Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

lots of security and privacy alerts directing me to web pages


  • Please log in to reply

#1
duke8t

duke8t

    New Member

  • Member
  • Pip
  • 2 posts
hi hope someone can help have folowed insructions on forum pages. but still happening any help would be appreciated.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:07, on 07/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\iftuyszv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {70A51F76-EED9-4657-8DCA-3B9D107643A7} - C:\Windows\system32\yayXnOeE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: {3e86a6b1-28ae-e89a-cb54-bd2e42194c7b} - {b7c49124-e2db-45bc-a98e-ea821b6a68e3} - C:\Windows\system32\gfpotrkf.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\Windows\portsv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8650 bytes
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :)

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: {3e86a6b1-28ae-e89a-cb54-bd2e42194c7b} - {b7c49124-e2db-45bc-a98e-ea821b6a68e3} - C:\Windows\system32\gfpotrkf.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)

Now click "Fix Checked" and close Hijackthis

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
duke8t

duke8t

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi Loophole

Thanks for the swift reply :) Here are the combo fix and hijack logs.

and all seems a lot better allready. :)


ComboFix 08-06-06.6 - duke8t 2008-06-07 15:14:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.800 [GMT 1:00]
Running from: C:\Users\duke8t\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\vtmp2
C:\Windows\accesss.exe
C:\Windows\astctl32.ocx
C:\Windows\avpcc.dll
C:\Windows\clrssn.exe
C:\Windows\cpan.dll
C:\Windows\ctfmon32.exe
C:\Windows\ctrlpan.dll
C:\Windows\default.htm
C:\Windows\directx32.exe
C:\Windows\dnsrelay.dll
C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\editpad.exe
C:\Windows\explore.exe
C:\Windows\explorer32.exe
C:\Windows\funniest.exe
C:\Windows\funny.exe
C:\Windows\gfmnaaa.dll
C:\Windows\helpcvs.exe
C:\Windows\iedll.exe
C:\Windows\iexplorer.exe
C:\Windows\inetinf.exe
C:\Windows\internet.exe
C:\Windows\loader.exe
C:\Windows\mainms.vpi
C:\Windows\megavid.cdt
C:\Windows\msconfd.dll
C:\Windows\msspi.dll
C:\Windows\mssys.exe
C:\Windows\msupdate.exe
C:\Windows\mswsc10.dll
C:\Windows\mswsc20.dll
C:\Windows\mtwirl32.dll
C:\Windows\muotr.so
C:\Windows\notepad32.exe
C:\Windows\olehelp.exe
C:\Windows\qttasks.exe
C:\Windows\quicken.exe
C:\Windows\rundll16.exe
C:\Windows\rundll32.vbe
C:\Windows\searchword.dll
C:\Windows\sistem.exe
C:\Windows\svchost32.exe
C:\Windows\svcinit.exe
C:\Windows\systeem.exe
C:\Windows\system32\alkycvrt.dll
C:\Windows\System32\EeOnXyay.ini
C:\Windows\System32\EeOnXyay.ini2
C:\Windows\system32\gfpotrkf.dll
C:\Windows\system32\gskiqiyj.dll
C:\Windows\system32\hljwugsf.bin
C:\Windows\system32\ibccccwo.dll
C:\Windows\system32\ivqvwhpd.dll
C:\Windows\system32\MSINET.oca
C:\Windows\system32\uddgpymp.dll
C:\Windows\system32\udyskfac.dll
C:\Windows\system32\winsusrm.dll
C:\Windows\system32\winsusrx.dll
C:\Windows\system32\xwvxxfng.dll
C:\Windows\systemcritical.exe
C:\Windows\time.exe
C:\Windows\users32.exe
C:\Windows\waol.exe
C:\Windows\win32e.exe
C:\Windows\win64.exe
C:\Windows\winajbm.dll
C:\Windows\window.exe
C:\Windows\winmgnt.exe
C:\Windows\x.exe
C:\Windows\xplugin.dll
C:\Windows\xxxvideo.hta
C:\Windows\y.exe

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 07:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-07 07:49 --------- d-----w C:\Users\duke8t\AppData\Roaming\SUPERAntiSpyware.com
2008-06-07 07:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 06:26 --------- d-----w C:\Users\duke8t\AppData\Roaming\Malwarebytes
2008-06-07 06:26 --------- d-----w C:\Users\duke8t\AppData\Roaming\Download Manager
2008-06-07 06:26 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 23:28 --------- d-----w C:\Program Files\Trend Micro
2008-06-06 21:53 55,808 ----a-w C:\Windows\portsv.exe
2008-06-06 20:50 87,511 ----a-w C:\Windows\System32\iftuyszv.exe
2008-06-06 20:45 --------- d-----w C:\Program Files\AVG
2008-06-06 15:44 --------- d-----w C:\Users\duke8t\AppData\Roaming\Xfire
2008-06-06 15:28 --------- d-----w C:\Program Files\WarRock
2008-06-06 15:28 --------- d-----w C:\Program Files\Guild Wars
2008-06-06 15:28 --------- d-----w C:\Program Files\CCleaner
2008-06-05 15:04 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-05 15:04 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-04 21:07 --------- d-----w C:\Users\duke8t\AppData\Roaming\PeerNetworking
2008-06-04 21:02 --------- d-----w C:\Users\duke8t\AppData\Roaming\LimeWire
2008-06-04 20:13 --------- d-----w C:\Users\duke8t\AppData\Roaming\uTorrent
2008-06-04 13:28 --------- d-----w C:\Program Files\Birmingham City - DNA
2008-05-31 06:38 --------- d-----w C:\Users\duke8t\AppData\Roaming\Roxio
2008-05-30 22:04 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-05-30 21:57 --------- d-----w C:\Users\duke8t\AppData\Roaming\Research In Motion
2008-05-30 21:51 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-30 21:51 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-05-30 21:50 --------- d-----w C:\Program Files\Roxio
2008-05-30 21:46 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-30 21:40 --------- d-----w C:\Program Files\Research In Motion
2008-05-30 08:34 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-30 08:34 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-29 21:38 --------- d-----w C:\Program Files\Eudemons Online
2008-05-29 19:57 141 ----a-w C:\Program Files\values.dat
2008-05-29 19:54 42,548 ----a-w C:\Program Files\warrock.exe
2008-05-29 19:46 --------- d-----w C:\Program Files\Xfire
2008-05-28 19:19 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-23 22:14 --------- d-----w C:\Users\duke8t\AppData\Roaming\InstallShield
2008-05-14 13:12 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 01:28 41,296 ----a-w C:\Windows\System32\xfcodec.dll
2008-05-13 19:56 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-13 15:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 15:15 --------- d-----w C:\Program Files\Triggersoft
2008-05-12 10:07 188,580,039 ----a-w C:\Destinator PN.zip
2008-05-09 21:07 --------- d-----w C:\Program Files\Yahoo!
2008-05-09 12:28 --------- d-----w C:\Users\duke8t\AppData\Roaming\Yahoo!
2008-04-24 14:51 --------- d-----w C:\Program Files\TiNControl
2008-04-24 14:43 --------- d-----w C:\Program Files\3-Clicks
2008-04-23 13:10 --------- d-----w C:\Program Files\NetObjects
2008-04-21 20:03 --------- d-----w C:\Users\duke8t\AppData\Roaming\Maxthon
2008-04-21 19:48 --------- d-----w C:\Program Files\Zoom Search Engine 5.1
2008-04-16 21:11 --------- d-----w C:\Program Files\Dragonfly
2008-04-08 09:50 --------- d-----w C:\Users\duke8t\AppData\Roaming\gamelab
2008-04-01 08:15 341,552 ----a-w C:\Windows\System32\npesLauncher.exe
2008-03-28 23:16 691,545 ----a-w C:\Windows\unins000.exe
2008-03-28 10:24 974,848 ----a-w C:\Windows\System32\npdownv.exe
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-26 19:20 174 --sha-w C:\Program Files\desktop.ini
2007-10-26 19:30 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-26 19:30 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-26 19:30 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70A51F76-EED9-4657-8DCA-3B9D107643A7}]
C:\Windows\system32\yayXnOeE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 04:40 218032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-11 21:38 1232896]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-05-05 16:05 652528]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 598016 C:\Windows\SOUNDMAN.EXE]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]

C:\Users\duke8t\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-05-14 02:28:16 3007824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4028478744-3637310691-4208235819-1000]
"EnableNotificationsRef"=dword:00000002
"EnableNotifications"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{86B7B104-02CA-491C-BAEA-7EC91A71282A}"= UDP:C:\Program Files\Eudemons Online\AutoPatch.exe:AutoPatch
"{F69D55F6-22CB-41FB-812B-BBCD39B49B31}"= TCP:C:\Program Files\Eudemons Online\AutoPatch.exe:AutoPatch
"TCP Query User{08C906EE-3FF9-46B6-BEA9-F6F71BF7C5F1}C:\\program files\\windows sidebar\\sidebar.exe"= UDP:C:\program files\windows sidebar\sidebar.exe:Windows Sidebar
"UDP Query User{28BC5929-9EDC-40A5-B639-7A8815C52BBF}C:\\program files\\windows sidebar\\sidebar.exe"= TCP:C:\program files\windows sidebar\sidebar.exe:Windows Sidebar
"TCP Query User{FCBA1E5C-514C-4481-8508-8825E16F9CFB}C:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{15D190B8-E38F-4328-912F-F988461FE99D}C:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"TCP Query User{A357099E-B2AF-4DB7-B084-34ABBE246FA0}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{8F5078D9-38AC-4FBB-9084-3393C805FA0B}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"{95C06DAE-BDDF-4F85-B141-F203860F0859}"= UDP:C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"{50BCF2DE-1842-4FE7-9AD1-DED7247333CA}"= TCP:C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"TCP Query User{B18BB192-8ECE-4A47-BAB2-8F2642574A17}C:\\program files\\firefly studios\\civcity rome\\civcity rome.exe"= UDP:C:\program files\firefly studios\civcity rome\civcity rome.exe:CivCity Rome
"UDP Query User{D371D34D-9BC5-4B58-BB85-2FE22E2B837B}C:\\program files\\firefly studios\\civcity rome\\civcity rome.exe"= TCP:C:\program files\firefly studios\civcity rome\civcity rome.exe:CivCity Rome
"TCP Query User{827F97D9-F38D-4D1B-9EF0-FB6F9488F631}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{F598810B-2664-43F9-A1FC-0316ADD713EA}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{92103D39-BBBB-472D-AFAC-9C16A26B1713}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F7D4DBB0-0903-4502-9FC5-FBFF900EEA90}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{BE043AC5-18AC-4A1B-A1BF-2D22A84287FB}"= UDP:C:\Program Files\Triggersoft\Rose Online Evolution\SRose launcher.exe:Speed Rose
"{1C1EF9D0-E914-4FE2-BEC4-EB5593CA955B}"= TCP:C:\Program Files\Triggersoft\Rose Online Evolution\SRose launcher.exe:Speed Rose
"{14AE2DB7-88E6-467D-9900-064A554FAEEE}"= UDP:C:\Program Files\Triggersoft\Rose Online Evolution\ROSEonline.exe:RoseOnlineEvolution
"{9DF876A2-D110-46D4-B9E4-2820F5D3F529}"= TCP:C:\Program Files\Triggersoft\Rose Online Evolution\ROSEonline.exe:RoseOnlineEvolution
"{71C14FD3-5A1D-406F-B289-BAFAEB97FDBD}"= UDP:C:\Program Files\Triggersoft\Rose Online Evolution\RoUpdate.exe:RoUpdate
"{13C7F76B-204F-4AA5-868E-224C7A4ABB69}"= TCP:C:\Program Files\Triggersoft\Rose Online Evolution\RoUpdate.exe:RoUpdate
"{7F72DE3B-5FBE-4E22-A445-A6F0F0224EBC}"= UDP:C:\Program Files\CCleaner\CCleaner.exe:CCleaner
"{4D22C72B-A61B-4F1D-8E39-B228AE0AD5D0}"= TCP:C:\Program Files\CCleaner\CCleaner.exe:CCleaner
"{F1FB5FD5-40D8-49A4-9906-EF3CA0E92D7D}"= UDP:C:\Program Files\Triggersoft\Rose Online Evolution\TRose.exe:TRose
"{905FA9EE-A077-4787-8337-FDDE4FE0BADA}"= TCP:C:\Program Files\Triggersoft\Rose Online Evolution\TRose.exe:TRose
"TCP Query User{932CF4FA-E5F7-4EE7-B60B-4C0A32FCC08F}C:\\program files\\roxio\\media manager 9\\mediamanager9.exe"= UDP:C:\program files\roxio\media manager 9\mediamanager9.exe:MediaManager9 Module
"UDP Query User{CE366C25-00F7-449D-9F41-9AA3778772BC}C:\\program files\\roxio\\media manager 9\\mediamanager9.exe"= TCP:C:\program files\roxio\media manager 9\mediamanager9.exe:MediaManager9 Module
"{F78032D6-8C54-42D2-AF56-7692B77CCCEE}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{BEFA0038-6447-4C95-B552-2F0BD153C710}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{E52E6B4D-B400-432C-BB57-B7E273BFB7D8}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{BEDFA0C6-27AB-4845-9BA1-0D3C97833FCB}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{082B7957-4F36-46B3-A056-BF18827DBB57}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{53ABE80D-6DA6-4DD1-8296-4491DF2FB398}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{2D10BA96-0E95-45D1-ACA8-8B5106335526}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{72EC8ADA-BF6E-4A13-B756-C34F238ACD72}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{8BAE31E9-B0C1-4FFF-ADBC-A410AE2E53E5}"= UDP:C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe:RoxLiveShare9
"{8E83955E-736B-468D-B7AD-4E4374F0D4C1}"= TCP:C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe:RoxLiveShare9
"{BCAE74B4-717F-4348-9229-BB64CFEB84E0}"= UDP:C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe:RoxLiveShare9
"{3C2313BC-3EC7-4164-A02E-00EFEEFA1E64}"= TCP:C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe:RoxLiveShare9
"{15215B40-1786-4F01-8042-03E7C9B6D916}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{1A7B0C36-BF1D-4E3B-8D81-8A5C4589B1A3}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{ADFADAD5-FF10-43EF-BC9D-19103BE448F0}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{617A97FB-A0A5-4A28-B2AA-C58E6B1D4842}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{AFA84DCF-C53B-414E-AF68-1ABE0A78C945}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{37DD3005-5B0A-4DB9-BADC-7B85C03ED09D}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{952BE327-BA2D-4402-AC0B-71C09D080498}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{C04EDFA8-9CA8-408A-AFDF-0CA754F56E77}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 PlugPlayRPC;Plug and Play (RPC);C:\Windows\portsv.exe service []
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 ULI526X;ULi M526X 10/100 Ethernet Controller Driver;C:\Windows\system32\DRIVERS\ULIM526X.SYS [2006-12-18 17:36]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\Windows\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 15:20:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\portsv.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-07 15:26:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 14:26:13

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

289 --- E O F --- 2008-06-06 17:24:11



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28:32, on 07/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {70A51F76-EED9-4657-8DCA-3B9D107643A7} - C:\Windows\system32\yayXnOeE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\Windows\portsv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 6099 bytes



:)
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Please post the log with a new Hijack log

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP