Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde and virtumonde.dll [CLOSED]


  • This topic is locked This topic is locked

#1
tooning

tooning

    New Member

  • Member
  • Pip
  • 8 posts
Please Help. I have tried all of the virtumonde removal programs that I have found on this site and others. I have also tried avast and symantec and Search and destroy(in safemode as well). I have tried XoftspySe. They all find them but never completely get rid of them. I have posted my Hijack this log. Hoping you can help and thanking you in advance for any help anybody is willing to give me.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:30 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
G:\Torrent\aawservice.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Games\QTTask.exe
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Pure Networks\Network Magic\nmapp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {048ADF87-6419-41F6-B692-B1CC2D9850C8} - D:\WINDOWS\system32\cbXPhfCU.dll (file missing)
O2 - BHO: (no name) - {1435F45D-5EAC-45AC-B3AA-50A3207E9FB2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - (no file)
O2 - BHO: (no name) - {81EA3F36-357A-435A-8741-52C27CCC9F21} - D:\WINDOWS\system32\pmnoLbcA.dll
O2 - BHO: {e5d8ba6f-3ce0-d088-b364-0c14839ebcca} - {accbe938-41c0-463b-880d-0ec3f6ab8d5e} - D:\WINDOWS\system32\bctjfpig.dll
O2 - BHO: (no name) - {C7EDAC51-86E0-4414-9839-55E3DF486220} - D:\WINDOWS\system32\awtttqOi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Games\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [647ec673] rundll32.exe "D:\WINDOWS\system32\oyixynng.dll",b
O4 - HKLM\..\Run: [BM5bde2243] Rundll32.exe "D:\WINDOWS\system32\fxftxaef.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5896] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4164] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2736] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7192] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1324] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Orb] "D:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BPS Spyware Remover] G:\Games\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\BPS Spyware Remover\SpyRem.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1131] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6030] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7871] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2607] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB265] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2896] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab53083.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab53083.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab53984.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} - http://www.sunbelt-s.../CounterSpy.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab53852.cab
O20 - Winlogon Notify: hgdba - D:\WINDOWS\
O20 - Winlogon Notify: pmnoLbcA - D:\WINDOWS\SYSTEM32\pmnoLbcA.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Torrent\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Torrent\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Torrent\Spyware Doctor\pctsSvc.exe

--
End of file - 10713 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.





Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
tooning

tooning

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am sorry it took so long for me to reply it took me this long to get into this forafter work it was going so slow. here is my combofix log

D:\WINDOWS\mrofinu1381.exe.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 19:17 . 2008-06-16 19:17 322,560 --a------ D:\WINDOWS\system32\xxywTMfD.dll_old
2008-06-15 14:52 . 2008-06-15 14:52 <DIR> d-------- D:\Program Files\Trend Micro
2008-06-13 19:08 . 2008-06-13 19:08 <DIR> d-------- D:\Program Files\Enigma Software Group
2008-06-13 18:27 . 2008-06-13 18:27 <DIR> d-------- D:\Program Files\SpyZooka
2008-06-13 18:26 . 2008-06-13 18:26 <DIR> d-------- D:\Program Files\Common Files\Download Manager
2008-06-12 21:00 . 2008-06-12 21:03 <DIR> d-------- D:\Program Files\Windows Live Safety Center
2008-06-12 20:47 . 2008-06-12 20:47 <DIR> d-------- D:\Documents and Settings\Tooning\Application Data\Talkback
2008-06-12 20:46 . 2008-06-12 20:46 0 --a------ D:\WINDOWS\nsreg.dat
2008-06-12 01:24 . 2008-06-12 01:24 321,536 --a------ D:\WINDOWS\system32\awtttqOi.dll_old
2008-06-10 22:56 . 2008-06-16 19:57 738 --a------ D:\WINDOWS\wininit.ini
2008-06-10 22:18 . 2008-06-10 22:17 691,545 --a------ D:\WINDOWS\unins000.exe
2008-06-10 22:18 . 2008-06-10 22:18 2,552 --a------ D:\WINDOWS\unins000.dat
2008-06-10 19:18 . 2008-06-14 12:55 <DIR> d-------- D:\Program Files\XoftSpySE
2008-06-08 22:01 . 2008-06-08 22:01 57,856 --a------ D:\WINDOWS\system32\khfFYRkH.dll.vir
2008-06-08 22:00 . 2008-06-12 20:34 <DIR> d-------- D:\WINDOWS\Bigfish Games - Cooking Academy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 01:40 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-06-13 01:35 --------- d-----w D:\Program Files\Google
2008-06-13 01:34 --------- d-----w D:\Program Files\Canon
2008-06-11 04:24 --------- d-----w D:\Documents and Settings\Tooning\Application Data\uTorrent
2008-06-11 04:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 03:20 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-06-10 00:39 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-06-07 05:44 --------- d-----w D:\Documents and Settings\Tooning\Application Data\PlayFirst
2008-05-23 05:54 --------- d-----w D:\Documents and Settings\Tooning\Application Data\Canon
2008-05-22 04:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-05 02:43 --------- d-----w D:\Program Files\Ares
2008-05-04 03:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\Gogii
2008-04-27 00:21 --------- d-----w D:\Documents and Settings\Tooning\Application Data\Ludia
2008-04-27 00:21 --------- d-----w D:\Documents and Settings\All Users\Application Data\Ludia
2008-03-27 08:12 151,583 ----a-w D:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
2007-05-08 19:40 60,168 -c--a-w D:\Documents and Settings\Tooning\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{048ADF87-6419-41F6-B692-B1CC2D9850C8}]
D:\WINDOWS\system32\cbXPhfCU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E8A0E34-D6CD-4A6D-A2DF-369A0D51B86C}]
D:\WINDOWS\system32\xxywTMfD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7EDAC51-86E0-4414-9839-55E3DF486220}]
D:\WINDOWS\system32\awtttqOi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="D:\Program Files\Ares\Ares.exe" [2008-02-20 09:33 963072]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 18:45 313472]
"Orb"="D:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 15:02 495616]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"BPS Spyware Remover"="G:\Games\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\BPS Spyware Remover\SpyRem.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"QuickTime Task"="G:\Games\QTTask.exe" [2008-01-31 23:13 385024]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SSBkgdUpdate"="D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14 155648]
"OpwareSE4"="D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19 69632]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 22:44 185632]
"nmapp"="D:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-06-21 10:25 1069056]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Kodak EasyShare software.lnk - D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 07:26:28 180224]
Kodak software updater.lnk - D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16:12:08 16423]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= D:\PROGRA~1\SpyZooka\spyguard.dll [2005-05-07 23:25 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgdba]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"C:\\Battle For Middle Earth\\Battle 2\\game.dat"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 nmservice;Pure Networks Network Magic Service;"D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe" [2006-06-21 10:12]
R3 SMC55T;SMC EZ Card 10/100 (SMC1255TX-PF);D:\WINDOWS\system32\DRIVERS\SMC55T51.sys [2002-07-05 04:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{796cdb12-5433-11dc-8687-0004e2d3113b}]
\Shell\AutoRun\command - J:\Madden08.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 05:36:52 D:\WINDOWS\Tasks\XoftSpySE 2.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-14 17:55:17 D:\WINDOWS\Tasks\XoftSpySE.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 00:59:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 1:02:48
ComboFix-quarantined-files.txt 2008-06-17 06:01:57
ComboFix2.txt 2008-06-17 05:49:40
ComboFix3.txt 2008-03-22 07:40:32
ComboFix4.txt 2008-03-22 07:30:47
ComboFix5.txt 2008-03-22 06:05:08

Pre-Run: 4,237,029,376 bytes free
Post-Run: 4,220,903,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

143 --- E O F --- 2008-05-16 17:46:44

and my hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:38 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
G:\Torrent\aawservice.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Games\QTTask.exe
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Pure Networks\Network Magic\nmapp.exe
D:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Outlook Express\msimn.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {048ADF87-6419-41F6-B692-B1CC2D9850C8} - D:\WINDOWS\system32\cbXPhfCU.dll (file missing)
O2 - BHO: (no name) - {1435F45D-5EAC-45AC-B3AA-50A3207E9FB2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - (no file)
O2 - BHO: (no name) - {6E8A0E34-D6CD-4A6D-A2DF-369A0D51B86C} - D:\WINDOWS\system32\xxywTMfD.dll (file missing)
O2 - BHO: (no name) - {81EA3F36-357A-435A-8741-52C27CCC9F21} - (no file)
O2 - BHO: (no name) - {C7EDAC51-86E0-4414-9839-55E3DF486220} - D:\WINDOWS\system32\awtttqOi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Games\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [BM5bde2243] Rundll32.exe "D:\WINDOWS\system32\fxftxaef.dll",s
O4 - HKLM\..\Run: [647ec673] rundll32.exe "D:\WINDOWS\system32\rhieteyc.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5896] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4164] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2736] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7192] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1324] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Orb] "D:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BPS Spyware Remover] G:\Games\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\BPS Spyware Remover\SpyRem.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1131] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6030] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7871] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2607] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB265] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2896] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab53083.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab53083.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab53984.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} - http://www.sunbelt-s.../CounterSpy.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab53852.cab
O20 - Winlogon Notify: hgdba - D:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Torrent\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Torrent\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Torrent\Spyware Doctor\pctsSvc.exe

--
End of file - 10832 bytes
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the Kaspersky log

Rename HijackThis.exe to Toon.exe


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
D:\WINDOWS\system32\xxywTMfD.dll_old
D:\WINDOWS\system32\awtttqOi.dll_old
D:\WINDOWS\system32\khfFYRkH.dll.vir
J:\Madden08.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{796cdb12-5433-11dc-8687-0004e2d3113b}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Also post a new Hijackthis log
  • 0

#5
tooning

tooning

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Kaspersky Froze at 51% and woldn't let me save thelog I will try again tonight and post then . I will also do the combofix stuff.

Thank you for helping me.
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Try not to use your PC while Kaspersky is running
  • 0

#7
tooning

tooning

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I believe it worked thank you. here is my hijack this log. The scan only gotr to 27% that time and I had nothing running.

Thank you againin





R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {048ADF87-6419-41F6-B692-B1CC2D9850C8} - D:\WINDOWS\system32\cbXPhfCU.dll (file missing)
O2 - BHO: (no name) - {1435F45D-5EAC-45AC-B3AA-50A3207E9FB2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - (no file)
O2 - BHO: (no name) - {81EA3F36-357A-435A-8741-52C27CCC9F21} - D:\WINDOWS\system32\pmnoLbcA.dll
O2 - BHO: {e5d8ba6f-3ce0-d088-b364-0c14839ebcca} - {accbe938-41c0-463b-880d-0ec3f6ab8d5e} - D:\WINDOWS\system32\bctjfpig.dll
O2 - BHO: (no name) - {C7EDAC51-86E0-4414-9839-55E3DF486220} - D:\WINDOWS\system32\awtttqOi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Games\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [647ec673] rundll32.exe "D:\WINDOWS\system32\oyixynng.dll",b
O4 - HKLM\..\Run: [BM5bde2243] Rundll32.exe "D:\WINDOWS\system32\fxftxaef.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5896] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4164] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2736] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7192] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1324] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Orb] "D:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BPS Spyware Remover] G:\Games\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\BPS Spyware Remover\SpyRem.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1131] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6030] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7871] command /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2607] cmd /c del "D:\Documents and Settings\All Users\Start Menu\Programs\RegistryFix\Uninstall RegistryFix.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB265] command /c del "D:\WINDOWS\b152.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2896] cmd /c del "D:\WINDOWS\b152.exe_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab53083.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab53083.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shoc...otoy/OTOYAX.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab53984.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} - http://www.sunbelt-s.../CounterSpy.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab53852.cab
O20 - Winlogon Notify: hgdba - D:\WINDOWS\
O20 - Winlogon Notify: pmnoLbcA - D:\WINDOWS\SYSTEM32\pmnoLbcA.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:\Torrent\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Torrent\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Torrent\Spyware Doctor\pctsSvc.exe

--
End of file - 10713 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the ComboFix log
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP