View Full Version : Massive spyware infection.. pls help
Mythos
30 Jul 2007, 6:57pm
Hi,
I was surfing the internet last night when I was suddenly hit with a massive amount of spyware. I ran the recommended Adaware, Spybot Search & Destroy, SuperAntispyware, as well as my own (paid) Spyware Detector. These got rid of a large amount of malware (over 250), but quite a few still linger, according to PandaActiveScan and Kaspersky. Spybot Search & Destroy also reported that some could not be removed. Now, my computer is slow, and I'm getting pop-ups occasionally. The desktop icons also appear different, i.e. looks as if they are all highlighted. Below are the logs from HijackThis, PandaActiveScan, and Kaspersky scan. I deeply appreciate any help. Thanks in advance! -Computer_Illiterate_Guy
Logfile of HijackThis v1.99.1
Scan saved at 1:49:12 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nujtutsn.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\cuoaxrds.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Julian Chan\Cookies\julian chan@ad.yieldmanager[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Julian Chan\Cookies\julian chan@enhance[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Julian Chan\Cookies\julian chan@findwhat[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Julian Chan\Cookies\julian chan@goclick[2].txt
Virus:Generic Trojan Disinfected C:\Documents and Settings\LocalService\Local Settings\Temp\~tmp143
Virus:Generic Trojan Disinfected C:\Documents and Settings\NetworkService\Local Settings\Temp\~tmp143
Adware:Adware/WebSearch Not disinfected C:\Temp\bY001.exe[kmhp83122.exe]
Adware:Adware/WebSearch Not disinfected C:\Temp\bY001.exe[kmhp83122.exe][TTC.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Temp\bY001.exe[rs25.exe]
Virus:Generic Trojan Disinfected C:\WINDOWS\b104.exe
Adware:Adware/DeluxeComunications Not disinfected C:\WINDOWS\b136.exe
Adware:Adware/Popper Not disinfected C:\WINDOWS\cqrwczx.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\blktilae.exe
Virus:Generic Malware Disinfected C:\WINDOWS\system32\drivers\core.sys
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\kfnvs.dll
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 30, 2007 1:45:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/07/2007
Kaspersky Anti-Virus database records: 369716
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 71466
Number of viruses found: 30
Number of infected objects: 61 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:02:15
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Julian Chan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Julian Chan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\History\History.IE5\MSHist012007073020070731\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DF1B60.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DFD09D.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Julian Chan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0040584.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042587.exe Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042588.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042589.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042593.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042594.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042594.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042599.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042600.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042601.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042602.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042605.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042629.exe Infected: Trojan-Downloader.Win32.Agent.byh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042655.exe Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042663.sys Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042664.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042665.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042671.exe Infected: Packed.Win32.Tibs.ay skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042672.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042673.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042695.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042696.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042698.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042700.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042703.exe Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042704.exe Infected: Packed.Win32.Tibs.ay skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042707.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042710.exe Infected: Trojan-Downloader.Win32.Agent.byh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042711.exe Infected: Email-Worm.Win32.Zhelatin.gd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042713.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042721.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042722.sys Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042723.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042726.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042727.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042758.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042758.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042758.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042758.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042759.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\change.log Object is locked skipped
C:\Temp\bY001.exe/data0002/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\Temp\bY001.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\Temp\bY001.exe/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Temp\bY001.exe/data0007 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Temp\bY001.exe/data0008 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Temp\bY001.exe NSIS: infected - 5 skipped
C:\WINDOWS\b136.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\WINDOWS\b136.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b136.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b136.exe NSIS: infected - 3 skipped
C:\WINDOWS\cqrwczx.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\smsys.dat Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0A3E7113-05E4-47F4-A8C6-1B35AB1987F2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cuoaxrds.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\WINDOWS\system32\dllcache\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\drivers\symavc32.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system32\drivers\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\G3\wr725.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\svchost.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.gp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_100.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_f0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Do not do anything with it yet :D
Then
Open Notepad and copy and paste quote boxes text:
File::
C:\WINDOWS\system32\nujtutsn.dll
C:\WINDOWS\system32\cuoaxrds.dll
Save to nameCFScript
Then drag and drop CFScript to ComboFix.exe As shows below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Reboot your comp and send contens off combofix.txt file to responce.
