Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Having a terrible Virtumonde effect . Need HELP ! [RESOLVED]


  • This topic is locked This topic is locked

#16
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
G:\LaunchU3.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14c0f204-2aae-11dd-8f65-001636ce7d60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32621c7a-228d-11dd-a572-001636ce7d60}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Also post a new HijackThis log
  • 0

Advertisements


#17
Youssef Attalla

Youssef Attalla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I am afraid that the combofix.txt is the same as the old one because i didn't see a ComboFix.txt file created on my C: drive location

here is the combofix.txt file

ComboFix 08-05-21.3 - youssefhg 2008-05-27 10:53:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.914 [GMT -4:00]
Running from: D:\Downoaded Softwares\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-25 19:37 . 2008-05-25 19:37 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\Media Player Classic
2008-05-25 19:37 . 2008-05-25 19:37 <DIR> d-------- C:\Users\All Users\Real
2008-05-25 19:37 . 2008-05-25 19:37 <DIR> d-------- C:\Program Files\Real Alternative
2008-05-25 18:34 . 2008-05-25 18:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-25 18:34 . 2008-05-25 18:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-23 17:18 . 2008-05-23 17:18 <DIR> d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-05-23 12:43 . 2008-05-23 12:43 <DIR> d-------- C:\VundoFix Backups
2008-05-23 09:22 . 2008-05-23 09:22 <DIR> d-------- C:\Users\youssefhg\.ssh
2008-05-23 09:20 . 2008-05-27 10:31 <DIR> d-------- C:\Users\youssefhg\.nx
2008-05-23 09:19 . 2008-05-23 09:19 <DIR> d-------- C:\Program Files\NX Client for Windows
2008-05-20 20:53 . 2008-05-20 20:58 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\DivX
2008-05-20 20:51 . 2008-05-20 20:51 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-20 20:42 . 2008-05-20 20:42 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\acccore
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-05-20 20:41 . 2008-05-20 20:43 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\Users\All Users\AOL
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\ProgramData\Viewpoint
2008-05-20 20:41 . 2008-05-20 20:43 <DIR> d-------- C:\ProgramData\AOL OCP
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\ProgramData\AOL
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\Program Files\Viewpoint
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-05-20 20:40 . 2008-05-20 20:42 <DIR> d-------- C:\Program Files\AIM6
2008-05-20 20:40 . 2008-05-20 20:42 366 --ah----- C:\IPH.PH
2008-05-20 14:20 . 2008-05-20 14:20 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\WildTangent
2008-05-19 22:33 . 2008-05-27 08:54 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\skypePM
2008-05-19 22:33 . 2008-05-19 22:33 32 --a------ C:\Users\All Users\ezsid.dat
2008-05-19 22:33 . 2008-05-19 22:33 32 --a------ C:\ProgramData\ezsid.dat
2008-05-19 22:32 . 2008-05-27 10:58 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\Skype
2008-05-19 22:30 . 2008-05-19 22:31 <DIR> d-------- C:\Program Files\Skype
2008-05-19 22:30 . 2008-05-19 22:30 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-19 12:26 . 2008-05-19 12:51 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-19 12:26 . 2008-05-19 12:51 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-19 12:26 . 2008-05-19 12:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 11:22 . 2008-05-19 11:22 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\HP
2008-05-19 11:22 . 2008-05-19 11:22 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\CyberLink
2008-05-19 11:22 . 2008-05-19 11:22 <DIR> d-------- C:\Users\All Users\HP
2008-05-19 11:22 . 2008-05-19 11:22 <DIR> d-------- C:\ProgramData\HP
2008-05-18 22:41 . 2008-05-18 22:41 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\Apple Computer
2008-05-18 22:40 . 2008-05-18 22:41 <DIR> d-------- C:\Program Files\iTunes
2008-05-18 22:40 . 2008-05-18 22:40 <DIR> d-------- C:\Program Files\iPod
2008-05-18 22:37 . 2008-05-18 22:40 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-05-18 22:37 . 2008-05-18 22:40 <DIR> d-------- C:\ProgramData\Apple Computer
2008-05-18 22:37 . 2008-05-18 22:39 <DIR> d-------- C:\Program Files\QuickTime
2008-05-18 22:37 . 2008-05-18 22:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-18 22:36 . 2008-05-18 22:36 <DIR> d-------- C:\Users\All Users\Apple
2008-05-18 22:36 . 2008-05-18 22:36 <DIR> d-------- C:\ProgramData\Apple
2008-05-18 22:36 . 2008-05-18 22:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-17 12:59 . 2008-05-17 15:42 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\SSH
2008-05-17 12:59 . 2008-05-17 13:00 <DIR> d-------- C:\Users\All Users\SSH
2008-05-17 12:59 . 2008-05-17 13:00 <DIR> d-------- C:\ProgramData\SSH
2008-05-17 12:53 . 2008-05-17 12:53 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\Helios
2008-05-17 12:53 . 2008-05-17 12:53 <DIR> d-------- C:\Program Files\TextPad 5
2008-05-17 12:53 . 2008-05-17 12:53 <DIR> d-------- C:\Program Files\SSH Communications Security
2008-05-17 09:48 . 2008-05-17 09:48 0 --ah----- C:\WINDOWS\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-17 05:10 . 2008-05-17 05:10 <DIR> d-------- C:\PerfLogs
2008-05-17 04:42 . 2008-05-17 04:14 152,576 --a------ C:\WINDOWS\System32\SPWizUI.dll
2008-05-17 04:42 . 2008-05-17 04:14 47,560 --a------ C:\WINDOWS\System32\SPReview.exe
2008-05-17 04:21 . 2008-01-18 23:33 599,552 --a------ C:\WINDOWS\System32\vsp1cln.exe
2008-05-17 04:21 . 2008-01-18 23:33 193,024 --a------ C:\WINDOWS\System32\recdisc.exe
2008-05-17 04:21 . 2008-01-18 23:36 142,336 --a------ C:\WINDOWS\System32\spp.dll
2008-05-17 04:21 . 2008-01-18 23:36 28,160 --a------ C:\WINDOWS\System32\sxproxy.dll
2008-05-17 04:21 . 2008-01-18 23:36 6,656 --a------ C:\WINDOWS\System32\sdspres.dll
2008-05-17 04:18 . 2008-01-18 23:34 6,103,040 --a------ C:\WINDOWS\System32\chtbrkr.dll
2008-05-17 04:14 . 2008-01-18 23:33 44,032 --a------ C:\WINDOWS\System32\cbsra.exe
2008-05-17 03:03 . 2008-05-17 04:44 327,680 --a------ C:\WINDOWS\SPInstall.etl
2008-05-17 02:30 . 2008-05-17 02:31 268,511,373 --a------ C:\WINDOWS\MEMORY.DMP
2008-05-16 15:32 . 2008-05-16 15:33 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-16 15:32 . 2008-05-16 15:33 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-16 15:32 . 2008-05-16 15:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-16 15:32 . 2008-05-16 15:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 03:21 . 2008-05-16 03:21 988,216 --a------ C:\WINDOWS\System32\winload.exe
2008-05-16 03:21 . 2008-05-16 03:21 927,288 --a------ C:\WINDOWS\System32\winresume.exe
2008-05-16 03:21 . 2008-05-16 03:21 615,992 --a------ C:\WINDOWS\System32\ci.dll
2008-05-16 03:21 . 2008-05-16 03:21 378,368 --a------ C:\WINDOWS\System32\srcore.dll
2008-05-16 03:21 . 2008-05-16 03:21 318,464 --a------ C:\WINDOWS\System32\rstrui.exe
2008-05-16 03:21 . 2008-05-16 03:21 46,592 --a------ C:\WINDOWS\System32\setbcdlocale.dll
2008-05-16 03:21 . 2008-05-16 03:21 40,960 --a------ C:\WINDOWS\System32\srclient.dll
2008-05-16 03:21 . 2008-05-16 03:21 19,000 --a------ C:\WINDOWS\System32\kd1394.dll
2008-05-16 03:21 . 2008-05-16 03:21 14,848 --a------ C:\WINDOWS\System32\srdelayed.exe
2008-05-16 03:21 . 2008-05-16 03:21 6,656 --a------ C:\WINDOWS\System32\kbd106n.dll
2008-05-16 03:18 . 2008-05-16 03:18 2,032,128 --a------ C:\WINDOWS\System32\win32k.sys
2008-05-16 03:17 . 2008-05-16 03:17 295,936 --a------ C:\WINDOWS\System32\gdi32.dll
2008-05-16 03:11 . 2008-05-16 03:11 1,383,424 --a------ C:\WINDOWS\System32\mshtml.tlb
2008-05-16 03:11 . 2008-05-16 03:11 826,880 --a------ C:\WINDOWS\System32\wininet.dll
2008-05-16 03:10 . 2008-05-16 03:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-15 23:16 . 2008-05-15 23:16 <DIR> d-------- C:\Program Files\Gabest
2008-05-15 22:41 . 2008-05-15 22:41 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Music
2008-05-15 21:31 . 2008-05-15 21:31 <DIR> d-------- C:\Users\All Users\Google
2008-05-15 20:49 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-15 14:59 . 2008-05-15 15:00 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\TortoiseSVN
2008-05-15 14:16 . 2008-05-27 08:53 25,515 --a------ C:\Users\youssefhg\AppData\Roaming\nvModes.dat
2008-05-15 14:05 . 2008-05-15 14:05 <DIR> d-------- C:\Program Files\UnH Solutions
2008-05-15 13:55 . 2008-05-15 13:55 <DIR> d-------- C:\Downloads
2008-05-15 13:54 . 2008-05-16 08:49 <DIR> d-------- C:\Program Files\BitComet
2008-05-15 13:10 . 2008-05-15 13:15 <DIR> d-------- C:\Program Files\Windows Live
2008-05-15 13:10 . 2008-05-15 13:14 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-05-15 13:04 . 2008-05-15 13:04 <DIR> d-------- C:\ProgramData\FLEXnet
2008-05-15 12:59 . 2008-05-15 13:10 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-15 12:59 . 2008-05-15 13:10 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-15 12:56 . 2008-05-18 22:40 <DIR> d-------- C:\Program Files\Bonjour
2008-05-15 12:53 . 2008-05-19 22:31 <DIR> d-------- C:\Users\All Users\Skype
2008-05-15 12:53 . 2008-05-19 22:31 <DIR> d-------- C:\ProgramData\Skype
2008-05-15 12:48 . 2008-05-15 12:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-15 12:29 . 2008-05-15 12:29 <DIR> d-------- C:\Users\youssefhg\.dbvis
2008-05-15 12:25 . 2008-05-15 12:26 <DIR> d-------- C:\Program Files\DbVisualizer-6.0.10
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Users\youssefhg\AppData\Roaming\Subversion
2008-05-15 12:07 . 2008-05-15 12:07 <DIR> d-------- C:\Program Files\TortoiseSVN
2008-05-15 11:51 . 2008-05-15 11:51 21 --ah----- C:\qpmd8379.bin
2008-05-15 11:50 . 2008-05-16 10:04 53,248 --a------ C:\WINDOWS\System32\cfperfmon_8.dll
2008-05-15 11:48 . 2008-05-15 11:49 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-05-15 11:48 . 2008-05-16 10:07 <DIR> d-------- C:\ColdFusion8
2008-05-15 11:44 . 2008-05-15 11:44 <DIR> d--h----- C:\Users\youssefhg\InstallAnywhere
2008-05-15 11:39 . 2008-05-15 12:15 <DIR> d-------- C:\cygwin
2008-05-15 11:38 . 2008-05-15 11:38 <DIR> d-------- C:\Program Files\Subversion
2008-05-15 11:27 . 2008-05-15 11:27 <DIR> d-------- C:\WINDOWS\PCHEALTH
2008-05-15 11:27 . 2008-05-15 11:27 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-15 11:18 . 2008-05-15 11:18 <DIR> dr-h----- C:\MSOCache
2008-05-15 10:59 . 2008-05-15 10:59 136,496 --a------ C:\WINDOWS\System32\drivers\SYMEVENT.SYS
2008-05-15 10:59 . 2008-05-15 11:00 10,652 --a------ C:\WINDOWS\System32\drivers\SYMEVENT.CAT
2008-05-15 10:59 . 2008-05-15 11:00 806 --a------ C:\WINDOWS\System32\drivers\SYMEVENT.INF
2008-05-15 10:58 . 2008-05-15 11:00 <DIR> d-------- C:\Program Files\Symantec
2008-05-15 10:58 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\System32\MFC71.DLL
2008-05-15 10:58 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\System32\MSVCP71.DLL
2008-05-15 10:58 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\System32\MSVCR71.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 00:51 --------- d-----w C:\Program Files\DivX
2008-05-20 18:20 --------- d-----w C:\ProgramData\WildTangent
2008-05-17 16:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 09:30 174 --sha-w C:\Program Files\desktop.ini
2008-05-17 09:20 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-17 09:20 --------- d-----w C:\Program Files\Windows Calendar
2008-05-17 09:19 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-17 09:19 --------- d-----w C:\Program Files\Windows Mail
2008-05-17 09:19 --------- d-----w C:\Program Files\Windows Journal
2008-05-17 09:19 --------- d-----w C:\Program Files\Windows Defender
2008-05-17 09:19 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-17 08:50 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-17 08:50 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-16 07:40 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-15 18:13 --------- d-----w C:\ProgramData\CyberLink
2008-05-15 16:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-15 15:29 --------- d-----w C:\Program Files\Microsoft Works
2008-05-15 15:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-15 15:02 --------- d-----w C:\ProgramData\Symantec
2008-05-15 14:47 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-15 14:32 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 14:30 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Templates
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Start Menu
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Favorites
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Documents
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Desktop
2008-05-15 14:19 --------- d-sh--w C:\ProgramData\Application Data
2008-05-13 01:53 129,784 ------w C:\Windows\System32\PxAFS.DLL
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 01:02 815104]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-11-24 19:33 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 14:58 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 19:42 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 13:56 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 13:32 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2006-12-29 09:35 77824]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 00:25 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 00:25 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 00:25 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\youssefhg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2008-05-15 11:30:31 845584]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 05:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 04:01:50 734872]
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2006-12-29 09:16:39 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2497455648-2839833209-4065968779-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8487480D-1C86-41BC-88D2-2F94CEFB5506}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{2323E63B-77E5-49DA-AB6C-674CAE419990}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{BA87D380-4483-441F-8DE3-F17AFA5472AB}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{85087D8B-AF97-4EB9-A26E-D8B9AB8F767F}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{935C2EF6-A603-4F13-8463-5A832EC27F6B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{D75EE1D6-182D-42A7-BE19-058BA7449A8C}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{E274B2FC-F54F-4631-BB1B-F63DD15BA9A2}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{694F75FE-AD5C-4AB0-BB36-7C2CAA098EAF}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6014D925-779E-4517-9853-F48EE1F54858}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0158754C-0CAA-4651-A1BC-C0CA90A95F43}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{44A7F39C-5F3C-4878-86B5-5C42F49CA0E1}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C2105CA8-6F50-4906-9F35-ADCC317BB1B5}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D0AE3926-EEC5-4F02-A564-C24AE84F922B}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9403EDE5-FA94-449F-A7F9-2006D330B0EF}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{47DE4C2C-D9DC-4933-8CF5-4455BD02DEF2}"= UDP:C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{2DB2D51C-F7CA-40C8-B950-41B4DBBBE499}"= TCP:C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{D88F83D6-90E3-4FA8-BDB6-D7455B6F4671}"= UDP:C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{1478A35F-D3FB-4895-82B9-19FC2AD60FE6}"= TCP:C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{653FD3FB-5E10-43C2-AB94-27C329478C33}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{317AE7C4-D296-41A3-B7B9-35F3E2EDA431}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{A010181C-C3A3-4061-9FC0-0A7D6F854FC7}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{9032707E-686C-4502-9CFA-C06352072053}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A5CCC3F1-2EC6-4088-87C8-0F66CD469FD5}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{96780B97-CE85-4218-A886-80FEC7C56F22}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{3128D0F9-4727-441F-9493-0AF512D7DB64}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AC5AFC2A-104D-4717-AB12-BF70C7DF83AB}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{243C6AAD-A340-4ACF-8D73-118E1819570E}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{58934D5E-E61A-4CC3-B95C-3DAFD8640D02}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{E8247466-714A-4C2C-9E45-29E540EA62AA}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{DFD721AE-8C5A-46CA-B132-7786EEEC719E}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5262D4C2-465D-476C-B62C-EB0648B3D0CD}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{4E97483A-F807-4673-A9E2-B088C88EB51F}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{F710AD1B-ECA1-4FAB-B718-A0F0E4D9B656}C:\\program files\\nx client for windows\\nxclient.exe"= UDP:C:\program files\nx client for windows\nxclient.exe:nxclient
"UDP Query User{C2832FE4-4EBC-4C39-843C-1D653ED99782}C:\\program files\\nx client for windows\\nxclient.exe"= TCP:C:\program files\nx client for windows\nxclient.exe:nxclient
"TCP Query User{95301031-5273-4D82-BB15-25FD6CC3FE8C}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{4B38BA65-35C6-4FB5-88D5-87730D587BB1}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{98181D0A-07D7-4943-ADD9-38E63F65E9E8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0A869BA8-7026-46A6-800B-97693210D892}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;"C:\ColdFusion8\runtime\bin\jrunsvc.exe" [2008-03-18 05:11]
R2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent" []
R2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server" []
R2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;"C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\ColdFusion8\verity\k2\common\verity.cfg" -ntstart 1 []
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 13:39]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14c0f204-2aae-11dd-8f65-001636ce7d60}]
\shell\AutoRun\command - H:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32621c7a-228d-11dd-a572-001636ce7d60}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 10:58:32
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\TortoiseSVN\iconv\utf-8.so
.
Completion time: 2008-05-27 11:00:21
ComboFix-quarantined-files.txt 2008-05-27 14:59:31

Pre-Run: 22,253,686,784 bytes free
Post-Run: 22,264,463,360 bytes free

327 --- E O F --- 2008-05-21 07:06:50



and here is the highjackthis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:54 PM, on 5/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Users\youssefhg\Desktop\putty.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\Explorer.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Downoaded Softwares\BlueFish\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.135.55.155 mrt
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplu...lug/beta/SP.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion 8 Search Server - Verity, Inc. - C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10660 bytes

Edited by Youssef Attalla, 27 May 2008 - 12:10 PM.

  • 0

#18
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how your PC is running
  • 0

#19
Youssef Attalla

Youssef Attalla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
here is the log

and the PC is tunning normal or this is what it looks to me, no restart was promted

Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Quick Scan
Objects scanned: 35715
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#20
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#21
Youssef Attalla

Youssef Attalla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
i will perform all these steps but not now though
but i just wanted to thank you so much and i will also post a conclusion in a couple of days to tell you that the problem has resolved

thanks a million
  • 0

#22
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok let me know how it goes
  • 0

#23
Youssef Attalla

Youssef Attalla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
well it looks like we removed it
yes i think it is gone now, so far there is no popups and spybot is not complaining about any registry changes

Thanks again :)
  • 0

#24
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP