I haven't got rid of the Xsoftspy program as I paid for this program (it's spyware removal software). If you really want me to remove it I will.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:17:56, on 15/05/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal
It is not mandatory that you remove Xsoftspy, only recommended. Xsoftspy is known to generate false warnings about files being infected when they are not. LINK. In either event, let's continue.
Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause the program to freeze/hang.
ComboFix 08-05-15.3 - Paul 2008-05-16 18:31:28.1 - NTFSx86 Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . The following files were disabled during the run: C:\Program Files\TrojanHunter 4.0\THSec.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\.protected C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\Documents and Settings\MCX2\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\Documents and Settings\Paul\Application Data\Dxccwrd.dll C:\Documents and Settings\Paul\Application Data\Dxcdmns.dll C:\Documents and Settings\Paul\Application Data\Dxcknwrd.dll C:\Documents and Settings\Paul\Application Data\Dxcuknwrd.dll C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Deewoo.lnk C:\Documents and Settings\Paul\Start Menu\Programs\Startup\ta_start.lnk C:\Program Files\TrojanHunter 4.0\THSec.dll C:\WINDOWS\dobe~1 C:\WINDOWS\sstem~1 C:\WINDOWS\system32\drivers\etc\.protected C:\WINDOWS\system32\dwdsrngt.exe C:\WINDOWS\system32\gzmrot-uninst.exe C:\WINDOWS\system32\gzmrotate.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\zxdnt3d.cfg
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post, then post the contents of the C:\ComboFix.txt log in your reply.
ComboFix 08-05-15.3 - Paul 2008-05-19 17:21:37.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.516 [GMT 1:00] Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE :: C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll C:\WINDOWS\system32\mwinmkdm.exe C:\WINDOWS\system32\winpfz33.sys . /wow section - STAGE 41 pv: No matching processes found The process cannot access the file because it is being used by another process. The process cannot access the file because it is being used by another process. The process cannot access the file because it is being used by another process. The process cannot access the file because it is being used by another process. The process cannot access the file because it is being used by another process.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
5. Then click on "My Computer", and the scan will start.
6. When the scan is complete, select "Save error report as". In the file name just type kaspersky, under "Save as type" select text (.txt), and save it to your Desktop.
Copy and post the results of the Kaspersky Online scan
Scan Statistics: Total number of scanned objects: 80118 Number of viruses found: 18 Number of infected objects: 63 Number of suspicious objects: 0 Duration of the scan process: 01:17:51
Infected Object Name / Virus Name / Last Action C:\!KillBox\gifamcg.dll Infected: Trojan.Win32.Obfuscated.ev skipped C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_15073280_4248 Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_5701632_4801 Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_86114304_4249 Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{50238F4F-CC03-4C8B-AF75-91C51CFED8CF}.TmpSBE Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{50613A00-0782-46E6-B068-88EE7593A5A3}.TmpSBE Object is locked skipped C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{AEBFB2A3-C41D-434D-BB61-1A8B0A5546E1}.TmpSBE Object is locked skipped C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\01AC84FE-3175-4544-B72E-FD7620\5F5069F8-3452-47AD-AF7C-942BBD Infected: not-a-virus:AdWare.Win32.MediaTickets.n skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\51137278-4F7F-4C14-905E-E64A6B\285FD5C1-983E-4A54-86B2-41FA0B Infected: 
not-a-virus:AdWare.Win32.PurityScan.bu skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5FA9AE38-41E0-45B5-A504-F7D70D\DBCF1F2A-66EE-42D4-BE4B-71DB6C/data0002 Infected: Trojan-Downloader.MSIL.Agent.c skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5FA9AE38-41E0-45B5-A504-F7D70D\DBCF1F2A-66EE-42D4-BE4B-71DB6C NSIS: infected - 1 skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\8A5B67BB-FF64-4BF6-BD57-43FC24\29DE9792-108B-4DF3-8D9A-150901 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\444E6724-3521-4869-8315-909B0B Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\9D652315-268A-45A6-B054-C7E7AE Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\C0F1AFB8-2FFA-43B1-B821-6D84F5 Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temp\~DFB361.tmp Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temp\~DFB36C.tmp Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temp\~DFE960.tmp Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and 
Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
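Before acting on a report like the one above, it helps to separate the entries that are genuine detections from the "Object is locked" entries (files the scanner simply could not open), and to separate detections already sitting in another product's quarantine from those in live files or inside a downloaded archive. The following script is an added example and not part of the thread or of any scanner's own tooling; it assumes only the three line shapes visible in the post (`<path> Infected: <verdict> skipped`, `<path> NSIS: infected - <n> skipped`, `<path> Object is locked skipped`) and uses a constructed sample built from lines quoted in the post.

```python
"""Triage helper for Kaspersky Online Scanner text reports (added example).

Parses the per-object result lines and separates what a helper must tell
apart before asking for deletions:
  - objects the scanner could not open ("Object is locked"): normally
    in-use system or log files, not detections at all;
  - detections inside another product's quarantine folder: already contained;
  - detections in live files or inside archives, where the on-disk
    container (the .zip) is the object that actually has to go.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample assembled from lines quoted in the post above.
SAMPLE_REPORT = r"""
C:\!KillBox\gifamcg.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\444E6724-3521-4869-8315-909B0B Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5FA9AE38-41E0-45B5-A504-F7D70D\DBCF1F2A-66EE-42D4-BE4B-71DB6C NSIS: infected - 1 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DFB361.tmp Object is locked skipped
"""

# One result line has one of three shapes (as observed in the report):
#   <path> Infected: <verdict> <action>
#   <path> NSIS: infected - <n> <action>
#   <path> Object is locked <action>
# Paths contain spaces, so the path group is non-greedy and the remainder
# of the line is anchored to the end.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|NSIS: infected - (?P<nested>\d+)"
    r"|Object is locked) "
    r"(?P<action>\S+)$"
)


@dataclass
class Finding:
    path: str             # object name as printed; archive members use '/'
    verdict: str | None   # None when the object was merely locked
    action: str           # what the scanner did (here always "skipped")
    status: str           # "infected" or "locked"
    location: str         # "quarantine", "archive" or "live"


def classify_location(path: str) -> str:
    """Quarantine folders are already contained; '/' marks an archive member."""
    if "\\quarantine\\" in path.lower():
        return "quarantine"
    if "/" in path:
        return "archive"
    return "live"


def parse_line(line: str) -> Finding | None:
    """Return a Finding for one report line, or None for unrecognised text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict = m.group("verdict")
    if verdict is None and m.group("nested") is not None:
        verdict = f"NSIS installer with {m.group('nested')} infected member(s)"
    status = "infected" if verdict else "locked"
    return Finding(m.group("path"), verdict, m.group("action"),
                   status, classify_location(m.group("path")))


def parse_report(text: str) -> list[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts by status and, for detections only, by location."""
    out = {"locked": 0, "infected": 0, "quarantine": 0, "archive": 0, "live": 0}
    for f in findings:
        out[f.status] += 1
        if f.status == "infected":
            out[f.location] += 1
    return out


def containers_to_review(findings: list[Finding]) -> list[str]:
    """On-disk files behind the detections that are not already quarantined.

    For an archive member the deletable object is the outer file, i.e.
    everything before the first '/', which is how one gets from a hit on
    gazetteer.zip/setup.exe/... to "delete gazetteer.zip".
    """
    paths = {f.path.split("/", 1)[0]
             for f in findings
             if f.status == "infected" and f.location != "quarantine"}
    return sorted(paths)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for p in containers_to_review(found):
        print("review:", p)
```

On the sample, the two locked entries drop out, the two CounterSpy quarantine hits are reported as contained, and the only on-disk files left to review are the DLL in !KillBox and the downloaded gazetteer.zip, which matches the deletion list the helper gives in the next reply.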
(Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
Locate and Delete the following files
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip C:\Documents and Settings\Paul\My Documents\Downloads\sdsetup.exe C:\Documents and Settings\Paul\My Documents\My Music\iphone ringtone maker.zip C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip C:\Program Files\Morpheus\morpheustoolbar.exe
Close windows explorer ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
And in your reply give me an update on how your PC is running now.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:38:50, on 20/05/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal
Your log does show you are running 2 Antivirus programs: Avast! and AVG.
Running 2 Antivirus programs is never a good idea. Since they both do the same job, running 2 can cause conflicts, system slowdowns, and may even allow some malware to slip by. I recommend that you uninstall one of them through Add or Remove Programs.
Once done, reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
And in your reply, tell me which one you decided to keep
bamajim (10.4K Posts), May 14th, 2008 15:00
That's quite an infection you have there. It will take a couple of runs at this to completely remove it so please be patient
Re-run HijackThis.
Then select "Open uninstall manager".
Then "Save list" and save it to your desktop.
Copy and paste that list as a reply to this thread
"The world is what you make of it"
audi321 (33 Posts), May 14th, 2008 21:00
Ok, here goes......
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adssite Browser Optimizer
Agere Systems PCI Soft Modem
Aimersoft DVD to iPhone Converter(Build 1.0.21)
Aimersoft iPhone Converter Suite(Build 1.0.23)
Aimersoft iPhone Video Converter(Build 1.1.0)
Anapod Explorer (remove only)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audio CD Copier
avast! Antivirus
AVG Free Edition
AviSynth 2.5
Befree4iPhone
Bonjour
CCleaner (remove only)
CCScore
Clié Favorites
Deewoo Network Manager removal
DigiGuide TV Guide
DivX Content Uploader
DivX Web Player
eBay Toolbar
Enhancement Browser Tools Rightonadz
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Extension Changer
FinalBurner Free v1.10.0.73
FixTunes (remove only)
Free Audio Editor 2008 v4.7
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hitware Popup Killer Lite 3.0.1.12
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
hp officejet k series
Intellisync Lite
InterVideo FilterSDK for Hauppauge
iPhoneBrowser
iPhoneRingToneMaker 2.1.3
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Jesterware iPhone Video Converter
Jesterware iPhone Video Converter
kgcbase
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LimeWire PRO 4.4.4
Linksys Viewer & Recorder Utility
Macromedia Shockwave Player
MCEBrowser
Media Center Extender
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AutoRoute
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MP3 Wav Editor 3.30
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyPhoneExplorer
netbrdg
NoAdware v4.0
Nokia Connectivity Cable Driver
Nokia Software Updater
Notifier
OfotoXMI
Palm Desktop
ParetoLogic Anti-Spyware
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Remote Desktop Control 1.8
Roxio Burn Engine
SC Audio DJ Mixer 2.3.0.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Serif MoviePlus 5
SFR
SHASTA
SKIN0001
SKINXSDK
Sonic MyDVD Serif Edition
Sony Ericsson PC Suite
Spybot - Search & Destroy 1.3
staticcr
Symphony LED display driver installion(ForOEM)
SYSTRAN Premium 4.0
tooltips
TouchCopy
TrojanHunter 4.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
Videora iPod Converter 3.07
Virtual Earth 3D (Beta)
VPRINTOL
WavePad Uninstall
WebGraphics Optimizer 4.2
WiDESYNC 2.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
WinSCP 4.0.5
WIRELESS
XoftSpy
bamajim
10.4K Posts
0
May 15th, 2008 11:00
1. Go to Add or Remove Programs (Click Start ->> Control Panel ->> Add or Remove Programs)
XoftSpy
Close Add or Remove Programs ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
"The world is what you make of it"
audi321
33 Posts
0
May 15th, 2008 16:00
I haven't got rid of the Xsoftspy program as I paid for this program (it's spyware removal software). If you really want me to remove it I will.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:56, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\SDDetect.exe
C:\WINDOWS\system32\mwinmkdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?mcState=initialized&seamless=novl&sitedomain=sns.webmail.aol.com&lang=en&locale=gb&authLev=2&siteState=ver%3a1%252c0%26ld%3aemail.aol.co.uk%26pv%3aAOL%26lc%3aen-gb%26ud%3aaol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?mcstate=initialized&seamless=novl&sitedomain=sns.webmail.aol.com&lang=en&locale=gb&authlev=2&sitestate=ver%3a1%252c0%26ld%3aemail.aol.co.uk%26pv%3aaol%26lc%3aen-gb%26ud%3aaol.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: rightonadz browser optimizer - {967860c8-23ae-bd9a-4820-c4051dda1e57} - C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{61-11-1D-D0-ZN}] C:\windows\system32\dwdsrngt.exe P2D002
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinmkdm.exe P2D002
O4 - HKLM\..\Run: [{3a913fb7-0ba6-6fcb-3d65-6306f2354358}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll" DllInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BeFree4iPhone] "C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe" /min
O4 - HKCU\..\Policies\Explorer\Run: [{40A611D0-0BB8-2057-0909-05050531002c}] "C:\Program Files\Common Files\{40A611D0-0BB8-2057-0909-05050531002c}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mwinmkdm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: LED Display Driver.lnk = C:\WINDOWS\SDDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.3/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160508098234
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RDC-Host - AQUATRA, Inc. - C:\Program Files\Remote Desktop Control\apc_host.exe
--
End of file - 12889 bytes
bamajim
10.4K Posts
0
May 16th, 2008 11:00
It is not mandatory that you remove Xsoftspy, only recommended. Xsoftspy is known to generate false warnings about files being infected when they are not.
LINK. In either event, let's continue.
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
audi321
33 Posts
0
May 16th, 2008 16:00
Wow, that took some time!
ComboFix 08-05-15.3 - Paul 2008-05-16 18:31:28.1 - NTFSx86
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\TrojanHunter 4.0\THSec.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.protected
C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MCX2\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Paul\Application Data\Dxccwrd.dll
C:\Documents and Settings\Paul\Application Data\Dxcdmns.dll
C:\Documents and Settings\Paul\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Paul\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Paul\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\TrojanHunter 4.0\THSec.dll
C:\WINDOWS\dobe~1
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_IPRIP
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.
2008-05-16 18:36 . 2008-05-16 18:36 43 --a------ C:\Documents and Settings\Paul\chdata.xml
2008-05-15 18:16 . 2008-05-15 18:16 63,916 --a------ C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll-uninst.exe
2008-05-14 11:21 . 2008-05-14 11:21
2008-05-12 16:03 . 2008-05-12 16:03 330,240 --a------ C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
2008-05-07 16:19 . 2008-05-07 16:19 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-05-06 20:33 . 2008-05-06 20:33
2008-05-06 08:19 . 2008-05-06 08:19 13,942 --a------ C:\WINDOWS\system32\N90-002.ico
2008-05-06 06:34 . 2008-05-06 06:34
2008-05-06 06:34 . 2008-05-06 06:34
2008-05-06 06:19 . 2008-05-06 06:19
2008-05-06 04:18 . 2008-05-06 04:18 200,774 --a------ C:\WINDOWS\system32\mwinmkdm.exe
2008-05-06 04:18 . 2008-05-15 18:15 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-06 04:06 . 2008-05-06 04:06
2008-05-06 04:06 . 2008-05-06 04:14
2008-05-06 03:42 . 2008-05-06 03:42
2008-05-06 03:41 . 2008-05-06 03:41
2008-05-06 03:40 . 2008-05-06 03:40
2008-05-06 03:38 . 2008-05-06 03:38
2008-05-06 03:28 . 2008-05-06 03:28
2008-05-06 03:28 . 2008-05-06 03:32
2008-05-06 03:28 . 2005-03-29 07:57 2,084,864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll
2008-05-06 03:28 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-05-06 03:28 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-05-06 03:28 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-05-06 03:28 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-05-06 03:28 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-05-06 03:28 . 2005-03-28 15:54 475,136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
2008-05-06 03:28 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-05-06 03:28 . 2005-03-28 15:56 417,792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll
2008-05-06 03:28 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-05-06 03:22 . 2008-05-06 03:22
2008-05-06 03:19 . 2008-05-06 03:25
2008-05-06 03:08 . 2008-05-06 03:08
2008-05-06 01:31 . 2008-05-15 18:00
2008-05-06 01:31 . 2008-05-06 01:31
2008-05-06 01:17 . 2008-05-08 20:57
2008-05-06 01:13 . 2008-05-06 01:13
2008-05-05 23:10 . 2008-05-05 23:11
2008-05-05 23:10 . 2008-05-05 23:10
2008-04-25 21:07 . 2008-04-25 21:07 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-04-25 21:07 . 2008-04-25 21:07 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-04-16 01:59 . 2008-04-16 01:59
2008-04-16 01:59 . 2002-07-30 08:38 647,168 --a------ C:\WINDOWS\system32\CDWriterXP.ocx
2008-04-16 01:59 . 2002-03-25 00:03 380,928 --a------ C:\WINDOWS\system32\CDRipperX.ocx
2008-04-16 01:59 . 1998-06-18 03:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-04-16 01:21 . 2008-04-16 01:21
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 17:38 --------- d-----w C:\Program Files\TrojanHunter 4.0
2008-05-16 07:00 --------- d-----w C:\Documents and Settings\Paul\Application Data\AVG7
2008-05-05 22:15 --------- d-----w C:\Program Files\QuickTime
2008-04-16 17:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\FinalBurner DATA
2008-04-16 00:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 10:17 --------- d-----w C:\Program Files\Java
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{967860c8-23ae-bd9a-4820-c4051dda1e57}]
2008-05-12 16:03 330240 --a------ C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"PopUpStopperFreeEdition"="C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-04-29 11:40 524288]
"HitwarePKLite"="C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe" [2004-06-18 13:42 177664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 09:52 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"BeFree4iPhone"="C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe" [2008-04-25 21:12 1265664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05 339968]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-15 18:26 26112]
"THGuard"="C:\Program Files\TrojanHunter 4.0\THGuard.exe" [2004-09-02 14:47 1073664]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-20 22:15 652528]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 17:59 124520]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2006-09-25 16:42 108160]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 09:01 579584]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"{61-11-1D-D0-ZN}"="C:\windows\system32\dwdsrngt.exe" [ ]
"{3a913fb7-0ba6-6fcb-3d65-6306f2354358}"="C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll" [2008-05-12 16:03 330240]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-22 10:04 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40 18432]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-06-26 18:13:10 299008]
HPAiODevice(hp officejet k series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe [2002-11-20 13:05:22 151552]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
LED Display Driver.lnk - C:\WINDOWS\SDDetect.exe [2005-01-04 22:11:19 20480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{40A611D0-0BB8-2057-0909-05050531002c}"= "C:\Program Files\Common Files\{40A611D0-0BB8-2057-0909-05050531002c}\Update.exe" mc-110-12-0000272
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_Admin.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_host.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_hostconfig.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\E.W.E.-Software\\Befree4iPhone\\befree4iphone.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;C:\WINDOWS\system32\drivers\hcw88aud.sys [2007-01-23 21:25]
R2 RDC-Host;RDC-Host;C:\Program Files\Remote Desktop Control\apc_host.exe [2007-09-03 19:02]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;C:\WINDOWS\system32\drivers\hcw88bda.sys [2007-01-23 21:25]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\WINDOWS\system32\drivers\hcw88tse.sys [2007-01-23 21:36]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys [2007-01-23 21:23]
R3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2007-01-23 21:36]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys [2007-01-23 22:36]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;C:\WINDOWS\system32\Drivers\hcw95bda.sys [2007-10-25 09:47]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;C:\WINDOWS\system32\DRIVERS\hcw95rc.sys [2007-10-25 09:52]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
QWAVE REG_MULTI_SZ QWAVE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 17:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-05-16 09:32:49 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 18:38:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2008-05-16 18:46:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 17:46:21
Pre-Run: 212,601,360,384 bytes free
Post-Run: 213,087,207,424 bytes free
229 --- E O F --- 2008-05-16 02:02:19
bamajim
10.4K Posts
0
May 19th, 2008 12:00
Sorry for the delay.
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
C:\WINDOWS\system32\mwinmkdm.exe
C:\WINDOWS\system32\winpfz33.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{967860c8-23ae-bd9a-4820-c4051dda1e57}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{61-11-1D-D0-ZN}"=-
"{3a913fb7-0ba6-6fcb-3d65-6306f2354358}"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
"The world is what you make of it"
audi321
33 Posts
0
May 19th, 2008 15:00
ComboFix 08-05-15.3 - Paul 2008-05-19 17:21:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.516 [GMT 1:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
C:\WINDOWS\system32\mwinmkdm.exe
C:\WINDOWS\system32\winpfz33.sys
.
/wow section - STAGE 41
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll
C:\WINDOWS\system32\mwinmkdm.exe
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-16 18:44 . 2008-05-16 18:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 18:44 . 2008-05-16 18:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 18:36 . 2008-05-16 18:36 43 --a------ C:\Documents and Settings\Paul\chdata.xml
2008-05-15 18:16 . 2008-05-15 18:16 63,916 --a------ C:\WINDOWS\system32\{a36c525a-b6b2-080a-514d-85018463ebe6}.dll-uninst.exe
2008-05-14 11:21 . 2008-05-14 11:21
2008-05-07 16:19 . 2008-05-07 16:19 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-05-06 20:33 . 2008-05-06 20:33
2008-05-06 08:19 . 2008-05-06 08:19 13,942 --a------ C:\WINDOWS\system32\N90-002.ico
2008-05-06 06:34 . 2008-05-06 06:34
2008-05-06 06:34 . 2008-05-06 06:34
2008-05-06 06:19 . 2008-05-06 06:19
2008-05-06 04:06 . 2008-05-06 04:06
2008-05-06 04:06 . 2008-05-06 04:14
2008-05-06 03:42 . 2008-05-06 03:42
2008-05-06 03:41 . 2008-05-06 03:41
2008-05-06 03:40 . 2008-05-06 03:40
2008-05-06 03:38 . 2008-05-06 03:38
2008-05-06 03:28 . 2008-05-06 03:28
2008-05-06 03:28 . 2008-05-06 03:32
2008-05-06 03:28 . 2005-03-29 07:57 2,084,864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll
2008-05-06 03:28 . 2005-05-18 11:52 1,212,416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-05-06 03:28 . 2005-04-15 12:08 880,640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll
2008-05-06 03:28 . 2004-11-04 13:31 835,584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2008-05-06 03:28 . 2005-04-04 17:21 602,112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll
2008-05-06 03:28 . 2005-03-28 15:54 479,232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2008-05-06 03:28 . 2005-03-28 15:54 475,136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
2008-05-06 03:28 . 2005-03-28 15:52 417,792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll
2008-05-06 03:28 . 2005-03-28 15:56 417,792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll
2008-05-06 03:28 . 2006-03-23 12:56 113,486 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-05-06 03:22 . 2008-05-06 03:22
2008-05-06 03:19 . 2008-05-06 03:25
2008-05-06 03:08 . 2008-05-06 03:08
2008-05-06 01:31 . 2008-05-15 18:00
2008-05-06 01:31 . 2008-05-06 01:31
2008-05-06 01:17 . 2008-05-08 20:57
2008-05-06 01:13 . 2008-05-06 01:13
2008-05-05 23:10 . 2008-05-05 23:11
2008-05-05 23:10 . 2008-05-05 23:10
2008-04-25 21:07 . 2008-04-25 21:07 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-04-25 21:07 . 2008-04-25 21:07 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 07:00 --------- d-----w C:\Documents and Settings\Paul\Application Data\AVG7
2008-05-16 17:46 --------- d-----w C:\Program Files\TrojanHunter 4.0
2008-05-05 22:15 --------- d-----w C:\Program Files\QuickTime
2008-04-16 17:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\FinalBurner DATA
2008-04-16 00:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 00:59 --------- d-----w C:\Program Files\Audio CD Copier
2008-04-16 00:21 --------- d-----w C:\Documents and Settings\Paul\Application Data\FinalBurner Audio CD
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 10:17 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"PopUpStopperFreeEdition"="C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-04-29 11:40 524288]
"HitwarePKLite"="C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe" [2004-06-18 13:42 177664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 09:52 68856]
"BeFree4iPhone"="C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe" [2008-04-25 21:12 1265664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05 339968]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-15 18:26 26112]
"THGuard"="C:\Program Files\TrojanHunter 4.0\THGuard.exe" [2004-09-02 14:47 1073664]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-20 22:15 652528]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 17:59 124520]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2006-09-25 16:42 108160]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 09:01 579584]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-22 10:04 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40 18432]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-06-26 18:13:10 299008]
HPAiODevice(hp officejet k series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe [2002-11-20 13:05:22 151552]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
LED Display Driver.lnk - C:\WINDOWS\SDDetect.exe [2005-01-04 22:11:19 20480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{40A611D0-0BB8-2057-0909-05050531002c}"= "C:\Program Files\Common Files\{40A611D0-0BB8-2057-0909-05050531002c}\Update.exe" mc-110-12-0000272
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_Admin.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_host.exe"=
"C:\\Program Files\\Remote Desktop Control\\apc_hostconfig.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\E.W.E.-Software\\Befree4iPhone\\befree4iphone.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;C:\WINDOWS\system32\drivers\hcw88aud.sys [2007-01-23 21:25]
R2 RDC-Host;RDC-Host;C:\Program Files\Remote Desktop Control\apc_host.exe [2007-09-03 19:02]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;C:\WINDOWS\system32\drivers\hcw88bda.sys [2007-01-23 21:25]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\WINDOWS\system32\drivers\hcw88tse.sys [2007-01-23 21:36]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys [2007-01-23 21:23]
R3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2007-01-23 21:36]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys [2007-01-23 22:36]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;C:\WINDOWS\system32\Drivers\hcw95bda.sys [2007-10-25 09:47]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;C:\WINDOWS\system32\DRIVERS\hcw95rc.sys [2007-10-25 09:52]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 20:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
QWAVE REG_MULTI_SZ QWAVE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 17:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-05-19 08:25:31 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 17:25:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-19 17:26:30
ComboFix-quarantined-files.txt 2008-05-19 16:26:25
ComboFix2.txt 2008-05-16 17:46:26
Pre-Run: 212,984,725,504 bytes free
Post-Run: 213,096,927,232 bytes free
191 --- E O F --- 2008-05-16 02:02:19
bamajim
10.4K Posts
0
May 19th, 2008 18:00
Good work.
1. Run an online virus scan called Kaspersky from HERE.
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", make sure the database is set to "extended", and check both scan options. Then click OK.
5. Then click on "My Computer", and the scan will start.
6. When the scan is complete, select "Save error report as".
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan
"The world is what you make of it"
audi321
33 Posts
0
May 20th, 2008 06:00
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0004 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0006/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip ZIP: infected - 14 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\install.exe/data0001/file77 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Paul\My Documents\Downloads\install.exe/data0001 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Paul\My Documents\Downloads\install.exe EmbeddedEXE: infected - 2 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.BHO.go skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip/setup.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.go skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.BHO.go skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.BHO.go skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.go skipped
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip ZIP: infected - 5 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\sdsetup.exe/file090 Infected: not-a-virus:Monitor.Win32.KeyLogger.dq skipped
C:\Documents and Settings\Paul\My Documents\Downloads\sdsetup.exe Inno: infected - 1 skipped
C:\Documents and Settings\Paul\My Documents\My Music\iphone ringtone maker.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\Paul\My Documents\My Music\iphone ringtone maker.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0004 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0006/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip/setup.exe Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip ZIP: infected - 14 skipped
C:\Documents and Settings\Paul\ntuser.dat Object is locked skipped
C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\Remote Desktop Control\apc_host.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gzmrotate.dll.vir Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mwinmkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP815\A0074164.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP815\A0074173.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP817\A0074190.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP817\A0074197.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP818\A0074206.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP820\A0074216.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP820\A0074227.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP820\A0074230.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP820\A0074253.dll Object is locked skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP824\A0074339.dll Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP824\A0074363.dll Infected: not-a-virus:AdWare.Win32.Agent.clk skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP826\A0074409.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP826\A0074411.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP828\A0074509.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{012DF123-A588-4295-8C10-651CFFCE4564}\RP828\change.log Object is locked skipped
C:\VundoFix Backups\xraibgj.dll.bad Infected: Trojan.Win32.Obfuscated.ev skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E53AFEB3-CB39-4898-8A98-F7B5D471C827}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{03CF3B14-FFFD-4D5A-A31E-E956B3A015C5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7a8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
audi321
33 Posts
0
May 20th, 2008 06:00
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 8:00:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 786342
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics:
Total number of scanned objects: 80118
Number of viruses found: 18
Number of infected objects: 63
Number of suspicious objects: 0
Duration of the scan process: 01:17:51
Infected Object Name / Virus Name / Last Action
C:\!KillBox\gifamcg.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_15073280_4248 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_5701632_4801 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1084625360_86114304_4249 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{50238F4F-CC03-4C8B-AF75-91C51CFED8CF}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{50613A00-0782-46E6-B068-88EE7593A5A3}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{AEBFB2A3-C41D-434D-BB61-1A8B0A5546E1}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\01AC84FE-3175-4544-B72E-FD7620\5F5069F8-3452-47AD-AF7C-942BBD Infected: not-a-virus:AdWare.Win32.MediaTickets.n skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\51137278-4F7F-4C14-905E-E64A6B\285FD5C1-983E-4A54-86B2-41FA0B Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5FA9AE38-41E0-45B5-A504-F7D70D\DBCF1F2A-66EE-42D4-BE4B-71DB6C/data0002 Infected: Trojan-Downloader.MSIL.Agent.c skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5FA9AE38-41E0-45B5-A504-F7D70D\DBCF1F2A-66EE-42D4-BE4B-71DB6C NSIS: infected - 1 skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\8A5B67BB-FF64-4BF6-BD57-43FC24\29DE9792-108B-4DF3-8D9A-150901 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\444E6724-3521-4869-8315-909B0B Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\9D652315-268A-45A6-B054-C7E7AE Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9D491C5B-628D-4E02-8A3B-430653\C0F1AFB8-2FFA-43B1-B821-6D84F5 Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DFB361.tmp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DFB36C.tmp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DFE960.tmp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Paul\My Documents\Downloads\gazetteer.zip/setup.exe/data0003/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
bamajim
10.4K Posts
0
May 20th, 2008 11:00
Just a few things to clean up.
1. Using Windows Explorer
Locate and Delete the following files
C:\Documents and Settings\Paul\My Documents\Downloads\pass your bike test theory hentai anime.zip
C:\Documents and Settings\Paul\My Documents\Downloads\sdsetup.exe
C:\Documents and Settings\Paul\My Documents\My Music\iphone ringtone maker.zip
C:\Documents and Settings\Paul\My Documents\My Music\[Full] iphone ringtone maker with Bonus.zip
C:\Program Files\Morpheus\morpheustoolbar.exe
Close Windows Explorer ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log
And in your reply give me an update on how your PC is running now.
"The world is what you make of it"
audi321
33 Posts
0
May 20th, 2008 15:00
Hi Bamajim, pc running a lot better now!
Thanks for all your help again!!!
Paul
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:50, on 20/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\SDDetect.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Remote Desktop Control\apc_host.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Paul\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr710_en_US.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig710\ENU\setup.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?mcState=initialized&seamless=novl&sitedomain=sns.webmail.aol.com&lang=en&locale=gb&authLev=2&siteState=ver%3a1%252c0%26ld%3aemail.aol.co.uk%26pv%3aAOL%26lc%3aen-gb%26ud%3aaol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?mcstate=initialized&seamless=novl&sitedomain=sns.webmail.aol.com&lang=en&locale=gb&authlev=2&sitestate=ver%3a1%252c0%26ld%3aemail.aol.co.uk%26pv%3aaol%26lc%3aen-gb%26ud%3aaol.com
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Documents and Settings\Paul\My Documents\Downloads\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BeFree4iPhone] "C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe" /min
O4 - HKCU\..\Policies\Explorer\Run: [{40A611D0-0BB8-2057-0909-05050531002c}] "C:\Program Files\Common Files\{40A611D0-0BB8-2057-0909-05050531002c}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: LED Display Driver.lnk = C:\WINDOWS\SDDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.3/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160508098234
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RDC-Host - AQUATRA, Inc. - C:\Program Files\Remote Desktop Control\apc_host.exe
--
End of file - 12233 bytes
bamajim
10.4K Posts
0
May 20th, 2008 18:00
I'm glad to hear it and you are most welcome.
Almost there.
Your log does show you are running 2 Antivirus programs: Avast! and AVG.
Running 2 Antivirus programs is never a good idea.
Since they both do the same job, running 2 can cause conflicts, system slowdowns, and may even allow some malware to slip by.
I recommend that you uninstall one of them through Add or Remove Programs.
Once done, reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log
And in your reply, tell me which one you decided to keep
"The world is what you make of it"
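One way to make the check bamajim did by eye (two resident antivirus products showing up in the same log) mechanical, as an added example that is neither bamajim's nor the HijackThis project's code: a small Python script that parses the O4 (autostart) and O23 (service) entries of a HijackThis-style log, attributes each entry to an antivirus product using a fingerprint table, and flags a log in which more than one engine is present. The fingerprint substrings are my own assumption (HijackThis itself does not classify entries), and the embedded log lines are constructed, modelled on entries quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on the O4 and O23
# entries posted in this thread (not a real log from the machine above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section tag such as O4 or O23, a dash,
# then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")

# Assumed fingerprint table (my own, not anything HijackThis reports): any of
# these lower-case substrings in an entry body attributes it to that product.
AV_FINGERPRINTS = {
    "avast!": ("avast", "alwil", "ashserv", "ashdisp", "aswupdsv"),
    "AVG": ("avg7", "avgfre", "grisoft", "avgamsvr", "avgcc"),
}


def parse_entries(log_text):
    """Yield (section, body) for each 'Oxx - ...' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_av_products(log_text, sections=("O4", "O23")):
    """Map each recognised AV product to the autostart/service entries naming it."""
    hits = defaultdict(list)
    for section, body in parse_entries(log_text):
        if section not in sections:
            continue
        lowered = body.lower()
        for product, needles in AV_FINGERPRINTS.items():
            if any(n in lowered for n in needles):
                hits[product].append(f"{section} - {body}")
    return dict(hits)


def multiple_engines(log_text):
    """True when more than one resident antivirus product appears in the log."""
    return len(find_av_products(log_text)) > 1


if __name__ == "__main__":
    found = find_av_products(SAMPLE_LOG)
    for product, entries in found.items():
        print(f"{product}: {len(entries)} entries")
        for e in entries:
            print("   ", e)
    if multiple_engines(SAMPLE_LOG):
        print("More than one resident AV engine found; keep one, uninstall the rest.")
```

Only O4 and O23 entries are considered, because a product that merely left a BHO or context-menu entry behind is not a resident engine; the same parser can be pointed at other sections (O2 toolbars, O16 download controls) by changing the `sections` argument.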