Send a fresh hijackthis log too :D
Mythos
30 Jul 2007, 9:32pm
Hi,
The Combofix contents are below, as well as a fresh HijackThis log.
Thanks.
P.S. hmm, desktop icons still look a little different...
ComboFix 07-07-30.2 - "Julian Chan" 2007-07-30 16:18:56.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents
* Created a new restore point
Rootkit driver lzx32 is present. ... attempting disinfection
lzx32 ...... driver unloaded successfully.
Rootkit driver pe386 is still present. A rootkit scan is required
Rootkit driver lzx32 is still present. A rootkit scan is required
ADS removed - svchost.exe: deleted 58880 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\nujtutsn.dll
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mlnmp.tmp
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\JULIAN~1\APPLIC~1.\.rdr.ini
C:\DOCUME~1\JULIAN~1\APPLIC~1\Microsoft\20509.dat
C:\Program Files\Common Files\racle~1
C:\temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\cqrwczx.exe
C:\WINDOWS\smante~1
C:\WINDOWS\smsys.dat
C:\WINDOWS\system32\650441541.dll
C:\WINDOWS\system32\7225964041.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr725.exe
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_CRT66
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_NTMLSVC
-------\core
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))
2007-07-30 16:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 11:18 8,576 --a------ C:\WINDOWS\system32\drivers\umgxwcdgvpci.sys
2007-07-30 11:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-30 09:41 3,072 --a------ C:\DOCUME~1\JULIAN~1\open.exe
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\Crt66.sys
2007-07-30 00:56 126,016 --a------ C:\WINDOWS\system32\cuoaxrds.dll
2007-07-30 00:28 0 --a------ C:\WINDOWS\Gwang.exe
2007-07-30 00:10 400,997 --a------ C:\Temp\bY001.exe
2007-07-29 23:59 <DIR> d-------- C:\Temp\brr
2007-07-29 23:59 <DIR> d-------- C:\Temp\0c2
2007-07-29 23:59 <DIR> d-------- C:\Temp
2007-07-19 21:44 <DIR> d-------- C:\Program Files\CT-Art 3.0
2007-07-11 16:08 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-07-11 16:07 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-07-11 16:07 123 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-07-11 16:07 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-07-11 14:19 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-07-11 14:18 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-07-11 14:18 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-07-11 14:18 1,044,480 --a------ C:\WINDOWS\system32\VchReg.dll
2007-07-11 14:18 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-09 04:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-09 03:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 02:41 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-08 04:07 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\WinRAR
2007-07-06 15:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe
2007-06-25 09:54 53,248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-22 16:51 62,016 --a------ C:\WINDOWS\system32\GlyphInfo.bin
2007-06-22 16:51 6,144 --a------ C:\WINDOWS\system32\AWDCXC32.DLL
2007-06-22 16:51 26,624 --a------ C:\WINDOWS\system32\AWRESX32.DLL
2007-06-22 16:51 24,576 --a------ C:\WINDOWS\system32\AWCODC32.DLL
2007-06-22 16:51 198,724 --a------ C:\WINDOWS\system32\FontInfo.bin
2007-06-22 16:51 11,776 --a------ C:\WINDOWS\system32\AWDENC32.DLL
2007-06-22 16:51 10,240 --a------ C:\WINDOWS\system32\AWVIEW32.DLL
2007-06-22 16:41 <DIR> d-------- C:\WINDOWS\system32\psconv
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{F9DB055D-890A-408E-890F-53B5FA4DD230}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{AA8EBE88-FD5D-4821-B4BC-48467CDC4518}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{564FF64C-E32E-4C24-BD49-7C587F53E99E}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{0CD3E1F3-6027-498A-8A79-081748DB82BE}.exe
2007-06-05 11:59 <DIR> d-------- C:\DOCUME~1\JULIAN~1\Contacts
2007-06-05 11:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-30 11:42 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-30 09:35 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-30 02:50 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-30 00:49 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-30 00:06 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\ChessBase
2007-07-27 18:51 --------- d-------- C:\Program Files\ICQ
2007-07-20 13:59 --------- d-------- C:\Program Files\America Online 9.0
2007-07-14 20:05 --------- d-------- C:\Program Files\mIRC
2007-06-23 15:43 --------- d-------- C:\Program Files\PDF-Convert
2007-06-22 17:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-22 16:41 --------- d-------- C:\Program Files\psconvert
2007-06-08 12:42 --------- d-------- C:\Program Files\ChessBase
2007-06-05 11:59 --------- d-------- C:\Program Files\MSN Messenger
2007-05-30 17:05 --------- d-------- C:\Program Files\SecureCRT
2007-05-30 17:05 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\VanDyke
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-08-06 21:27 221832 --a------ C:\Program Files\022_16A.JPG
2006-08-06 21:27 207754 --a------ C:\Program Files\024_14A.JPG
2006-08-06 21:27 181159 --a------ C:\Program Files\021_17A.JPG
2006-08-06 21:26 246024 --a------ C:\Program Files\016_22A.JPG
2006-08-06 21:26 174923 --a------ C:\Program Files\012_26A.JPG
2005-08-24 13:50 457 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 11:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 01:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 14:58]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 09:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 14:27]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-15 14:44]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-27 10:45]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-27 10:45]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [2007-07-27 17:42]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [2007-07-27 17:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-01 23:03:03]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-09 14:26:54]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-09 14:09:42]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 20:23:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\ljjkigh.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hmdWCiSg"= {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll [2006-07-30 02:50 14848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
Contents of the 'Scheduled Tasks' folder
2007-07-27 22:30:03 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JMWCHAN-Julian Chan).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 16:24:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-30 16:27:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 16:27
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 4:29:59 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Do not do anything with it yet :D
Then
Open Notepad and copy and paste quote boxes text:
Save to nameCFScript
Then drag and drop CFScript to ComboFix.exe As shows below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Reboot your comp and send contens off combofix.txt file to responce.
Send a fresh hijackthis log too :D
Hi
Please download RustBFix by ejvindh Those alternative links and save it to desktop:
rustbfix.exe (http://www.uploads.ejvindh.net/rustbfix.exe)
rustbfix.exe (http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe)
Run rustbfix.exe. If there is Rustock infection, then tool aks to boot comp. It takes a while so be patient :D
Probably you have to boot another time .
Tool will produce those two files:
(%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Copy and paste those in your next reply with HijackThis log.
Mythos
30 Jul 2007, 10:15pm
Actually, i remember my Spyware Detector had previously tried to block a Rustock rootkit, but I'm not sure if it was successful. Anyway, here are the two logfiles, as well as the latest hijackthis log:
************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Mon 07/30/2007 17:03:26.56
******************* Pre-run Status of system *******************
Rootkit driver xpdx is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
No streams found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************************* End of Logfile ********************************
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qqdixoyk
*******************
Script file located at: \??\C:\WINDOWS\system32\eloskxrx.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key \Registry\Machine\System\CurrentControlSet\Services\xpdx not found!
Unload of driver xpdx failed!
Could not process line:
xpdx
Status: 0xc0000034
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
Logfile of HijackThis v1.99.1
Scan saved at 5:08:55 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi
Please download RustBFix by ejvindh Those alternative links and save it to desktop:
rustbfix.exe (http://www.uploads.ejvindh.net/rustbfix.exe)
rustbfix.exe (http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe)
Run rustbfix.exe. If there is Rustock infection, then tool aks to boot comp. It takes a while so be patient :D
Probably you have to boot another time .
Tool will produce those two files:
(%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Copy and paste those in your next reply with HijackThis log.
Nuppi
30 Jul 2007, 10:29pm
Hi,
There was marks off rootkit rustock and i think its there still :(
Please downloadGMER (http://www.gmer.net/gmer.zip) and save it to desktop
Unzip it to desktop and doubleclick GMER.exe
Click rootkit- sheet and click scan.
Please don't check "Show All" when scanning is prceed
When its ready , Click Copy.
And paste here ( Its good to save it to your comp ).
Mythos
30 Jul 2007, 11:06pm
Ok, here is the text. I have also included a new hijackthis log, just in case it's useful.
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-30 18:04:13
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.13 ----
? ysdbwubq.sys The system cannot find the file specified.
