Can you take a look at this hijackthis log please? Also, task manager, regedit are disabled by administrator. thanks
 |
 |
 |
 |
|
|||||||
| Windows XP/2000 - help posted in the Operating Systems forums; I have virus alert in system tray by the clock. Can you take a look at this hijackthis log please? Also, task manager, regedit are disabled by administrator. thanks... |
|
10-10-2008
|
#1 |
|
Silver Member
 
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 175 PC Experience: Some Experience
|
help
I have virus alert in system tray by the clock.
Can you take a look at this hijackthis log please? Also, task manager, regedit are disabled by administrator. thanks |
|
|
| Advertisement - Register to Remove | |
|
|
10-10-2008
|
#2 |
|
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,865 PC Experience: Elite PC Guru
|
Re: help
Please do not attatch log.Copy and paste them...thanks.
Run both these programs. Please download Malwarebytes' Anti-Malware from one of these places: |MG| Malwarebytes Anti-Malware 1.28 http://www.besttechie.net/tools/mbam-setup.exe Double Click mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform Quick Scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy&Paste the entire report in your next reply along with a fresh HijackThis log. Please Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. ================================================== =================================== ================================================== =================================== Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool: Go here ======> A guide and tutorial on using ComboFix <====== Go here Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2.Do not use for Vista. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should get a prompt that says: The Recovery Console was successfully installed. Please continue as follows: (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. (2) Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt New HijackThis log. Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
My real name is Eddy
|
|
|
|
|
10-11-2008
|
#3 |
|
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 175 PC Experience: Some Experience
|
Re: help
here are the logs, sorry i didnt know i was supposed to paste the logs, i just always used to send attachments.
thanks fay Malwarebytes' Anti-Malware 1.28 Database version: 1253 Windows 5.1.2600 Service Pack 2 10/11/2008 3:42:11 AM mbam-log-2008-10-11 (03-42-11).txt Scan type: Quick Scan Objects scanned: 48924 Time elapsed: 28 minute(s), 13 second(s) Memory Processes Infected: 1 Memory Modules Infected: 3 Registry Keys Infected: 29 Registry Values Infected: 23 Registry Data Items Infected: 24 Folders Infected: 2 Files Infected: 60 Memory Processes Infected: C:\Documents and Settings\All Users\Application Data\mpyzqfmb\glctcnun.exe (Trojan.Downloader) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\khfGaaXN.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\qqqvxnyf.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\vtUkllmM.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{0c2aa4ae-6943-4987-9098-2e2c7c284571} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{0c2aa4ae-6943-4987-9098-2e2c7c284571} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{33ac7d18-dc35-4d1a-940e-afd5fc5c3327} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtukllmm (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{33ac7d18-dc35-4d1a-940e-afd5fc5c3327} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{48048F27-CB4E-7749-1F0D-04651192D874} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\peltodgx.bmfr (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{76acfa97-b729-4285-8787-10425443ad95} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{0067e1b4-ecbd-47d6-8f88-80e14fb90295} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ca5df1da-5181-4190-b40b-e3fd8fb1eaed} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d0b25d9b-fee7-4cca-abf6-7130c66d7efd} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a0b0202f-af0e-4971-9061-c39be55b6f34} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{71e3527a-0a0d-4def-a355-cbb12ecc968c} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{53f07029-e73a-4dbd-aca5-e978da30423a} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a82789c7-866a-4f26-bf5d-68e9dffeae1e} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{3396b97e-39f0-49fa-834f-14e7e771d44b} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{3396b97e-39f0-49fa-834f-14e7e771d44b} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\600f5591 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\sysprocapl (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\Explorer\Run\mqyp1ee9qv (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{33ac7d18-dc35-4d1a-940e-afd5fc5c3327} (Trojan.Vundo) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\antivirus (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ca5df1da-5181-4190-b40b-e3fd8fb1eaed} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\rhcrkaj0ev1g (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur191.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur192.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur193.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur194.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur19a.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur2.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\\yur1.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\rwlfsdmk (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Delete on reboot. HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfgaaxn -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfgaaxn -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (PC Clean Pro) Good: (Google) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00102) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoStartMenuMoreProgram s (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\khfGaaXN.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\NXaaGfhk.ini (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\NXaaGfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vtUkllmM.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\qqqvxnyf.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\fynxvqqq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\iwhvmkg\sysprocapl.dll (Trojan.FakeAlert.H) -> Delete on reboot. C:\Documents and Settings\All Users\Application Data\mpyzqfmb\glctcnun.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. C:\Program Files\MicroAV\MicroAV.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\peltodgx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\eldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\blphcvkaj0ev1g.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MicroAV.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vtUlMeDS.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\YUR6.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\YUR7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\YUR8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\YURA.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\YURC.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\5ADCE2E5.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DONM7UT7\hyta[1].jpg (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\P4DBG9P0\uaqrta[1].jpg (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Local Settings\Temporary Internet Files\Content.IE5\0E8D81CC\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully. C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\a.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Delete on reboot. C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Delete on reboot. C:\WINDOWS\dfmlxbpkqma.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lphcvkaj0ev1g.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\phcvkaj0ev1g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\josh striker\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully. ComboFix 08-10-10.09 - josh striker 2008-10-11 5:10:43.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.286 [GMT -7:00] Command switches used :: C:\Documents and Settings\josh striker\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\josh striker\Application Data\FunWebProducts C:\Program Files\Common Files\{300F5~1 C:\Program Files\Common Files\{600F5~1 C:\Program Files\internet explorer\msimg32.dll C:\Program Files\outlook C:\Program Files\pppatc~1 C:\Program Files\winupdates C:\WINDOWS\dat.txt C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\search_res.txt C:\WINDOWS\system32\asfoyvme.ini C:\WINDOWS\system32\AutoRun.inf C:\WINDOWS\system32\bszip.dll C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\WINDOWS\system32\dbfb.dll C:\WINDOWS\system32\ekfikbsk.dll C:\WINDOWS\system32\eksxwrdd.ini C:\WINDOWS\system32\HOWacccf.ini2 C:\WINDOWS\system32\hxqlrbdo.ini C:\WINDOWS\system32\khfGaaXN.dll C:\WINDOWS\system32\mlnnoqru.ini2 C:\WINDOWS\system32\ncmmonuu.ini C:\WINDOWS\system32\NXaaGfhk.ini C:\WINDOWS\system32\NXaaGfhk.ini2 C:\WINDOWS\system32\qktnit.dll C:\WINDOWS\system32\TDSSadw.dll C:\WINDOWS\system32\TDSSerrors.log C:\WINDOWS\system32\tdssinit.dll C:\WINDOWS\system32\tdssl.dll C:\WINDOWS\system32\tdsslog.dll C:\WINDOWS\system32\tdssmain.dll C:\WINDOWS\system32\TDSSserf.dll C:\WINDOWS\system32\tdssservers.dat C:\WINDOWS\system32\vtUkllmM.dll C:\WINDOWS\system32\vwroyrhx.ini C:\WINDOWS\system32\winsrc.dll.tmp C:\WINDOWS\system32\wnsapiit.exe C:\WINDOWS\system32\xhryorwv.dll C:\WINDOWS\system32\xpsyhomm.ini C:\WINDOWS\system32\xtuclccq.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MYWEBSEARCHSERVICE -------\Legacy_SYSREST.SYS -------\Service_b79ab35d ((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))) . 2008-10-11 02:16 . 2008-10-11 02:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-11 02:16 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-11 02:16 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-10 01:36 . 2008-10-10 01:36 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-10 00:11 . 2008-06-10 16:50 590,081 --a------ C:\WINDOWS\_detmp.1 2008-09-26 16:02 . 2008-10-11 04:48 <DIR> d-------- C:\Program Files\iwhvmkg 2008-09-26 16:02 . 2008-10-11 03:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mpyzqfmb 2008-09-26 00:21 . 2008-09-26 00:21 <DIR> d-------- C:\Program Files\The Weather Channel FW 2008-09-25 22:50 . 2008-09-25 22:50 <DIR> d----c--- C:\64eccb145f9f0d6b30295b0895 2008-09-25 16:41 . 2008-09-25 16:41 <DIR> d-------- C:\Program Files\Sun 2008-09-25 16:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-09-25 16:32 . 2008-09-25 17:19 <DIR> d-------- C:\Program Files\LimeWire 2008-09-25 01:07 . 2008-09-25 01:07 <DIR> d-------- C:\Program Files\7-Zip 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Program Files\Diino 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Documents and Settings\josh striker\Application Data\Diino 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\drivers\BCMDM.sys 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys 2008-09-21 16:06 . 2008-09-21 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-10-11 09:02 --------- d-----w C:\Documents and Settings\josh striker\Application Data\U3 2008-10-10 07:11 --------- d-----w C:\Program Files\SiS Compatible VGA V2.09L 2008-10-10 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-10 07:05 --------- d-----w C:\Program Files\Prima Games 2008-09-26 17:30 --------- d-----w C:\Documents and Settings\josh striker\Application Data\uTorrent 2008-09-26 00:19 --------- d-----w C:\Program Files\Incomplete 2008-09-26 00:19 --------- d-----w C:\Documents and Settings\josh striker\Application Data\LimeWire 2008-09-25 23:40 --------- d-----w C:\Program Files\Java 2008-09-21 23:00 --------- d-----w C:\Program Files\Yahoo! 2008-09-18 06:38 --------- d-----w C:\Program Files\Sonic 2008-08-28 08:35 --------- d-----w C:\Program Files\Winamp Toolbar 2008-08-28 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar 2008-08-28 08:33 --------- d-----w C:\Program Files\Winamp 2008-08-26 08:19 --------- d-----w C:\Program Files\BitLord2 2008-08-26 08:10 --------- d-----w C:\Program Files\uTorrent 2008-08-25 08:58 --------- d-----w C:\Program Files\Windows Live Safety Center 2008-08-25 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\services 2008-08-25 08:28 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Malwarebytes 2008-08-25 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-25 07:48 --------- d-----w C:\Program Files\Real 2008-08-25 07:47 --------- d-----w C:\Program Files\NCH Software 2008-08-25 07:18 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP 2008-08-25 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software 2008-08-25 06:39 --------- d-----w C:\Program Files\Ahead 2008-08-25 06:26 --------- d-----w C:\Program Files\MSN Messenger 2008-08-25 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-08-25 06:10 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Shareaza 2008-08-25 06:03 --------- d-----w C:\Program Files\Google 2008-08-25 05:52 --------- d-----w C:\Program Files\Winnydows 2008-08-25 05:21 --------- d-----w C:\Program Files\Common Files\Adobe 2008-08-25 05:15 --------- d-----w C:\Program Files\EA GAMES 2008-08-24 12:07 --------- d-----w C:\Program Files\ImTOO 2008-08-15 02:57 --------- d-----w C:\Program Files\WebCyberCoach 2008-08-15 02:57 --------- d-----w C:\Program Files\NCH Swift Sound 2008-08-15 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek 2008-08-12 07:54 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Tenderfoot Games 2007-09-17 19:01 12,187 ----a-w C:\Program Files\hijackthis.log 2007-09-16 05:53 401,720 ----a-w C:\Program Files\HiJackThis.exe 2006-12-20 21:31 379 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb1942.dat 2006-11-24 23:48 177,152 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2289.dat 2006-11-24 23:48 151 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb9325.dat 2006-11-24 23:48 13,046 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb13.dat 2006-11-24 23:48 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb5866.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8475.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8174.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3639.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3330.dat 2006-10-09 05:05 6,144 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2332.dat . ------- Sigcheck ------- 2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\svchost.exe md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied 2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\winlogon.exe md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied 2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe 2008-04-13 17:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\explorer.exe 2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\services.exe md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied 2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\lsass.exe md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied 2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe 2008-04-13 17:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\spoolsv.exe md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-08-22 1234160] "DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "isusscheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "isuspm startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "hotkeyscmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 77824] "pctvoice"="pctspk.exe" [2002-07-09 C:\WINDOWS\system32\pctspk.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\1.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\78.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2] Source= D:\stuff from andy\iTunes Music\My Pictures\photobucket\mary 2.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3] Source= C:\Documents and Settings\josh striker\My Documents\My Pictures\misaluv.jpg FriendlyName= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] "MIEaUGJeIS"= {600F553F-CAA5-FF95-D528-6BAE799DAD71} - C:\WINDOWS\system32\ou.dll [2007-04-16 32768] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=epjqeu.dll qktnit.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^IMVU.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\IMVU.lnk backup=C:\WINDOWS\pss\IMVU.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^Last.fm Helper.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\Last.fm Helper.lnk backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoOE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoSA HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcoholautomount] --a------ 2008-03-20 09:46 217544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter] --a------ 2008-08-13 18:32 206064 C:\Program Files\Dell Support Center\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a------ 2004-12-06 00:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2005-01-27 00:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dw6] --a------ 2008-06-10 16:18 785520 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyelinerun] --a------ 2008-07-28 20:24 425988 C:\Program Files\NCH Software\Eyeline\eyeline.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] --a------ 2008-03-11 21:12 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-04-05 18:22 94208 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence] --a------ 2005-04-05 18:23 114688 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sisusbrg] --------- 2002-04-25 09:06 32768 C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp] --a------ 2004-10-14 18:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP] --a------ 2006-05-24 11:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-07-16 13:57 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-03-18 16:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmsmmsg] --a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "idsvc"=3 (0x3) "GoogleDesktopManager-022208-143751"=3 (0x3) "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "WMPNetworkSvc"=2 (0x2) "StyleXPService"=2 (0x2) "StarWindServiceAE"=2 (0x2) "sprtsvc_dellsupportcenter"=2 (0x2) "gusvc"=2 (0x2) "EyelineService"=2 (0x2) "avast! Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "27627:TCP"= 27627:TCP:BitComet 27627 TCP "27627:UDP"= 27627:UDP:BitComet 27627 UDP "8615:TCP"= 8615:TCP:BitComet 8615 TCP "8615:UDP"= 8615:UDP:BitComet 8615 UDP "86:TCP"= 86:TCP:BroadCam Web Server R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswF sBlk.sys [2008-05-15 20560] R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 17408] R3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\dr ivers\MusCDriverV32.sys [2008-06-04 508544] S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 118106] S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.s ys [2006-01-07 7548] S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 814277] S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\syste m32\snmvtsvc.exe [2008-06-04 184320] S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856] S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys [ ] S4 EyelineService;Eyeline Service;C:\Program Files\NCH Software\Eyeline\eyeline.exe [2008-07-28 425988] S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-11 29744] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder 2008-09-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] . - - - - ORPHANS REMOVED - - - - BHO-{a35381fe-ac71-4c8f-9a41-679fa6f9d654} - C:\WINDOWS\system32\khfGaaXN.dll BHO-{dadc6754-7102-46de-bfab-63d8635f19a3} - (no file) Toolbar-{dadc6754-7102-46de-bfab-63d8635f19a3} - (no file) WebBrowser-{DADC6754-7102-46DE-BFAB-63D8635F19A3} - (no file) WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file) MSConfigStartUp-antivirus - C:\Program Files\MicroAV\MicroAV.exe MSConfigStartUp-lphcvkaj0ev1g - C:\WINDOWS\system32\lphcvkaj0ev1g.exe MSConfigStartUp-PC-Cleaner - C:\Program Files\PC-Cleaner\PC-Cleaner.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\josh striker\Application Data\Mozilla\Firefox\Profiles\fjjuuexq.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FireFox -: prefs.js - STARTUP.HOMEPAGE - DeathNoteonly chat group - 4 the death note fans Light and Misa chat FF -: plugin - C:\Program Files\Google\Google Updater\2.2.969.23408\npCIDetect11.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll . ************************************************** ************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-11 05:27:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\e0dff043-9c95-42b5-a0aa-fc230c49ad40.27\composite.cab 4081 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\e0dff043-9c95-42b5-a0aa-fc230c49ad40.27\e0dff043-9c95-42b5-a0aa-fc230c49ad40.27.xml 3598 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\e0dff043-9c95-42b5-a0aa-fc230c49ad40.27\resources.html 8666 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\e0dff043-9c95-42b5-a0aa-fc230c49ad40.27\script.htm 2768 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\8a412eb0-0619-4348-90d7-b3be69c1fb05.29\8a412eb0-0619-4348-90d7-b3be69c1fb05.29.xml 3666 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\8a412eb0-0619-4348-90d7-b3be69c1fb05.29\composite.cab 4120 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\8a412eb0-0619-4348-90d7-b3be69c1fb05.29\resources.html 10543 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\30f69b45-d5fd-4eef-87de-1546f615163c\8a412eb0-0619-4348-90d7-b3be69c1fb05.29\script.htm 2806 bytes C:\Documents and Settings\josh striker\Local Settings\Application Data\SupportSoft\DellSupportCenter\josh striker\data\sprt_job\415ba785-a12a-4346-93b7-5536215fe53e.2 scan completed successfully hidden files: 9 ************************************************** ************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe -> C:\WINDOWS\system32\xfire_lsp.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe . ************************************************** ************************ . Completion time: 2008-10-11 5:37:07 - machine was rebooted ComboFix-quarantined-files.txt 2008-10-11 12:37:02 Pre-Run: 7,604,097,024 bytes free Post-Run: 7,569,776,640 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOW S [operating systems] C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Micro soft Windows XP Home Edition" /noexecute=optin /fastdetect 361 --- E O F --- 2008-09-26 05:46:55 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:01:42 PM, on 9/17/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\DellSupport\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Digital Line Detect\DLG.exe c:\program files\common files\installshield\updateservice\isuspm.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Alarm\Alarm.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Funcom\The Longest Journey\game.exe C:\Program Files\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Your Home Page Has Been Changed R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file) O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - (no file) O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll O2 - BHO: Metal_and_Rock_Videos toolbar - {dadc6754-7102-46de-bfab-63d8635f19a3} - C:\Program Files\Metal_and_Rock_Videos\tbMet1.dll O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Metal_and_Rock_Videos toolbar - {dadc6754-7102-46de-bfab-63d8635f19a3} - C:\Program Files\Metal_and_Rock_Videos\tbMet1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://acces-direct.net/20222/adh1_sexarea.exe O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab53083.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file) O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing) O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe (file missing) -- End of file - 12185 bytes |
|
|
|
|
10-11-2008
|
#4 |
|
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,865 PC Experience: Elite PC Guru
|
Re: help
Have "HijackThis" fix the following item/s in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and close"HijackThis".Please close any open programs before doing this fix.
