DBEE26-C909-4358-94F3-60F9D1F049B5} ()
[05/21/2008, 18:24:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:19] - Checking for HKLM\...\Winlogon\Notify\hgghFxuU
[05/21/2008, 18:24:19] - Key not found: HKLM\...\Winlogon\Notify\hgghFxuU, continuing.
[05/21/2008, 18:24:19] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/21/2008, 18:24:19] - BHO 7: {714FEA2B-78FC-4CCC-9144-651EE0FC8E4A} ()
[05/21/2008, 18:24:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:19] - Checking for HKLM\...\Winlogon\Notify\ssqNHwTJ
[05/21/2008, 18:24:19] - Key not found: HKLM\...\Winlogon\Notify\ssqNHwTJ, continuing.
[05/21/2008, 18:24:19] - BHO 8: {72D225A9-E3B8-48DF-8D25-BA53624901E8} ()
[05/21/2008, 18:24:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:19] - Checking for HKLM\...\Winlogon\Notify\pmnnMfFy
[05/21/2008, 18:24:19] - Key not found: HKLM\...\Winlogon\Notify\pmnnMfFy, continuing.
[05/21/2008, 18:24:19] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/21/2008, 18:24:19] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/21/2008, 18:24:19] - BHO 11: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[05/21/2008, 18:24:19] - BHO 12: {F9A76A93-D5B8-4492-9710-0D00BF3FE2D8} ()
[05/21/2008, 18:24:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/21/2008, 18:24:19] - Checking for HKLM\...\Winlogon\Notify\ddCUoMcY
[05/21/2008, 18:24:20] - Key not found: HKLM\...\Winlogon\Notify\ddCUoMcY, continuing.
[05/21/2008, 18:24:20] - Finished Searching Browser Helper Objects
[05/21/2008, 18:24:20] - Finishing up...
[05/21/2008, 18:24:20] - A restart is needed.
[05/21/2008, 18:24:20] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/21/2008, 18:24:25] - Attempting to Restart via STOP error (Blue Screen!)


Panda ActiveScan Results

;*******************************************************************************
ANALYSIS: 2008-05-21 22:01:10
PROTECTIONS: 1
MALWARE: 24
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Trend Micro PC-cillin Internet Security 12.7.1019 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\charles norris\favorites\health
00055522 Eicar.Mod Virus No 0 No No C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Charles Norris\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Charles Norris\Local Settings\Temp\nsm5.tmp
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Charles Norris\Cookies\[email protected][1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Charles Norris\Cookies\[email protected][1].txt
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Charles Norris\Desktop\VirtumundoBeGone.exe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\RECYCLER\S-1-5-21-206477445-1129975854-549022975-1005\Dc1.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096599.EXE
02164907 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\DIGStream\digstream.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096585.sys
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096542.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\cvwhwotd.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096538.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ckhebday.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mroksvyt.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096526.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096525.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\oqejusfw.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096535.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096522.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\udjnyyun.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\xfyyvhbl.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\arbypqqd.exe.vir
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096545.exe
02975133 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP365\A0085214.dll
02976804 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP365\A0085105.dll
02976834 Generic Trojan Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mnrdjaje.dll.vir
02976834 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096534.dll
02978676 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096537.dll
02978676 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\omqtscgc.dll.vir
02978749 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nnmunkuq.dll.vir
02978749 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096536.dll
02980300 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP368\A0087643.dll
02980337 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096527.dll
02980337 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\dlvthvut.dll.vir
02980347 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\twwnoley.dll.vir
02980347 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096541.dll
02980934 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\fmxofrtd.dll.vir
02980934 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096529.dll
02981909 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096533.dll
02981909 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mglfkdni.dll.vir
02983888 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0093467.dll
02983889 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\orhgwgjp.dll.vir
02983889 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096539.dll
02983998 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\imbxdxxi.dll
02983998 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\cywasjat.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
182048 HIGH MS07-069
;===============================================================================

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:28 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GE Security\AKeyPCSyncService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.trendmls.com/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PrintAudit5] C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc0f1c2] rundll32.exe "C:\WINDOWS\system32\xkhqeacv.dll",b
O4 - HKLM\..\Run: [BMeff3c25e] Rundll32.exe "C:\WINDOWS\system32\sypapihm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: agents_laptop.bat
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/im.../SYSSCANNER.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188007322140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188007306171
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} -
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ActiveKEY PCSync (AKeyPCSyncService) - GE Security Inc - C:\Program Files\GE Security\AKeyPCSyncService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12977 bytes

Edited by NAVYVET, 21 May 2008 - 08:25 PM.

  • 0
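Read side by side, the three logs in the post above show the pattern VirtumundoBeGone keys on: a Browser Helper Object whose CLSID has no default name, whose DLL (hggHyWpp.dll) is also registered as a Winlogon Notify package, plus two HKLM Run entries that start rundll32.exe on an eight-letter DLL in system32 through a one-letter export (",b" and ",s"). The script below is an added example, not code from this thread or from VirtumundoBeGone, HijackThis or Panda; it applies those same checks to HijackThis-format lines. The sample input is constructed: the O4 lines are copied from the HijackThis log above, while the nameless O2 BHO line and the O20 Winlogon Notify line are written in HijackThis's format for the hggHyWpp pair that VirtumundoBeGone reported (the posted HijackThis log does not contain them). The function names (`triage`, `stem`) and the eight-letter-name test are mine; that test is a triage hint only, since legitimate DLLs can match it.

```python
"""Triage HijackThis log lines for the Virtumonde/Vundo persistence pattern
seen in this thread: BHOs with no registered name, a matching Winlogon
Notify package, and Run entries that load a randomly named DLL via rundll32.
Added example; not part of the original thread or of any tool named in it."""
import re

# Constructed sample, not a full HijackThis log. The two rundll32 O4 lines are
# copied from the log posted in the thread; the "(no name)" O2 line and the
# "Winlogon Notify" O20 line are written in HijackThis format for the
# hggHyWpp BHO/Notify pair that VirtumundoBeGone found (assumed format); the
# remaining lines are benign entries from the same log, kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\hggHyWpp.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ecc0f1c2] rundll32.exe "C:\WINDOWS\system32\xkhqeacv.dll",b
O4 - HKLM\..\Run: [BMeff3c25e] Rundll32.exe "C:\WINDOWS\system32\sypapihm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: hggHyWpp - C:\WINDOWS\system32\hggHyWpp.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# rundll32 <dll>,<export>; the entries on this page use a single-letter export.
RUNDLL_RE = re.compile(
    r'^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)$',
    re.IGNORECASE,
)
# Eight alphabetic characters and nothing else, like the generated names on this
# page (xkhqeacv, sypapihm, hggHyWpp). Legitimate names can match: hint only.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")


def stem(path):
    """File name without directory or extension, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return {log line: [reasons]} for lines that deserve a closer look."""
    findings = {}
    notify_names = set()   # Winlogon Notify package names, lower-cased
    bho_lines = []         # (line, match) for every O2 entry, for the cross-check

    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        reasons = []
        if m := O20_NOTIFY_RE.match(line):
            notify_names.add(m.group("name").lower())
            if RANDOM_STEM_RE.match(stem(m.group("path"))):
                reasons.append("Winlogon Notify DLL with a random-looking name")
        elif m := O2_RE.match(line):
            bho_lines.append((line, m))
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if RANDOM_STEM_RE.match(stem(m.group("path"))):
                reasons.append("BHO DLL with a random-looking name")
        elif m := O4_RE.match(line):
            if r := RUNDLL_RE.match(m.group("cmd")):
                if len(r.group("export")) == 1:
                    reasons.append(f'rundll32 entry point is a single letter ("{r.group("export")}")')
                if RANDOM_STEM_RE.match(stem(r.group("dll"))):
                    reasons.append("autorun DLL with a random-looking name")
        if reasons:
            findings[line] = reasons

    # The check VirtumundoBeGone's own log shows: a nameless BHO whose DLL is
    # also registered as a Winlogon Notify package.
    for line, m in bho_lines:
        if m.group("name") == "(no name)" and stem(m.group("path")).lower() in notify_names:
            findings.setdefault(line, []).append(
                "nameless BHO DLL is also a Winlogon Notify package (Virtumundo pattern)")
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run as a script it prints the four flagged lines with their reasons; `triage()` returns a dict keyed by line so the result can be fed elsewhere. The Notify cross-check is the part worth keeping: the Notify registration is what loads the DLL into winlogon.exe at every logon, which is why the VirtumundoBeGone log above shows it terminating the "Windows NT Logon/Logoff Manager" before it can rename the file.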



#2
NAVYVET (Topic Starter)
Member, 18 posts
I'm not sure if it has anything to do with Virtumundo or not, but now Firefox won't connect to the internet. It loads indefinitely and never times out. IE works fine.
  • 0

#3
RatHat
Ex Malware Expert, 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.

OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Regards,
RatHat
  • 0

#4
NAVYVET

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here are the results.

ComboFix 08-05-21.3 - Charles Norris 2008-05-23 14:32:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.348 [GMT -4:00]
Running from: C:\Documents and Settings\Charles Norris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXRlMed.dll
C:\WINDOWS\system32\cywasjat.dll
C:\WINDOWS\system32\dnedpgit.dll
C:\WINDOWS\system32\ehvgytai.exe
C:\WINDOWS\system32\fabxmtrd.dll
C:\WINDOWS\system32\faqhasot.exe
C:\WINDOWS\system32\hgghFxuU.dll
C:\WINDOWS\system32\hqerclql.ini
C:\WINDOWS\system32\imbxdxxi.dll
C:\WINDOWS\system32\jntyqdpb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sypapihm.dll
C:\WINDOWS\system32\UuxFhggh.ini
C:\WINDOWS\system32\UuxFhggh.ini2
C:\WINDOWS\system32\vcaeqhkx.ini
C:\WINDOWS\system32\yayaAqoo.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-22 17:04 . 2008-05-22 17:04 115,200 --a------ C:\WINDOWS\system32\lqlcreqh.dll
2008-05-22 17:01 . 2008-05-22 17:01 134,144 --a------ C:\WINDOWS\system32\hrpudfgy.dll
2008-05-22 16:55 . 2008-05-22 16:55 126,464 --a------ C:\WINDOWS\system32\cmmjebjo.dll
2008-05-21 22:30 . 2008-05-21 22:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 22:30 . 2008-05-21 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 18:43 . 2008-05-21 18:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:10 . 2008-05-21 18:10 <DIR> d-------- C:\VundoFix Backups
2008-05-21 17:22 . 2008-05-21 17:35 354 ---hs---- C:\WINDOWS\system32\stprdtby.ini
2008-05-21 16:53 . 2008-05-21 16:53 0 --a------ C:\WINDOWS\BMeff3c25e.xml
2008-05-17 11:53 . 2008-05-20 21:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-17 11:53 . 2008-05-20 21:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Sonic
2008-05-13 19:06 . 2008-05-13 19:06 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Leadertech
2008-05-10 22:52 . 2008-05-10 22:52 57,856 --a------ C:\WINDOWS\system32\hggHyWpp.dll.vir
2008-05-09 17:29 . 2008-05-09 21:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DivX
2008-05-09 17:23 . 2008-05-09 17:24 <DIR> d-------- C:\Program Files\DivX
2008-05-09 17:23 . 2008-03-21 16:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-05-09 08:02 . 2008-05-09 08:02 <DIR> d-------- C:\Program Files\DNA
2008-05-09 08:02 . 2008-05-23 14:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DNA
2008-05-08 21:19 . 2008-05-08 21:19 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\IEPro
2008-05-08 21:18 . 2008-05-08 21:19 <DIR> d-------- C:\Program Files\IEPro
2008-05-05 15:24 . 2008-05-05 15:24 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Windows Desktop Search
2008-05-05 15:23 . 2008-05-05 15:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-05-05 15:21 . 2006-09-15 08:36 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-05-05 15:21 . 2006-09-15 08:36 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-05-05 13:55 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-05 13:44 . 2008-05-05 13:44 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-05 13:43 . 2008-05-17 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-04 21:35 . 2008-05-04 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-02 22:11 . 2008-05-02 23:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\ICAClient
2008-05-02 21:59 . 2008-05-02 21:59 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 22:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 22:39 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 14:19 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-16 00:06 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\AdobeUM
2008-05-11 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-05 17:52 --------- d-----w C:\Program Files\Microsoft Works
2008-05-05 17:51 --------- d-----w C:\Program Files\MSBuild
2008-05-04 11:55 37,573 ----a-w C:\Program Files\Lab1_NORRIS.xlsx
2008-04-18 22:11 --------- d-----w C:\Program Files\Apple Software Update
2008-04-13 13:00 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-08 23:19 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 00:44 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Apple Computer
2008-04-05 00:13 --------- d-----w C:\Program Files\Dave Ramsey's Financial Peace Financial Software
2008-04-04 21:35 --------- d-----w C:\Program Files\iTunes
2008-04-04 21:35 --------- d-----w C:\Program Files\iPod
2008-04-04 21:33 --------- d-----w C:\Program Files\QuickTime
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-30 13:37 --------- d-----w C:\Program Files\GE Security
2008-03-30 13:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:41 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-04-26 21:08 13,164 -c--a-w C:\Documents and Settings\Charles Norris\Application Data\wklnhst.dat
2008-02-08 01:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 01:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 01:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 01:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 01:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 01:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 01:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-16 21:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 21:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 21:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 16:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 01:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_16.54.07.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 20:45:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 18:37:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-03 20:19:51 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
+ 2008-05-23 00:53:03 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
+ 2008-05-23 00:53:02 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
- 2008-05-03 20:19:51 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2008-05-23 00:53:03 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2007-10-08 00:17:14 5,139 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-05-22 22:03:08 5,674 -c--a-w C:\WINDOWS\mozver.dat
- 2008-05-18 20:57:59 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-05-22 22:04:11 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79ec44-5114-42c4-8742-08a8682bd0b6}]
2008-05-22 17:01 134144 --a------ C:\WINDOWS\system32\hrpudfgy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{714FEA2B-78FC-4CCC-9144-651EE0FC8E4A}]
C:\WINDOWS\system32\ssqNHwTJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72D225A9-E3B8-48DF-8D25-BA53624901E8}]
C:\WINDOWS\system32\pmnnMfFy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9A76A93-D5B8-4492-9710-0D00BF3FE2D8}]
C:\WINDOWS\system32\ddCUoMcY.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-09 08:02 289088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 11:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 11:28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 11:44 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 11:45 118784]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 11:41 77824]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PrintAudit5"="C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe" [2007-04-09 17:03 800320]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"ecc0f1c2"="C:\WINDOWS\system32\lqlcreqh.dll" [2008-05-22 17:04 115200]
"BMeff3c25e"="C:\WINDOWS\system32\cmmjebjo.dll" [2008-05-22 16:55 126464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2008-05-03 16:19:51 25214]
agents_laptop.bat [2007-09-27 14:55:07 1051]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 20:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-29 10:41:39 24576]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles Norris^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Charles Norris\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2007-04-02 05:24 113400 C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-29 10:49 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Adware-Spware Removal]
C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:47 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"C:\\Program Files\\SkillSoft\\jre\\bin\\java.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3689:TCP"= 3689:TCP:iTUNES

R2 AKeyPCSyncService;ActiveKEY PCSync;"C:\Program Files\GE Security\AKeyPCSyncService.exe" [2007-06-21 14:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 23:34:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 13:00:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208091559.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 14:38:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lqlcreqh.dll
-> C:\WINDOWS\system32\cmmjebjo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\GE Security Supra\SyncService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-05-23 14:45:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 18:45:29
ComboFix2.txt 2008-05-21 20:55:23

Pre-Run: 67,507,208,192 bytes free
Post-Run: 67,601,129,472 bytes free

286 --- E O F --- 2007-06-13 02:30:02




By the way. I have to do everything from another computer. My laptop won't get to ANY web page I put in, bookmarked or not, past the front page. I try to go further into the site and it gets about 3 bars of loading and won't go any further.
  • 0

#5
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK! Let's install the recovery console first, then continue cleaning your machine.

Delete the version of Combofix that you have. Download a new version from Here, Here or Here and save it to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\lqlcreqh.dll
C:\WINDOWS\system32\hrpudfgy.dll
C:\WINDOWS\system32\cmmjebjo.dll
C:\WINDOWS\system32\stprdtby.ini
C:\WINDOWS\BMeff3c25e.xml
C:\WINDOWS\system32\hggHyWpp.dll.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79ec44-5114-42c4-8742-08a8682bd0b6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{714FEA2B-78FC-4CCC-9144-651EE0FC8E4A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72D225A9-E3B8-48DF-8D25-BA53624901E8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9A76A93-D5B8-4492-9710-0D00BF3FE2D8}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ecc0f1c2"=-
"BMeff3c25e"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.


Let me know how the computer is performing after completing the above, and if you can access the web.

Regards,
RatHat
  • 0
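The CFScript in post #5 is RatHat reading the ComboFix log from post #4: three freshly dropped system32 DLLs registered as Browser Helper Objects and as Run values, plus a CLSID pointing at a DLL that is no longer there. The script below is an added example (not from the thread and not part of ComboFix) that applies that reading mechanically to a trimmed copy of the post #4 log and drafts the same File::/Registry:: layout; the two heuristics it relies on (a dropped file keeps created == modified, and a BHO line without date/size means ComboFix did not find the file) are assumptions of this example, not documented ComboFix behaviour.

```python
import re

# Constructed excerpt of the ComboFix log from post #4 above, trimmed to the
# lines the heuristics need (paths and timestamps are copied from that log).
LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-22 17:04 . 2008-05-22 17:04 115,200 --a------ C:\WINDOWS\system32\lqlcreqh.dll
2008-05-22 17:01 . 2008-05-22 17:01 134,144 --a------ C:\WINDOWS\system32\hrpudfgy.dll
2008-05-22 16:55 . 2008-05-22 16:55 126,464 --a------ C:\WINDOWS\system32\cmmjebjo.dll
2008-05-21 16:53 . 2008-05-21 16:53 0 --a------ C:\WINDOWS\BMeff3c25e.xml
2008-05-09 17:23 . 2008-03-21 16:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79ec44-5114-42c4-8742-08a8682bd0b6}]
2008-05-22 17:01 134144 --a------ C:\WINDOWS\system32\hrpudfgy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{714FEA2B-78FC-4CCC-9144-651EE0FC8E4A}]
C:\WINDOWS\system32\ssqNHwTJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"ecc0f1c2"="C:\WINDOWS\system32\lqlcreqh.dll" [2008-05-22 17:04 115200]
"BMeff3c25e"="C:\WINDOWS\system32\cmmjebjo.dll" [2008-05-22 16:55 126464]
"""

STAMP = r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}'
FILE_LINE = re.compile(r'^(%s) \. (%s) (?:[\d,]+|<DIR>) \S+ (.+)$' % (STAMP, STAMP))
BHO_LINE = re.compile(r'^(%s \d+ \S+ )?(.+)$' % STAMP)   # date/size/attrs prefix is optional
KEY_LINE = re.compile(r'^\[(.+)\]$')
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
SYSTEM32 = re.compile(r'^C:\\WINDOWS\\system32\\[^\\]+$', re.I)

def parse_files_created(log):
    """Map each path in the 'Files Created' section to (created, modified)."""
    files, in_section = {}, False
    for line in log.splitlines():
        if 'Files Created from' in line:
            in_section = True
        elif in_section and line.startswith('((((('):
            break                                   # next banner ends the section
        elif in_section:
            m = FILE_LINE.match(line)
            if m:
                files[m.group(3)] = (m.group(1), m.group(2))
    return files

def parse_loading_points(log):
    """Return BHO key -> (target path, metadata shown) and Run key -> [(name, image)]."""
    bhos, runs, key = {}, {}, None
    for line in log.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
        elif key and line and line != '.':
            if 'Browser Helper Objects' in key:
                m = BHO_LINE.match(line)
                # Assumption: a bare path (no date/size) means ComboFix could not find the file.
                bhos[key] = (m.group(2), m.group(1) is not None)
            elif key.lower().endswith(r'\currentversion\run'):
                m = RUN_VALUE.match(line)
                if m:
                    runs.setdefault(key, []).append(m.groups())
    return bhos, runs

def triage(log):
    """Apply the heuristics; return (files to delete, keys to delete, {key: value names})."""
    created = parse_files_created(log)
    bhos, runs = parse_loading_points(log)
    files, dead_keys, dead_values = [], [], {}
    for key, (path, found) in bhos.items():
        # Assumption: a file written in place (dropped) keeps created == modified,
        # while installer-copied files such as pxafs.dll retain an older modified time.
        dropped = path in created and created[path][0] == created[path][1]
        if SYSTEM32.match(path) and (dropped or not found):
            dead_keys.append(key)
            if found:
                files.append(path)
    for key, values in runs.items():
        for name, image in values:
            if image.lower().endswith('.dll'):      # a Run value cannot launch a DLL directly
                dead_values.setdefault(key, []).append(name)
                files.append(image)
                # The log pairs Run value "BMeff3c25e" with C:\WINDOWS\BMeff3c25e.xml;
                # pick up any created file named after a flagged value.
                files += [p for p in created if p.lower().endswith('\\%s.xml' % name.lower())]
    return list(dict.fromkeys(files)), dead_keys, dead_values

def build_cfscript(files, dead_keys, dead_values):
    """Render the findings in the CFScript layout used in post #5."""
    out = ['File::'] + files + ['', 'Registry::']
    for key in dead_keys:
        out += ['[-%s]' % key, '']                  # leading '-' deletes the whole key
    for key, names in dead_values.items():
        out += ['[%s]' % key] + ['"%s"=-' % n for n in names] + ['']   # '=-' deletes one value
    return '\n'.join(out).rstrip('\n') + '\n'

if __name__ == '__main__':
    print(build_cfscript(*triage(LOG)))
```

Run against the full log it reproduces the DLL and BHO/Run entries of RatHat's script; the companion files he also listed (stprdtby.ini, hggHyWpp.dll.vir) come from inspection of the log, not from these heuristics.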

#6
NAVYVET

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ComboFix 08-05-21.3 - Charles Norris 2008-05-23 20:58:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.375 [GMT -4:00]
Running from: C:\Documents and Settings\Charles Norris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charles Norris\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMeff3c25e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hqerclql.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 16:48 . 2008-05-23 16:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-23 15:50 . 2008-05-23 15:50 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Malwarebytes
2008-05-23 15:50 . 2008-05-23 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 15:49 . 2008-05-23 15:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-22 17:04 . 2008-05-22 17:04 115,200 --a------ C:\WINDOWS\system32\lqlcreqh.dll
2008-05-22 17:01 . 2008-05-22 17:01 134,144 --a------ C:\WINDOWS\system32\hrpudfgy.dll
2008-05-22 16:55 . 2008-05-22 16:55 126,464 --a------ C:\WINDOWS\system32\cmmjebjo.dll
2008-05-21 22:30 . 2008-05-23 16:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 22:30 . 2008-05-21 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 18:43 . 2008-05-21 18:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:10 . 2008-05-21 18:10 <DIR> d-------- C:\VundoFix Backups
2008-05-21 17:22 . 2008-05-21 17:35 354 ---hs---- C:\WINDOWS\system32\stprdtby.ini
2008-05-17 11:53 . 2008-05-23 15:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-17 11:53 . 2008-05-23 15:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Sonic
2008-05-13 19:06 . 2008-05-13 19:06 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Leadertech
2008-05-10 22:52 . 2008-05-10 22:52 57,856 --a------ C:\WINDOWS\system32\hggHyWpp.dll.vir
2008-05-09 17:29 . 2008-05-09 21:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DivX
2008-05-09 17:23 . 2008-05-09 17:24 <DIR> d-------- C:\Program Files\DivX
2008-05-09 17:23 . 2008-03-21 16:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-05-09 08:02 . 2008-05-09 08:02 <DIR> d-------- C:\Program Files\DNA
2008-05-09 08:02 . 2008-05-23 20:57 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DNA
2008-05-08 21:19 . 2008-05-08 21:19 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\IEPro
2008-05-08 21:18 . 2008-05-08 21:19 <DIR> d-------- C:\Program Files\IEPro
2008-05-05 15:24 . 2008-05-05 15:24 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Windows Desktop Search
2008-05-05 15:23 . 2008-05-05 15:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-05-05 15:21 . 2006-09-15 08:36 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-05-05 15:21 . 2006-09-15 08:36 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-05-05 13:55 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-05 13:44 . 2008-05-05 13:44 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-05 13:43 . 2008-05-17 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-04 21:35 . 2008-05-04 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-02 22:11 . 2008-05-02 23:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\ICAClient
2008-05-02 21:59 . 2008-05-02 21:59 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 22:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 22:39 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 14:19 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-16 00:06 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\AdobeUM
2008-05-11 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-05 17:52 --------- d-----w C:\Program Files\Microsoft Works
2008-05-05 17:51 --------- d-----w C:\Program Files\MSBuild
2008-05-04 11:55 37,573 ----a-w C:\Program Files\Lab1_NORRIS.xlsx
2008-04-18 22:11 --------- d-----w C:\Program Files\Apple Software Update
2008-04-13 13:00 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-08 23:19 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 00:44 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Apple Computer
2008-04-05 00:13 --------- d-----w C:\Program Files\Dave Ramsey's Financial Peace Financial Software
2008-04-04 21:35 --------- d-----w C:\Program Files\iTunes
2008-04-04 21:35 --------- d-----w C:\Program Files\iPod
2008-04-04 21:33 --------- d-----w C:\Program Files\QuickTime
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-30 13:37 --------- d-----w C:\Program Files\GE Security
2008-03-30 13:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:29 2,984 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 118,520 ----a-w C:\WINDOWS\system32\PxInsI64.exe
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 22:41 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-04-26 21:08 13,164 -c--a-w C:\Documents and Settings\Charles Norris\Application Data\wklnhst.dat
2008-02-08 01:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 01:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 01:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 01:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 01:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 01:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 01:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-16 21:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 21:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 21:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 16:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 01:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_16.54.07.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 20:45:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 20:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-03 20:19:51 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
+ 2008-05-23 00:53:03 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
+ 2008-05-23 00:53:02 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
- 2008-05-03 20:19:51 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2008-05-23 00:53:03 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2007-10-08 00:17:14 5,139 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-05-23 21:13:58 6,310 -c--a-w C:\WINDOWS\mozver.dat
- 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 00:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-25 00:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-05-18 20:57:59 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-05-22 22:04:11 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79ec44-5114-42c4-8742-08a8682bd0b6}]
2008-05-22 17:01 134144 --a------ C:\WINDOWS\system32\hrpudfgy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{714FEA2B-78FC-4CCC-9144-651EE0FC8E4A}]
C:\WINDOWS\system32\ssqNHwTJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72D225A9-E3B8-48DF-8D25-BA53624901E8}]
C:\WINDOWS\system32\pmnnMfFy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9A76A93-D5B8-4492-9710-0D00BF3FE2D8}]
C:\WINDOWS\system32\ddCUoMcY.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-09 08:02 289088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 11:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 11:28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 11:44 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 11:45 118784]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 11:41 77824]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PrintAudit5"="C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe" [2007-04-09 17:03 800320]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"ecc0f1c2"="C:\WINDOWS\system32\lqlcreqh.dll" [2008-05-22 17:04 115200]
"BMeff3c25e"="C:\WINDOWS\system32\cmmjebjo.dll" [2008-05-22 16:55 126464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2008-05-03 16:19:51 25214]
agents_laptop.bat [2007-09-27 14:55:07 1051]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 20:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-29 10:41:39 24576]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles Norris^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Charles Norris\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2007-04-02 05:24 113400 C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-29 10:49 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Adware-Spware Removal]
C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:47 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"C:\\Program Files\\SkillSoft\\jre\\bin\\java.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3689:TCP"= 3689:TCP:iTUNES

R2 AKeyPCSyncService;ActiveKEY PCSync;"C:\Program Files\GE Security\AKeyPCSyncService.exe" [2007-06-21 14:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 23:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 13:00:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208091559.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 20:59:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-23 21:02:22
ComboFix-quarantined-files.txt 2008-05-24 01:01:19
ComboFix2.txt 2008-05-23 18:45:39
ComboFix3.txt 2008-05-21 20:55:23

Pre-Run: 67,460,526,080 bytes free
Post-Run: 67,428,483,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

276 --- E O F --- 2007-06-13 02:30:02


================================================================================
================================================================================



ComboFix 08-05-21.3 - Charles Norris 2008-05-23 21:10:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -4:00]
Running from: C:\Documents and Settings\Charles Norris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charles Norris\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMeff3c25e.xml
C:\WINDOWS\system32\cmmjebjo.dll
C:\WINDOWS\system32\hggHyWpp.dll.vir
C:\WINDOWS\system32\hrpudfgy.dll
C:\WINDOWS\system32\lqlcreqh.dll
C:\WINDOWS\system32\stprdtby.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cmmjebjo.dll
C:\WINDOWS\system32\hggHyWpp.dll.vir
C:\WINDOWS\system32\hrpudfgy.dll
C:\WINDOWS\system32\lqlcreqh.dll
C:\WINDOWS\system32\stprdtby.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 16:48 . 2008-05-23 16:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-23 15:50 . 2008-05-23 15:50 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Malwarebytes
2008-05-23 15:50 . 2008-05-23 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 15:49 . 2008-05-23 15:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-22 18:13 . 2008-05-22 18:13 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-21 22:30 . 2008-05-23 16:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 22:30 . 2008-05-21 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 18:43 . 2008-05-21 18:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:10 . 2008-05-21 18:10 <DIR> d-------- C:\VundoFix Backups
2008-05-17 11:53 . 2008-05-23 15:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-17 11:53 . 2008-05-23 15:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Sonic
2008-05-13 19:06 . 2008-05-13 19:06 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Leadertech
2008-05-09 17:29 . 2008-05-09 21:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DivX
2008-05-09 17:23 . 2008-05-09 17:24 <DIR> d-------- C:\Program Files\DivX
2008-05-09 17:23 . 2008-03-21 16:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-05-09 08:02 . 2008-05-09 08:02 <DIR> d-------- C:\Program Files\DNA
2008-05-09 08:02 . 2008-05-23 21:07 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\DNA
2008-05-08 21:19 . 2008-05-08 21:19 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\IEPro
2008-05-08 21:18 . 2008-05-08 21:19 <DIR> d-------- C:\Program Files\IEPro
2008-05-05 15:24 . 2008-05-05 15:24 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\Windows Desktop Search
2008-05-05 15:23 . 2008-05-05 15:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-05-05 15:21 . 2006-09-15 08:36 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-05-05 15:21 . 2006-09-15 08:36 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-05-05 13:55 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-05 13:44 . 2008-05-05 13:44 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-05 13:43 . 2008-05-17 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-04 21:35 . 2008-05-04 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 16:20 . 2008-05-03 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-02 22:11 . 2008-05-02 23:36 <DIR> d-------- C:\Documents and Settings\Charles Norris\Application Data\ICAClient
2008-05-02 21:59 . 2008-05-02 21:59 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 22:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 22:39 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 14:19 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-16 00:06 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\AdobeUM
2008-05-11 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-05 17:52 --------- d-----w C:\Program Files\Microsoft Works
2008-05-05 17:51 --------- d-----w C:\Program Files\MSBuild
2008-05-04 11:55 37,573 ----a-w C:\Program Files\Lab1_NORRIS.xlsx
2008-04-18 22:11 --------- d-----w C:\Program Files\Apple Software Update
2008-04-13 13:00 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 12:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-08 23:19 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 00:44 --------- d-----w C:\Documents and Settings\Charles Norris\Application Data\Apple Computer
2008-04-05 00:13 --------- d-----w C:\Program Files\Dave Ramsey's Financial Peace Financial Software
2008-04-04 21:35 --------- d-----w C:\Program Files\iTunes
2008-04-04 21:35 --------- d-----w C:\Program Files\iPod
2008-04-04 21:33 --------- d-----w C:\Program Files\QuickTime
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-30 13:37 --------- d-----w C:\Program Files\GE Security
2008-03-30 13:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:29 2,984 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 118,520 ----a-w C:\WINDOWS\system32\PxInsI64.exe
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 22:41 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-04-26 21:08 13,164 -c--a-w C:\Documents and Settings\Charles Norris\Application Data\wklnhst.dat
2008-02-08 01:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 01:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 01:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 01:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 01:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 01:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 01:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-16 21:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 21:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 21:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 16:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 01:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_16.54.07.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 20:45:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 20:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-03 20:19:51 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
+ 2008-05-23 00:53:03 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\PM_Designer.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
+ 2008-05-23 00:53:02 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat_Standard.exe
- 2008-05-03 20:19:51 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
+ 2008-05-23 00:53:03 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Distiller.exe
- 2008-05-03 20:19:51 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2008-05-23 00:53:03 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2007-10-08 00:17:14 5,139 -c--a-w C:\WINDOWS\mozver.dat
+ 2008-05-23 21:13:58 6,310 -c--a-w C:\WINDOWS\mozver.dat
- 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 00:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-25 00:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-05-18 20:57:59 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-05-22 22:04:11 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 11:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 11:28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 11:44 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 11:45 118784]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 11:41 77824]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PrintAudit5"="C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe" [2007-04-09 17:03 800320]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2008-05-03 16:19:51 25214]
agents_laptop.bat [2007-09-27 14:55:07 1051]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 20:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-29 10:41:39 24576]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles Norris^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Charles Norris\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2007-04-02 05:24 113400 C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-29 10:49 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Adware-Spware Removal]
C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:47 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"C:\\Program Files\\SkillSoft\\jre\\bin\\java.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3689:TCP"= 3689:TCP:iTUNES

R2 AKeyPCSyncService;ActiveKEY PCSync;"C:\Program Files\GE Security\AKeyPCSyncService.exe" [2007-06-21 14:58]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 23:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 13:00:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208091559.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 21:11:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-23 21:14:33
ComboFix-quarantined-files.txt 2008-05-24 01:13:31
ComboFix2.txt 2008-05-24 01:02:22
ComboFix3.txt 2008-05-23 18:45:39
ComboFix4.txt 2008-05-21 20:55:23

Pre-Run: 67,416,285,184 bytes free
Post-Run: 67,402,366,976 bytes free

260 --- E O F --- 2007-06-13 02:30:02



================================================================================
================================================================================

Edited by NAVYVET, 23 May 2008 - 07:37 PM.

#7
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Could you repost the HijackThis log and let me know how the machine is performing now?

Regards,
RatHat
#8
NAVYVET
    Member
  • Topic Starter
  • Member
  • 18 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:32 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GE Security\AKeyPCSyncService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.trendmls.com/Default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PrintAudit5] C:\Program Files\Print Audit Inc\Print Audit 5\Client\pa5clint.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: agents_laptop.bat
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintce...ntquick1611.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/im.../SYSSCANNER.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188007322140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188007306171
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} -
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ActiveKEY PCSync (AKeyPCSyncService) - GE Security Inc - C:\Program Files\GE Security\AKeyPCSyncService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13055 bytes

The internet is faster. The laptop from reboot to desktop is faster. I cannot possibly say thank you enough. It appears everything is as it should be. Again thank you very much.
#9
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Well, let's make sure that it really is clear before we go.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post along with the MBAM log.
Regards,
RatHat
#10
NAVYVET
    Member
  • Topic Starter
  • Member
  • 18 posts
Malwarebytes' Anti-Malware 1.12
Database version: 782

Scan type: Quick Scan
Objects scanned: 38809
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==============================================================

Saturday, May 24, 2008 9:15:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799443
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 107715
Number of viruses found 17
Number of infected objects 40
Number of suspicious objects 2
Duration of the scan process 02:22:25

Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.18.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.18.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy109.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_830.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAccessActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAccessActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Charles Norris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Print Audit Inc\Print Audit\5.0\Client\pa5local.set Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Print Audit Inc\Print Audit\5.0\Logs\PA5ClientErrors.log Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\History\History.IE5\MSHist012008052320080524\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Charles Norris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\GE Security\SyncLog.txt Object is locked skipped
C:\Program Files\GE Security Supra\DaemonLog.txt Object is locked skipped
C:\Program Files\GE Security Supra\SyncLog.txt Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7B.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7C.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7D.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\acpjcsrv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sfm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bdtbjrlj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXRlMed.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cywasjat.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dlvthvut.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dnedpgit.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fmxofrtd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hggHyWpp.dll.vir.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\imbxdxxi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jntyqdpb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mglfkdni.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnmunkuq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qgcpncaw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayaAqoo.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayotbfb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ywjoscgw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP369\A0090466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0093466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0093467.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0096475.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096521.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sfm skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096523.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096527.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096529.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096533.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096536.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096540.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096547.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP373\A0097672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP373\A0098675.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099201.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099202.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099203.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099207.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099208.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099210.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP380\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCF744E2-729F-4707-97AE-CA671A156570}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

#11
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
The Kaspersky scan is incomplete, could you post it again for me please.

Regards,
RatHat

#12
NAVYVET
    Member
  • Topic Starter
  • Member
  • 18 posts
Sorry about that.

Saturday, May 24, 2008 9:15:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799443
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 107715
Number of viruses found 17
Number of infected objects 40
Number of suspicious objects 2
Duration of the scan process 02:22:25

Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.18.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.18.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy109.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_830.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAccessActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAccessActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Charles Norris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Print Audit Inc\Print Audit\5.0\Client\pa5local.set Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Application Data\Print Audit Inc\Print Audit\5.0\Logs\PA5ClientErrors.log Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\History\History.IE5\MSHist012008052320080524\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles Norris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Charles Norris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\GE Security\SyncLog.txt Object is locked skipped
C:\Program Files\GE Security Supra\DaemonLog.txt Object is locked skipped
C:\Program Files\GE Security Supra\SyncLog.txt Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7B.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7C.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7D.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\acpjcsrv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sfm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bdtbjrlj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXRlMed.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cywasjat.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dlvthvut.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dnedpgit.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fmxofrtd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hggHyWpp.dll.vir.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\imbxdxxi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jntyqdpb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mglfkdni.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnmunkuq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qgcpncaw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayaAqoo.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayotbfb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ywjoscgw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP369\A0090466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0093466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0093467.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP371\A0096475.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096521.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sfm skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096523.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096527.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096529.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096533.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096536.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096540.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096547.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP373\A0097672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP373\A0098675.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099201.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099202.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099203.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099207.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099208.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0099210.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP380\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DCF744E2-729F-4707-97AE-CA671A156570}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
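Added example, not part of the thread: a small Python triage script for the Kaspersky report format pasted above. It parses each "<path> <status> skipped" line and sorts every hit by where it sits (ComboFix's QooBox quarantine, the Trend Micro quarantine, Spybot's Recovery backups, or a System Restore point) versus a path on the live system. The marker list is an assumption derived from the paths in this thread, and the sample report is constructed from lines in this thread plus one placeholder live hit.

```python
"""Triage a Kaspersky Online Scanner report in the format pasted above.
Added example, not part of the thread. It checks the point the next reply
makes: every "Infected:" hit sits in a quarantine folder or a System Restore
point, so nothing on the live system is flagged."""
import re

# One report line is "<path> <status> skipped". Paths contain spaces, so the
# path group is lazy and the fixed status wording anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|ZIP: suspicious - (?P<zip>\d+)"
    r"|(?P<locked>Object is locked))"
    r"\s+skipped$"
)

# Locations where a detection is an inert copy, not a running infection.
# Assumption: markers derived from the quarantine paths seen in this thread.
INERT_LOCATIONS = (
    ("quarantine", "c:\\qoobox\\quarantine\\"),                  # ComboFix
    ("quarantine", "\\trend micro\\internet security 12\\quarantine\\"),
    ("quarantine", "\\spybot - search & destroy\\recovery\\"),   # Spybot backups
    ("restore-point", "\\system volume information\\_restore{"),
)

def classify(path):
    """Return 'quarantine', 'restore-point' or 'live' for a detected object."""
    lowered = path.lower()
    for label, marker in INERT_LOCATIONS:
        if marker in lowered:
            return label
    return "live"

def parse_report(text):
    """Return (detections, locked_count); a detection is (path, name, location)."""
    detections, locked = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, statistics and blank lines
        if m.group("locked"):
            locked += 1  # unreadable objects, not findings
            continue
        name = m.group("name") or m.group("suspicious") or "suspicious-archive"
        detections.append((m.group("path"), name, classify(m.group("path"))))
    return detections, locked

def triage(text):
    """Summarise a report: per-location counts, live hits and a verdict."""
    detections, locked = parse_report(text)
    by_location = {"live": [], "quarantine": [], "restore-point": []}
    for path, name, where in detections:
        by_location[where].append((path, name))
    return {
        "locked": locked,
        "counts": {k: len(v) for k, v in by_location.items()},
        "live": by_location["live"],
        "families": sorted({name for _, name, _ in detections}),
        "verdict": "clean" if not by_location["live"] else "active infection",
    }

# Constructed sample in the report's format; the paths are ones from this thread.
SAMPLE_CLEAN = r"""
Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAccessActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\7B.tmp Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\acpjcsrv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sfm skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP372\A0096536.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# Same report with one constructed hit outside any quarantine (placeholder file name).
LIVE_LINE = r"C:\WINDOWS\system32\placeholder_live.dll Infected: Trojan.Win32.Monder.gen skipped"
SAMPLE_ACTIVE = SAMPLE_CLEAN.replace("Scan process completed.", LIVE_LINE + "\nScan process completed.")

if __name__ == "__main__":
    for label, report in (("clean sample", SAMPLE_CLEAN), ("active sample", SAMPLE_ACTIVE)):
        s = triage(report)
        print(label, s["verdict"], s["counts"], "live:", s["live"])
```

A hit under System Volume Information is reported separately from quarantine copies because it is only reintroduced if that restore point is used.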

#13
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Hey there,

OK! Well done, your log is clean again! :)

Let's start to clean up. Please re-open HiJackThis and scan. Check the box next to the entry listed below.

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u; it needs to be there.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's make sure there are no other tools hanging around. Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


An essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat

#14
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.