I already started a thread on this in the general forum (http://www.malwareby...749) but because of some problems I was told to make a thread here.
Basically it wouldn't let me run mbam.exe and now when I start my computer up it only shows my wallpaper and I don't have any access to my icons, the taskbar, or the start menu. The only way I got to these forums was by typing firefox.exe into "new task" on windows task manager. mbam.exe is still blocked, even when I tried to run it in safe mode with networking.
Any help is greatly appreciated.
#1
Posted 20 June 2009 - 04:54 PM
#2
Posted 20 June 2009 - 05:05 PM
Let's see if we can finish what we started elsewhere. Sorry for the move, but the tools I would like you to try need to be used under guidance unless you are a very advanced user, so we tend not to post this stuff in the general forum.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#3
Posted 20 June 2009 - 05:43 PM
I tried downloading and running combofix.exe and I went to open it and nothing happened, so I redownloaded it to try again with another link, but it saved it as combofix(2).exe and it says I can't run it under that name, but I can't get to my desktop/any folders to rename it. I already printed out the instructions so now I just have to get it to run.
#4
Posted 20 June 2009 - 06:39 PM
OK, try booting into safe mode... this should give your desktop back.
Rename combofix.exe to winlogon.exe and see if it runs.
#5
Posted 20 June 2009 - 11:12 PM
I still can't get to my desktop through safe mode, all it is is a black screen that says safe mode in the bottom 2 corners, and some text at the top. Still no taskbar or start menu either.
#6
Posted 21 June 2009 - 12:06 AM
OK, this is definitely very tricky, it appears.
Try downloading ComboFix again but save it as winlogon.exe.
Boot into safe mode and use Task Manager to launch that file (if you have saved it to the desktop then it will be listed in the Desktop folder).
Let's see if that works.
#7
Posted 21 June 2009 - 01:52 AM
OK, I was able to run it by renaming it, but this time when I ran it, a message popped up saying something about files from a rootkit or something, and it gave me a list of files and told me to write them down as it may need them later, then it rebooted my computer and nothing happened when it started up. I re-ran the program and this time it said Deleting files: and went through a bunch, then ended at "could not find batch file" and then stopped doing anything.
This happens at the part when it says it's scanning for infected files. On the link you posted it says it should go through the stages, but instead does this. Oh, and I ran it in both normal mode and safe mode.
#8
Posted 21 June 2009 - 11:58 AM
OK, so what were some of the files by name?
#9
Posted 21 June 2009 - 01:07 PM
C:\WINDOWS\system32\drivers\UACaibiqhbtiyxwbdu.sys
C:\WINDOWS\system32\UACdqjomloeqwupfqm.dll
C:\WINDOWS\system32\UACosjnbajxqlixtfk.dat
C:\WINDOWS\system32\UACukckwktbtqtuxji.dll
C:\WINDOWS\system32\UACrifpllviburuboe.dll
C:\WINDOWS\system32\UACngyxkhoscdppakt.dll
C:\WINDOWS\system32\UACmxrqhdtxybmrkqn.db
C:\WINDOWS\system32\UACtchngrrskymdtta.dll
C:\WINDOWS\system32\UACkypycjlunobckdq.dll
C:\WINDOWS\system32\UACutswwxymyeltecu.log
C:\WINDOWS\system32\UACjgmgvmmrkfoyoam.log
C:\WINDOWS\system32\UACrrucjnwillbmttpm.log
That's what it told me to write down, I hope I didn't make any typos.
#10
Posted 21 June 2009 - 01:53 PM
Oh joy, CLB driver/WinNT Alureon infection onboard.
Right, we are going to need to attack this one file in order to kill that rootkit infection:
C:\WINDOWS\system32\drivers\UACaibiqhbtiyxwbdu.sys
Check the following walkthrough as a guide >>>
http://www.malwareby...showtopic=12709
Download and save RootRepeal as svchost.exe to your desktop.
Use Task Manager to now launch RootRepeal (svchost.exe).
Run the hidden file scan only, locate UACaibiqhbtiyxwbdu.sys in the output listing, highlight the line and select the wipe file option.
Once the wipe is performed, immediately restart the computer.
Open MBAM, update it and run a quick scan. Allow it to delete what it finds and reboot the computer.
Rerun ComboFix as first instructed and post back the MBAM scan log + ComboFix log + HijackThis log.
Thanks in advance.
#11
Posted 21 June 2009 - 08:18 PM
I ran the scan the first time, and didn't see the file you mentioned, so I re-ran it, and this time it came up with less files it detected, but this is the report.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/21 16:06
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP2
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\drivers\fabbtoltv.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Status: Could not get file information (Error 0xc0000008)
==EOF==
#12
Posted 21 June 2009 - 08:28 PM
OK, maybe ComboFix hit our CLB variant, but now there is another rootkit file present.
If possible, can you run RootRepeal again?
Please use it to wipe the following file only:
Path: C:\WINDOWS\system32\drivers\fabbtoltv.sys
Reboot and check again if any of the tools are now working.
#13
Posted 21 June 2009 - 08:54 PM
OK, I wiped it but nothing changed. Oh and, for some reason I was able to open RootRepeal without changing the name to svchost.exe.
#14
Posted 21 June 2009 - 09:21 PM
OK, just want to double-check at this point: when I say "are tools working" I mean, will MBAM run or ComboFix complete its scan?
The lock-out(s) will not be cured by removing malware; these are system settings that can be addressed once the active malware has been removed.
Also, is RootRepeal still showing str.sys as hidden from WinAPI?
#15
Posted 21 June 2009 - 11:55 PM
Oh didn't know what you meant by tools, haha. But what a relief it is to see mbam run again.
I'm going to reboot and run ComboFix next; here's the MBAM log.
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2
6/21/2009 7:52:03 PM
mbam-log-2009-06-21 (19-52-03).txt
Scan type: Quick Scan
Objects scanned: 101422
Time elapsed: 7 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ce793ca-d16f-4e25-b347-50aac438750c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ce793ca-d16f-4e25-b347-50aac438750c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3c9ce04-ed8e-488a-b76b-9eef26b4f65c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e3c9ce04-ed8e-488a-b76b-9eef26b4f65c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\~TMB6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\owesrcanmx.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UACda04.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
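Added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM 1.x log format posted above. It cross-checks the header counts against the entries actually listed (a quick way to spot a truncated or re-wrapped paste) and pulls the extra executable out of the Hijack.Userinit entry, the finding a defender would triage first. The embedded sample log is constructed from entries in this thread, shortened, with each entry on one line.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into structured findings.

Added example, not code from the thread or from Malwarebytes. The format it
reads is the one posted above: summary lines "<Section>: <count>", then one
block per section whose entries end in "(<Detection>) -> <action>".
"""
import re
from collections import OrderedDict

# Sample log constructed for this example from entries posted in the thread,
# shortened and with each entry on a single line.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2
Scan type: Quick Scan
Objects scanned: 101422
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7ce793ca-d16f-4e25-b347-50aac438750c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
USERINIT_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return (summary, findings): header counts and {section: [entry dicts]}."""
    summary, findings, current = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # e.g. "Files Infected: 8"
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "Files Infected:" opens a block
            current = m.group("section")
            findings[current] = []
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings[current].append(m.groupdict())
    return summary, findings


def summary_mismatches(summary, findings):
    """Sections whose header count disagrees with the entries actually listed
    (a sanity check that a pasted log was not truncated or re-wrapped)."""
    return {s: (n, len(findings.get(s, []))) for s, n in summary.items()
            if n != len(findings.get(s, []))}


def userinit_extras(findings):
    """Executables the Hijack.Userinit entry shows appended to the
    Winlogon\\Userinit value beyond the legitimate one (the 'Good:' value)."""
    extras = []
    for entry in findings.get("Registry Data Items Infected", []):
        if entry["detection"] != "Hijack.Userinit":
            continue
        m = USERINIT_RE.search(entry["action"])
        if not m:
            continue
        good = m.group("good").strip().lower()
        for exe in m.group("bad").split(","):
            exe = exe.strip()
            if exe and exe.lower().rsplit("\\", 1)[-1] != good:
                extras.append(exe)
    return extras


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", summary_mismatches(summary, findings) or "none")
    print("Userinit extras:", userinit_extras(findings))
    for section, entries in findings.items():
        for e in entries:
            print(f"{section}: {e['detection']} @ {e['item']}")
```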
#16
Posted 22 June 2009 - 12:32 AM
Awesome, now I have my desktop back, can't thank you enough.
ComboFix worked and here's the report (sorry for the double post).
Also how do I get the HiJackThis log?
ComboFix 09-06-20.04 - Owner 06/21/2009 20:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.555 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\.#
c:\recycler\S-1-5-21-2376729691-3291624240-4135725320-500
c:\recycler\S-1-5-21-2926536862-2784431789-1591830859-500
c:\temp\1cb
C:\WinLogon
c:\documents and settings\Owner\Application Data\.#\MBX@270@B14950.###
c:\documents and settings\Owner\Application Data\.#\MBX@270@B14960.###
c:\documents and settings\Owner\Application Data\.#\MBX@270@B14970.###
c:\documents and settings\Owner\Application Data\.#\MBX@270@B14D50.###
c:\documents and settings\Owner\Application Data\.#\MBX@5D0@B148E0.###
c:\documents and settings\Owner\Application Data\.#\MBX@5D0@B148F0.###
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Tasks\fpwwnqzb.job
c:\winlogon\CfReboot.dat
c:\winlogon\d-del4AV.dat
c:\winlogon\d-delA.dat
c:\winlogon\drev.dat
c:\winlogon\ErrTrap1
c:\winlogon\LSPDone
c:\winlogon\mtee.cfexe
c:\winlogon\MWindows.dat
c:\winlogon\mynul.dat
c:\winlogon\mypictures.folder.dat
c:\winlogon\n.com
c:\winlogon\N_\11479
c:\winlogon\N_\19260
c:\winlogon\N_\20289
c:\winlogon\N_\26290
c:\winlogon\N_\3919
c:\winlogon\N_\8852
c:\winlogon\N_\9086
c:\winlogon\N_\9459
c:\winlogon\N_\9612
c:\winlogon\ND_.bat
c:\winlogon\ndis_combofix.dat
c:\winlogon\netsvc.bad.dat
c:\winlogon\netsvc.dat
c:\winlogon\NetworkService.dat
c:\winlogon\NirCmd.cfexe
c:\winlogon\Nircmd.com
c:\winlogon\NirCmdC.cfexe
c:\winlogon\NlsLanguageDefault
c:\winlogon\notifykeys.dat
c:\winlogon\NT-OS.cmd
c:\winlogon\NULL
c:\winlogon\OsId.txt
c:\winlogon\OSid.vbs
c:\winlogon\OsVer
c:\winlogon\Owner.user.cf
c:\winlogon\pend.txt
c:\winlogon\personal.folder.dat
c:\winlogon\pev.cfexe
c:\winlogon\pev.exe
c:\winlogon\Policies.dat
c:\winlogon\PreDIR
c:\winlogon\Prep.inf
c:\winlogon\ProcessKiLL00
c:\winlogon\ProcessKiLL01
c:\winlogon\Profiles.Folder.dat
c:\winlogon\progfile.dat
c:\winlogon\programs.folder.dat
c:\winlogon\Purity.dat
c:\winlogon\pv.cfexe
c:\winlogon\RCLink.dat
c:\winlogon\RcRdy
c:\winlogon\RcVer00
c:\winlogon\REGDACL.sed
c:\winlogon\RegDo.sed
c:\winlogon\region.dat
c:\winlogon\RegScan.cmd
c:\winlogon\regt.cfexe
c:\winlogon\Resident.txt
c:\winlogon\RestoreO4.bat
c:\winlogon\Rkey.cmd
c:\winlogon\rogues.dat
c:\winlogon\run.sed
c:\winlogon\run2.sed
c:\winlogon\Rust.str
c:\winlogon\safeboot.dat
c:\winlogon\safeboot.def.dat
c:\winlogon\safeboot.def.vista.dat
c:\winlogon\SafeBootRepair.bat
c:\winlogon\sed.cfexe
c:\winlogon\SetEnvmt.bat
c:\winlogon\SetPath.bat
c:\winlogon\setpath.cfexe
c:\winlogon\SF.exe
c:\winlogon\sfx.cmd
c:\winlogon\SnapShot.cmd
c:\winlogon\SRestore.cmd
c:\winlogon\srizbi.md5
c:\winlogon\startmenu.folder.dat
c:\winlogon\startup.folder.dat
c:\winlogon\SuppScan.cmd
c:\winlogon\Suspect_feixue
c:\winlogon\Suspect_ntfy.dat
c:\winlogon\svc_wht.dat
c:\winlogon\SvcDrv.vbs
c:\winlogon\svchost.dat
c:\winlogon\SvcTarget.dat
c:\winlogon\SWREG.cfexe
c:\winlogon\swreg.exe
c:\winlogon\swsc.cfexe
c:\winlogon\swxcacls.cfexe
c:\winlogon\SysPath.dat
c:\winlogon\system_ini.dat
c:\winlogon\tail.cfexe
c:\winlogon\templates.folder.dat
c:\winlogon\toolbar.sed
c:\winlogon\unhand.dat
c:\winlogon\v_wht.dat
c:\winlogon\version.txt
c:\winlogon\VInfo
c:\winlogon\ViPev00
c:\winlogon\ViPev01
c:\winlogon\vistareg.dat
c:\winlogon\vRun_DLL
c:\winlogon\vundonames.dat
c:\winlogon\w2kreg.dat
c:\winlogon\whitedir.dat
c:\winlogon\whitedirCreated.dat
c:\winlogon\Windir.dat
c:\winlogon\Wmi_rem.vbs
c:\winlogon\WowDone.dat
c:\winlogon\XP.mac
c:\winlogon\xpreg.dat
c:\winlogon\zDomain.dat
c:\winlogon\zhsvc.dat
c:\winlogon\zip.cfexe
c:\winlogon\Zlob01
D:\Autorun.inf
D:\Desktop.ini
c:\windows\system32\proquota.exe . . . is missing!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_TNIDRIVER
((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.
2009-06-20 03:01 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-20 03:01 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-20 03:01 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-20 03:01 . 2009-06-22 00:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 03:01 . 2009-06-20 03:01 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-20 03:01 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-20 03:01 . 2009-06-22 00:12 -------- d-----w- c:\program files\Spyware Doctor
2009-06-20 03:01 . 2009-06-20 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-20 03:01 . 2009-06-20 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-19 01:39 . 2009-06-19 01:39 174 ----a-w- C:\nm8912.bat
2009-06-19 01:39 . 2009-06-19 01:39 14336 ---h--w- c:\windows\ld10.exe
2009-06-19 01:39 . 2009-06-19 01:39 80128 ----a-w- c:\windows\system32\drivers\fabbtoltv.sys
2009-06-06 23:45 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 23:45 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 06:03 . 2008-09-08 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-20 15:14 . 2008-08-12 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-16 03:35 . 2006-04-23 20:45 -------- d-----w- c:\program files\Steam
2009-06-05 02:03 . 2006-05-08 00:14 10132 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-12 22:34 . 2005-01-10 01:26 86168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 03:20 . 2009-05-12 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-12 03:18 . 2006-02-15 12:32 -------- d-----w- c:\program files\Microsoft Works
2009-05-12 03:18 . 2009-05-12 03:18 -------- d-----w- c:\program files\MSBuild
2009-05-12 03:16 . 2009-05-12 03:16 -------- d-----w- c:\program files\Microsoft.NET
2009-05-12 03:12 . 2009-05-12 03:12 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-07 20:12 . 2006-04-23 20:59 -------- d-----w- c:\program files\Graal
2007-04-09 02:41 . 2007-04-09 02:41 1458917 ----a-w- c:\program files\WinRAR.rar
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-03 2832280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-13 180269]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-06-12 1181576]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-25 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\progra~1\COMMON~1\stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17243:TCP"= 17243:TCP:BitComet 17243 TCP
"17243:UDP"= 17243:UDP:BitComet 17243 UDP
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/19/2009 11:01 PM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/19/2009 11:01 PM 348752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2007 11:00 PM 24652]
S1 sfloppyy;sfloppyy;c:\windows\system32\drivers\sfloppyy.sys --> c:\windows\system32\drivers\sfloppyy.sys [?]
S2 ejicdaf;ejicdaf;c:\windows\system32\drivers\fabbtoltv.sys [6/18/2009 9:39 PM 80128]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-08 23:30]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 20:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
- - - - - - - > 'explorer.exe'(5996)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\COMMON~1\stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\stardock\SDMCP.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\pctsSvc.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Zune\ZuneNss.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-06-22 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-22 00:28
Pre-Run: 68,838,322,176 bytes free
Post-Run: 72,846,827,520 bytes free
350 --- E O F --- 2009-01-15 08:02
Also how do I get the HiJackThis log?
#17
Posted 22 June 2009 - 09:14 AM
Cool, looks like we're well on our way now the tools are operational.
[*]Please download this program Trend Micro HijackThis to your desktop.
[*]Double-click on it to run and install it.
[*]Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
[*]Copy and paste the contents of that file into your next post.
#18
Posted 22 June 2009 - 01:41 PM
Ok, here's the HiJackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:03 AM, on 6/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10939 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:03 AM, on 6/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10939 bytes
#19
Posted 22 June 2009 - 01:49 PM
Ok, well, both Combofix and Hijackthis are showing clear from malware infection, so how is your computer now, any issues remaining?
#20
Posted 22 June 2009 - 02:34 PM
Nope, everything seems to be running fine now. Is there anything left to do?