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file) O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - (no file) O2 - BHO: (no name) - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file) O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file) O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file) O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing) O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe (file missing) Reboot........................... ================================================== == Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open *notepad* and copy/paste the text in the quotebox below into it:
 Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please. *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*
__________________
My real name is Eddy
|
|
|
|
|
10-12-2008
|
#5 |
|
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 175 PC Experience: Some Experience
|
Re: help
here r the logs:
ComboFix 08-10-11.01 - josh striker 2008-10-11 16:28:25.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -7:00] Running from: C:\Documents and Settings\josh striker\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\josh striker\Desktop\CFScript.txt * Created a new restore point FILE :: C:\WINDOWS\_detmp.1 C:\WINDOWS\nsduo.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\mpyzqfmb C:\WINDOWS\_detmp.1 . ((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))) . 2008-10-11 02:16 . 2008-10-11 02:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-11 02:16 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-11 02:16 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-10 01:36 . 2008-10-10 01:36 <DIR> d-------- C:\Program Files\Trend Micro 2008-09-26 16:02 . 2008-10-11 04:48 <DIR> d-------- C:\Program Files\iwhvmkg 2008-09-26 00:21 . 2008-09-26 00:21 <DIR> d-------- C:\Program Files\The Weather Channel FW 2008-09-25 22:50 . 2008-09-25 22:50 <DIR> d----c--- C:\64eccb145f9f0d6b30295b0895 2008-09-25 16:41 . 2008-09-25 16:41 <DIR> d-------- C:\Program Files\Sun 2008-09-25 16:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-09-25 16:32 . 2008-09-25 17:19 <DIR> d-------- C:\Program Files\LimeWire 2008-09-25 01:07 . 2008-09-25 01:07 <DIR> d-------- C:\Program Files\7-Zip 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Program Files\Diino 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Documents and Settings\josh striker\Application Data\Diino 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\drivers\BCMDM.sys 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys 2008-09-21 16:06 . 2008-09-21 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-10-11 09:02 --------- d-----w C:\Documents and Settings\josh striker\Application Data\U3 2008-10-10 07:11 --------- d-----w C:\Program Files\SiS Compatible VGA V2.09L 2008-10-10 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-10 07:05 --------- d-----w C:\Program Files\Prima Games 2008-09-26 17:30 --------- d-----w C:\Documents and Settings\josh striker\Application Data\uTorrent 2008-09-26 00:19 --------- d-----w C:\Program Files\Incomplete 2008-09-26 00:19 --------- d-----w C:\Documents and Settings\josh striker\Application Data\LimeWire 2008-09-25 23:40 --------- d-----w C:\Program Files\Java 2008-09-21 23:00 --------- d-----w C:\Program Files\Yahoo! 2008-09-18 06:38 --------- d-----w C:\Program Files\Sonic 2008-08-28 08:35 --------- d-----w C:\Program Files\Winamp Toolbar 2008-08-28 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar 2008-08-28 08:33 --------- d-----w C:\Program Files\Winamp 2008-08-26 08:19 --------- d-----w C:\Program Files\BitLord2 2008-08-26 08:10 --------- d-----w C:\Program Files\uTorrent 2008-08-25 08:58 --------- d-----w C:\Program Files\Windows Live Safety Center 2008-08-25 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\services 2008-08-25 08:28 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Malwarebytes 2008-08-25 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-25 07:48 --------- d-----w C:\Program Files\Real 2008-08-25 07:47 --------- d-----w C:\Program Files\NCH Software 2008-08-25 07:18 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP 2008-08-25 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software 2008-08-25 06:39 --------- d-----w C:\Program Files\Ahead 2008-08-25 06:26 --------- d-----w C:\Program Files\MSN Messenger 2008-08-25 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-08-25 06:10 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Shareaza 2008-08-25 06:03 --------- d-----w C:\Program Files\Google 2008-08-25 05:52 --------- d-----w C:\Program Files\Winnydows 2008-08-25 05:21 --------- d-----w C:\Program Files\Common Files\Adobe 2008-08-25 05:15 --------- d-----w C:\Program Files\EA GAMES 2008-08-24 12:07 --------- d-----w C:\Program Files\ImTOO 2008-08-22 06:59 105,984 ----a-w C:\WINDOWS\system32\jnmltf.dll 2008-08-22 06:59 105,984 ----a-w C:\WINDOWS\system32\hncocxql.dll 2008-08-22 06:56 93,696 ----a-w C:\WINDOWS\system32\wxiyylfm.dll 2008-08-15 02:57 --------- d-----w C:\Program Files\WebCyberCoach 2008-08-15 02:57 --------- d-----w C:\Program Files\NCH Swift Sound 2008-08-15 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek 2008-08-12 07:54 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Tenderfoot Games 2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll 2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe 2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll 2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll 2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll 2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll 2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2007-09-17 19:01 12,187 ----a-w C:\Program Files\hijackthis.log 2007-09-16 05:53 401,720 ----a-w C:\Program Files\HiJackThis.exe 2006-12-20 21:31 379 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb1942.dat 2006-11-24 23:48 177,152 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2289.dat 2006-11-24 23:48 151 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb9325.dat 2006-11-24 23:48 13,046 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb13.dat 2006-11-24 23:48 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb5866.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8475.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8174.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3639.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3330.dat 2006-10-09 05:05 6,144 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2332.dat . ------- Sigcheck ------- 2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\svchost.exe md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied 2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\winlogon.exe 2004-08-04 04:00 506368 5595e4328785a8f9ceaeed0d72aa0cd9 C:\WINDOWS\system32\winlogon.exe 2007-06-13 03:23 1035776 7a272482a1a7498259db343750558e22 C:\WINDOWS\explorer.exe 2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe 2008-04-13 17:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\explorer.exe 2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\services.exe md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied 2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\lsass.exe md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied 2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe 2008-04-13 17:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\spoolsv.exe md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied . ((((((((((((((((((((((((((((( snapshot@2008-10-11_ 5.36.27.81 ))))))))))))))))))))))))))))))))))))))))) . + 2008-10-11 23:18:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6f4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-08-22 1234160] "DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "isusscheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "isuspm startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "hotkeyscmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 77824] "pctvoice"="pctspk.exe" [2002-07-09 C:\WINDOWS\system32\pctspk.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\1.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\78.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2] Source= D:\stuff from andy\iTunes Music\My Pictures\photobucket\mary 2.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3] Source= C:\Documents and Settings\josh striker\My Documents\My Pictures\misaluv.jpg FriendlyName= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] "MIEaUGJeIS"= {600F553F-CAA5-FF95-D528-6BAE799DAD71} - C:\WINDOWS\system32\ou.dll [2007-04-16 32768] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=epjqeu.dll qktnit.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^IMVU.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\IMVU.lnk backup=C:\WINDOWS\pss\IMVU.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^Last.fm Helper.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\Last.fm Helper.lnk backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoOE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoSA HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcoholautomount] --a------ 2008-03-20 09:46 217544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter] --a------ 2008-08-13 18:32 206064 C:\Program Files\Dell Support Center\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a------ 2004-12-06 00:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2005-01-27 00:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dw6] --a------ 2008-06-10 16:18 785520 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyelinerun] --a------ 2008-07-28 20:24 425988 C:\Program Files\NCH Software\Eyeline\eyeline.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] --a------ 2008-03-11 21:12 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-04-05 18:22 94208 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence] --a------ 2005-04-05 18:23 114688 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sisusbrg] --------- 2002-04-25 09:06 32768 C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp] --a------ 2004-10-14 18:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP] --a------ 2006-05-24 11:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-07-16 13:57 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-03-18 16:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmsmmsg] --a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "idsvc"=3 (0x3) "GoogleDesktopManager-022208-143751"=3 (0x3) "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "WMPNetworkSvc"=2 (0x2) "StyleXPService"=2 (0x2) "StarWindServiceAE"=2 (0x2) "sprtsvc_dellsupportcenter"=2 (0x2) "gusvc"=2 (0x2) "EyelineService"=2 (0x2) "avast! Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "27627:TCP"= 27627:TCP:BitComet 27627 TCP "27627:UDP"= 27627:UDP:BitComet 27627 UDP "8615:TCP"= 8615:TCP:BitComet 8615 TCP "8615:UDP"= 8615:UDP:BitComet 8615 UDP "86:TCP"= 86:TCP:BroadCam Web Server R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswF sBlk.sys [2008-05-15 20560] R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 17408] R3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\dr ivers\MusCDriverV32.sys [2008-06-04 508544] S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 118106] S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.s ys [2006-01-07 7548] S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 814277] S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\syste m32\snmvtsvc.exe [2008-06-04 184320] S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856] S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys [ ] S4 EyelineService;Eyeline Service;C:\Program Files\NCH Software\Eyeline\eyeline.exe [2008-07-28 425988] S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-11 29744] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 *Newly Created Service* - catchme . Contents of the 'Scheduled Tasks' folder 2008-09-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] . ************************************************** ************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-11 16:31:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe -> C:\WINDOWS\system32\xfire_lsp.dll . Completion time: 2008-10-11 16:34:06 ComboFix-quarantined-files.txt 2008-10-11 23:33:35 Pre-Run: 7,770,898,432 bytes free Post-Run: 7,764,099,072 bytes free 301 --- E O F --- 2008-09-26 05:46:55 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:39:43 PM, on 10/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Winamp Toolbar Loader - {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5ca3d70e-1895-11cf-8e15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [pctvoice] pctspk.exe O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [isuspm startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\josh striker\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O11 - Options group: [java_sun] Java (Sun) O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab53083.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab O20 - AppInit_DLLs: epjqeu.dll qktnit.dll O21 - SSODL: MIEaUGJeIS - {600F553F-CAA5-FF95-D528-6BAE799DAD71} - C:\WINDOWS\system32\ou.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing) O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe O24 - Desktop Component 0: (no name) - D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\1.jpg O24 - Desktop Component 1: (no name) - D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\78.jpg O24 - Desktop Component 2: (no name) - D:\stuff from andy\iTunes Music\My Pictures\photobucket\mary 2.jpg O24 - Desktop Component 3: (no name) - C:\Documents and Settings\josh striker\My Documents\My Pictures\misaluv.jpg -- End of file - 9013 bytes |
|
|
|
|
10-12-2008
|
#6 |
|
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,865 PC Experience: Elite PC Guru
|
Re: help
This should be the last of them.
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open *notepad* and copy/paste the text in the quotebox below into it:
Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please. *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*
__________________
My real name is Eddy
|
|
|
|
|
10-12-2008
|
#7 |
|
Silver Member
Join Date: Apr 2006
Location: Simi Valley, CA
Posts: 175 PC Experience: Some Experience
|
Re: help
more logs:
ComboFix 08-10-11.01 - josh striker 2008-10-11 17:13:22.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -7:00] Running from: C:\Documents and Settings\josh striker\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\josh striker\Desktop\CFScript.txt * Created a new restore point FILE :: C:\WINDOWS\system32\hncocxql.dll C:\WINDOWS\system32\jnmltf.dll C:\WINDOWS\system32\wxiyylfm.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\hncocxql.dll C:\WINDOWS\system32\jnmltf.dll C:\WINDOWS\system32\wxiyylfm.dll . ((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 ))))))))))))))))))))))))))))))) . 2008-10-11 16:57 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys 2008-10-11 02:16 . 2008-10-11 02:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-11 02:16 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-11 02:16 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-10 01:36 . 2008-10-10 01:36 <DIR> d-------- C:\Program Files\Trend Micro 2008-09-26 16:02 . 2008-10-11 04:48 <DIR> d-------- C:\Program Files\iwhvmkg 2008-09-26 00:21 . 2008-09-26 00:21 <DIR> d-------- C:\Program Files\The Weather Channel FW 2008-09-25 22:50 . 2008-09-25 22:50 <DIR> d----c--- C:\64eccb145f9f0d6b30295b0895 2008-09-25 16:41 . 2008-09-25 16:41 <DIR> d-------- C:\Program Files\Sun 2008-09-25 16:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-09-25 16:32 . 2008-09-25 17:19 <DIR> d-------- C:\Program Files\LimeWire 2008-09-25 01:07 . 2008-09-25 01:07 <DIR> d-------- C:\Program Files\7-Zip 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Program Files\Diino 2008-09-25 00:52 . 2008-09-25 00:52 <DIR> d-------- C:\Documents and Settings\josh striker\Application Data\Diino 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\drivers\BCMDM.sys 2008-09-24 21:20 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys 2008-09-21 16:06 . 2008-09-21 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-10-11 09:02 --------- d-----w C:\Documents and Settings\josh striker\Application Data\U3 2008-10-10 07:11 --------- d-----w C:\Program Files\SiS Compatible VGA V2.09L 2008-10-10 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-10 07:05 --------- d-----w C:\Program Files\Prima Games 2008-09-26 17:30 --------- d-----w C:\Documents and Settings\josh striker\Application Data\uTorrent 2008-09-26 00:19 --------- d-----w C:\Program Files\Incomplete 2008-09-26 00:19 --------- d-----w C:\Documents and Settings\josh striker\Application Data\LimeWire 2008-09-25 23:40 --------- d-----w C:\Program Files\Java 2008-09-21 23:00 --------- d-----w C:\Program Files\Yahoo! 2008-09-18 06:38 --------- d-----w C:\Program Files\Sonic 2008-08-28 08:35 --------- d-----w C:\Program Files\Winamp Toolbar 2008-08-28 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar 2008-08-28 08:33 --------- d-----w C:\Program Files\Winamp 2008-08-26 08:19 --------- d-----w C:\Program Files\BitLord2 2008-08-26 08:10 --------- d-----w C:\Program Files\uTorrent 2008-08-25 08:58 --------- d-----w C:\Program Files\Windows Live Safety Center 2008-08-25 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\services 2008-08-25 08:28 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Malwarebytes 2008-08-25 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-25 07:48 --------- d-----w C:\Program Files\Real 2008-08-25 07:47 --------- d-----w C:\Program Files\NCH Software 2008-08-25 07:18 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP 2008-08-25 06:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software 2008-08-25 06:39 --------- d-----w C:\Program Files\Ahead 2008-08-25 06:26 --------- d-----w C:\Program Files\MSN Messenger 2008-08-25 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-08-25 06:10 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Shareaza 2008-08-25 06:03 --------- d-----w C:\Program Files\Google 2008-08-25 05:52 --------- d-----w C:\Program Files\Winnydows 2008-08-25 05:21 --------- d-----w C:\Program Files\Common Files\Adobe 2008-08-25 05:15 --------- d-----w C:\Program Files\EA GAMES 2008-08-24 12:07 --------- d-----w C:\Program Files\ImTOO 2008-08-15 02:57 --------- d-----w C:\Program Files\WebCyberCoach 2008-08-15 02:57 --------- d-----w C:\Program Files\NCH Swift Sound 2008-08-15 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek 2008-08-12 07:54 --------- d-----w C:\Documents and Settings\josh striker\Application Data\Tenderfoot Games 2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll 2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe 2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll 2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll 2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll 2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll 2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2007-09-17 19:01 12,187 ----a-w C:\Program Files\hijackthis.log 2007-09-16 05:53 401,720 ----a-w C:\Program Files\HiJackThis.exe 2006-12-20 21:31 379 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb1942.dat 2006-11-24 23:48 177,152 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2289.dat 2006-11-24 23:48 151 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb9325.dat 2006-11-24 23:48 13,046 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb13.dat 2006-11-24 23:48 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb5866.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8475.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb8174.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3639.dat 2006-11-24 08:40 0 -c--a-r C:\Documents and Settings\josh striker\Application Data\internaldb3330.dat 2006-10-09 05:05 6,144 ----a-r C:\Documents and Settings\josh striker\Application Data\internaldb2332.dat . ------- Sigcheck ------- 2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\svchost.exe md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied 2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\winlogon.exe 2004-08-04 04:00 506368 5595e4328785a8f9ceaeed0d72aa0cd9 C:\WINDOWS\system32\winlogon.exe 2007-06-13 03:23 1035776 7a272482a1a7498259db343750558e22 C:\WINDOWS\explorer.exe 2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe 2008-04-13 17:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\explorer.exe 2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\services.exe md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied 2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\lsass.exe md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied 2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe 2008-04-13 17:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e 88561d2ddb53e183dc05c3e\spoolsv.exe md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied . ((((((((((((((((((((((((((((( snapshot@2008-10-11_ 5.36.27.81 ))))))))))))))))))))))))))))))))))))))))) . + 2008-10-11 23:18:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6f4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-08-22 1234160] "DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "isusscheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "isuspm startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "hotkeyscmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 77824] "pctvoice"="pctspk.exe" [2002-07-09 C:\WINDOWS\system32\pctspk.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\1.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] Source= D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\78.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2] Source= D:\stuff from andy\iTunes Music\My Pictures\photobucket\mary 2.jpg FriendlyName= [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3] Source= C:\Documents and Settings\josh striker\My Documents\My Pictures\misaluv.jpg FriendlyName= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] "MIEaUGJeIS"= {600F553F-CAA5-FF95-D528-6BAE799DAD71} - C:\WINDOWS\system32\ou.dll [2007-04-16 32768] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=epjqeu.dll qktnit.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^IMVU.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\IMVU.lnk backup=C:\WINDOWS\pss\IMVU.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^Last.fm Helper.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\Last.fm Helper.lnk backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^josh striker^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=C:\Documents and Settings\josh striker\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoOE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeekmoSA HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcoholautomount] --a------ 2008-03-20 09:46 217544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter] --a------ 2008-08-13 18:32 206064 C:\Program Files\Dell Support Center\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a------ 2004-12-06 00:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2005-01-27 00:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dw6] --a------ 2008-06-10 16:18 785520 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyelinerun] --a------ 2008-07-28 20:24 425988 C:\Program Files\NCH Software\Eyeline\eyeline.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] --a------ 2008-03-11 21:12 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-04-05 18:22 94208 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence] --a------ 2005-04-05 18:23 114688 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sisusbrg] --------- 2002-04-25 09:06 32768 C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp] --a------ 2004-10-14 18:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP] --a------ 2006-05-24 11:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-07-16 13:57 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-03-18 16:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmsmmsg] --a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "idsvc"=3 (0x3) "GoogleDesktopManager-022208-143751"=3 (0x3) "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "WMPNetworkSvc"=2 (0x2) "StyleXPService"=2 (0x2) "StarWindServiceAE"=2 (0x2) "sprtsvc_dellsupportcenter"=2 (0x2) "gusvc"=2 (0x2) "EyelineService"=2 (0x2) "avast! Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "27627:TCP"= 27627:TCP:BitComet 27627 TCP "27627:UDP"= 27627:UDP:BitComet 27627 UDP "8615:TCP"= 8615:TCP:BitComet 8615 TCP "8615:UDP"= 8615:UDP:BitComet 8615 UDP "86:TCP"= 86:TCP:BroadCam Web Server R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswF sBlk.sys [2008-05-15 20560] R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 17408] R3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\dr ivers\MusCDriverV32.sys [2008-06-04 508544] S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 118106] S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.s ys [2006-01-07 7548] S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 814277] S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\syste m32\snmvtsvc.exe [2008-06-04 184320] S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856] S3 XDva009;XDva009;C:\WINDOWS\system32\XDva009.sys [ ] S4 EyelineService;Eyeline Service;C:\Program Files\NCH Software\Eyeline\eyeline.exe [2008-07-28 425988] S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-11 29744] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 *Newly Created Service* - BANTEXT *Newly Created Service* - catchme . Contents of the 'Scheduled Tasks' folder 2008-09-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] . ************************************************** ************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-11 17:15:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe -> C:\WINDOWS\system32\xfire_lsp.dll . Completion time: 2008-10-11 17:18:19 ComboFix-quarantined-files.txt 2008-10-12 00:17:48 ComboFix2.txt 2008-10-11 23:34:07 Pre-Run: 7,727,722,496 bytes free Post-Run: 7,713,599,488 bytes free 303 --- E O F --- 2008-09-26 05:46:55 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:20:36 PM, on 10/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Winamp Toolbar Loader - {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5ca3d70e-1895-11cf-8e15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [pctvoice] pctspk.exe O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [isuspm startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\josh striker\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O11 - Options group: [java_sun] Java (Sun) O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab53083.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab O20 - AppInit_DLLs: epjqeu.dll qktnit.dll O21 - SSODL: MIEaUGJeIS - {600F553F-CAA5-FF95-D528-6BAE799DAD71} - C:\WINDOWS\system32\ou.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing) O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe O24 - Desktop Component 0: (no name) - D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\1.jpg O24 - Desktop Component 1: (no name) - D:\stuff from andy\iTunes Music\My Pictures\EVIL PIC\78.jpg O24 - Desktop Component 2: (no name) - D:\stuff from andy\iTunes Music\My Pictures\photobucket\mary 2.jpg O24 - Desktop Component 3: (no name) - C:\Documents and Settings\josh striker\My Documents\My Pictures\misaluv.jpg -- End of file - 8934 bytes |
|
|
|
|
| Bookmarks |
| Tags |
| pending, Resolved, Resolved: |
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