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AA65B4EA] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [F7E68840] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [F7E68840] SynTP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA65B4EA] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA65B4EA] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA65B4EA] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [AA65729C] MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [804F33F8] ntkrnlpa.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [804F33F8] ntkrnlpa.exe
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A9270C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A926D7C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A926960A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A9269AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A9274958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A9277821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A928038A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A927FD49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A9279BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A927A331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A92884F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A9270B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A926C948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A927646B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A928779D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A9286C4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A926D2FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A92871DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A92821F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA3C6701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA3C6701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA3C6701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA3C6701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA3C6701] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AA3C689D] tfsnifs.sys
---- Files - GMER 1.0.13 ----
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042813.exe:exe.exe
---- EOF - GMER 1.0.13 ----
Hi,
There was marks off rootkit rustock and i think its there still :(
Please downloadGMER (http://www.gmer.net/gmer.zip) and save it to desktop
Unzip it to desktop and doubleclick GMER.exe
Click rootkit- sheet and click scan.
Please don't check "Show All" when scanning is prceed
When its ready , Click Copy.
And paste here ( Its good to save it to your comp ).
Logfile of HijackThis v1.99.1
Scan saved at 6:05:23 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi,
Please run combofix and send its raport :D
Mythos
31 Jul 2007, 9:34pm
Here's the ComboFix log:
ComboFix 07-07-30.2 - "Julian Chan" 2007-07-31 16:26:49.2 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
Rootkit driver pe386 is still present. A rootkit scan is required
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))
2007-07-30 21:34 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-30 17:03 <DIR> d-------- C:\Rustbfix
2007-07-30 16:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 11:18 8,576 --a------ C:\WINDOWS\system32\drivers\umgxwcdgvpci.sys
2007-07-30 11:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-30 09:41 3,072 --a------ C:\DOCUME~1\JULIAN~1\open.exe
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\Crt66.sys
2007-07-30 00:56 126,016 --a------ C:\WINDOWS\system32\cuoaxrds.dll
2007-07-30 00:28 0 --a------ C:\WINDOWS\Gwang.exe
2007-07-30 00:10 400,997 --a------ C:\Temp\bY001.exe
2007-07-29 23:59 <DIR> d-------- C:\Temp\brr
2007-07-29 23:59 <DIR> d-------- C:\Temp\0c2
2007-07-29 23:59 <DIR> d-------- C:\Temp
2007-07-19 21:44 <DIR> d-------- C:\Program Files\CT-Art 3.0
2007-07-11 16:08 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-07-11 16:07 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-07-11 16:07 123 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-07-11 16:07 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-07-11 14:19 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-07-11 14:18 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-07-11 14:18 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-07-11 14:18 1,044,480 --a------ C:\WINDOWS\system32\VchReg.dll
2007-07-11 14:18 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-09 04:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-09 03:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 02:41 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-08 04:07 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\WinRAR
2007-07-06 15:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe
2007-06-25 09:54 53,248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-22 16:51 62,016 --a------ C:\WINDOWS\system32\GlyphInfo.bin
2007-06-22 16:51 6,144 --a------ C:\WINDOWS\system32\AWDCXC32.DLL
2007-06-22 16:51 26,624 --a------ C:\WINDOWS\system32\AWRESX32.DLL
2007-06-22 16:51 24,576 --a------ C:\WINDOWS\system32\AWCODC32.DLL
2007-06-22 16:51 198,724 --a------ C:\WINDOWS\system32\FontInfo.bin
2007-06-22 16:51 11,776 --a------ C:\WINDOWS\system32\AWDENC32.DLL
2007-06-22 16:51 10,240 --a------ C:\WINDOWS\system32\AWVIEW32.DLL
2007-06-22 16:41 <DIR> d-------- C:\WINDOWS\system32\psconv
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{F9DB055D-890A-408E-890F-53B5FA4DD230}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{AA8EBE88-FD5D-4821-B4BC-48467CDC4518}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{564FF64C-E32E-4C24-BD49-7C587F53E99E}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{0CD3E1F3-6027-498A-8A79-081748DB82BE}.exe
2007-06-05 11:59 <DIR> d-------- C:\DOCUME~1\JULIAN~1\Contacts
2007-06-05 11:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-31 02:27 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\ChessBase
2007-07-30 11:42 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-30 09:35 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-30 02:50 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-30 00:49 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-27 18:51 --------- d-------- C:\Program Files\ICQ
2007-07-20 13:59 --------- d-------- C:\Program Files\America Online 9.0
2007-07-14 20:05 --------- d-------- C:\Program Files\mIRC
2007-06-23 15:43 --------- d-------- C:\Program Files\PDF-Convert
2007-06-22 17:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-22 16:41 --------- d-------- C:\Program Files\psconvert
2007-06-08 12:42 --------- d-------- C:\Program Files\ChessBase
2007-06-05 11:59 --------- d-------- C:\Program Files\MSN Messenger
2007-05-30 17:05 --------- d-------- C:\Program Files\SecureCRT
2007-05-30 17:05 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\VanDyke
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-08-06 21:27 221832 --a------ C:\Program Files\022_16A.JPG
2006-08-06 21:27 207754 --a------ C:\Program Files\024_14A.JPG
2006-08-06 21:27 181159 --a------ C:\Program Files\021_17A.JPG
2006-08-06 21:26 246024 --a------ C:\Program Files\016_22A.JPG
2006-08-06 21:26 174923 --a------ C:\Program Files\012_26A.JPG
2005-08-24 13:50 457 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 11:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 01:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 14:58]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 09:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 14:27]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-15 14:44]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-27 10:45]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-27 10:45]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [2007-07-27 17:42]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [2007-07-27 17:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-01 23:03:03]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-09 14:26:54]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-09 14:09:42]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 20:23:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hmdWCiSg"= {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
Contents of the 'Scheduled Tasks' folder
2007-07-27 22:30:03 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JMWCHAN-Julian Chan).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 16:31:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-31 16:34:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 16:33
C:\ComboFix2.txt ... 2007-07-30 16:27
--- E O F ---
Mythos
1 Aug 2007, 12:48am
Not sure if it makes any difference, but I ran ComboFix again, this time with all realtime monitoring/protection programs disabled. The log:
ComboFix 07-07-30.2 - "Julian Chan" 2007-07-31 19:42:34.3 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))
2007-07-30 21:34 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-30 17:03 <DIR> d-------- C:\Rustbfix
2007-07-30 16:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 11:18 8,576 --a------ C:\WINDOWS\system32\drivers\umgxwcdgvpci.sys
2007-07-30 11:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-30 09:41 3,072 --a------ C:\DOCUME~1\JULIAN~1\open.exe
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2007-07-30 02:51 168,960 --a------ C:\WINDOWS\system32\drivers\Crt66.sys
2007-07-30 00:56 126,016 --a------ C:\WINDOWS\system32\cuoaxrds.dll
2007-07-30 00:28 0 --a------ C:\WINDOWS\Gwang.exe
2007-07-30 00:10 400,997 --a------ C:\Temp\bY001.exe
2007-07-29 23:59 <DIR> d-------- C:\Temp\brr
2007-07-29 23:59 <DIR> d-------- C:\Temp\0c2
2007-07-29 23:59 <DIR> d-------- C:\Temp
2007-07-19 21:44 <DIR> d-------- C:\Program Files\CT-Art 3.0
2007-07-11 16:08 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-07-11 16:07 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-07-11 16:07 123 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-07-11 16:07 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-07-11 14:19 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-07-11 14:18 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-07-11 14:18 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-07-11 14:18 1,044,480 --a------ C:\WINDOWS\system32\VchReg.dll
2007-07-11 14:18 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-09 04:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-09 03:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 02:41 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-08 04:07 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\WinRAR
2007-07-06 15:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe
2007-06-25 09:54 53,248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-22 16:51 62,016 --a------ C:\WINDOWS\system32\GlyphInfo.bin
2007-06-22 16:51 6,144 --a------ C:\WINDOWS\system32\AWDCXC32.DLL
2007-06-22 16:51 26,624 --a------ C:\WINDOWS\system32\AWRESX32.DLL
2007-06-22 16:51 24,576 --a------ C:\WINDOWS\system32\AWCODC32.DLL
2007-06-22 16:51 198,724 --a------ C:\WINDOWS\system32\FontInfo.bin
2007-06-22 16:51 11,776 --a------ C:\WINDOWS\system32\AWDENC32.DLL
2007-06-22 16:51 10,240 --a------ C:\WINDOWS\system32\AWVIEW32.DLL
2007-06-22 16:41 <DIR> d-------- C:\WINDOWS\system32\psconv
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{F9DB055D-890A-408E-890F-53B5FA4DD230}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{AA8EBE88-FD5D-4821-B4BC-48467CDC4518}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{564FF64C-E32E-4C24-BD49-7C587F53E99E}.exe
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{0CD3E1F3-6027-498A-8A79-081748DB82BE}.exe
2007-06-05 11:59 <DIR> d-------- C:\DOCUME~1\JULIAN~1\Contacts
2007-06-05 11:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-31 19:27 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\ChessBase
2007-07-30 11:42 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-30 09:35 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-30 02:50 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-30 00:49 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-27 18:51 --------- d-------- C:\Program Files\ICQ
2007-07-20 13:59 --------- d-------- C:\Program Files\America Online 9.0
2007-07-14 20:05 --------- d-------- C:\Program Files\mIRC
2007-06-23 15:43 --------- d-------- C:\Program Files\PDF-Convert
2007-06-22 17:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-22 16:41 --------- d-------- C:\Program Files\psconvert
2007-06-08 12:42 --------- d-------- C:\Program Files\ChessBase
2007-06-05 11:59 --------- d-------- C:\Program Files\MSN Messenger
2007-05-30 17:05 --------- d-------- C:\Program Files\SecureCRT
2007-05-30 17:05 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\VanDyke
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-08-06 21:27 221832 --a------ C:\Program Files\022_16A.JPG
2006-08-06 21:27 207754 --a------ C:\Program Files\024_14A.JPG
2006-08-06 21:27 181159 --a------ C:\Program Files\021_17A.JPG
2006-08-06 21:26 246024 --a------ C:\Program Files\016_22A.JPG
2006-08-06 21:26 174923 --a------ C:\Program Files\012_26A.JPG
2005-08-24 13:50 457 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 11:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 01:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 14:58]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 09:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 14:27]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-15 14:44]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-27 10:45]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-27 10:45]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [2007-07-27 17:42]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [2007-07-27 17:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-01 23:03:03]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-09 14:26:54]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-09 14:09:42]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 20:23:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hmdWCiSg"= {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
Contents of the 'Scheduled Tasks' folder
2007-07-27 22:30:03 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JMWCHAN-Julian Chan).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 19:45:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-31 19:46:26
C:\ComboFix-quarantined-files.txt ... 2007-07-31 19:45
C:\ComboFix2.txt ... 2007-07-31 16:34
C:\ComboFix3.txt ... 2007-07-30 16:27
--- E O F ---
Hi,
There will be in somewhere file : ysdbwubq.sys
You have to put hidden files to visible, instructions (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Try to find it, probaply it is
C:\WINDOWS\system32\drivers\ OR
C:\WINDOWS\system32\ OR
C:\WINDOWS\system\ OR
C:\WINDOWS\
Please download registry search tool (http://www.billsway.com/vbspage/)
Open it and make a search "ysdbwubq.sys" file
Then :
Then
Open Notepad and copy and paste quote boxes text:
File::
C:\WINDOWS\system32\drivers\umgxwcdgvpci.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Crt66.sys
C:\WINDOWS\system32\cuoaxrds.dll
C:\WINDOWS\Gwang.exe
C:\Temp\bY001.exe
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\system32\drivers\ysdbwubq.sys
C:\WINDOWS\system32\ysdbwubq.sys
C:\WINDOWS\system\ysdbwubq.sys
C:\WINDOWS\ysdbwubq.sys
Folder::
C:\Temp\brr
C:\Temp\0c2
Save to nameCFScript
Then drag and drop CFScript to ComboFix.exe As shows below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Reboot your comp
Please do an online scan With Kaspersky (http://www.kaspersky.com/virusscanner) Again
Please send contens off combofix.txt and kaspeskys log
Send a fresh hijackthis log too :D
I made the hidden files visible and followed the instructions. Could not find the ysdbwubq.sys anywhere. I went ahead with the ComboFix and Kaspersky anyway. Here are the logs (as well as a fresh hijackthis log):
ComboFix 07-07-30.2 - "Julian Chan" 2007-08-01 20:04:51.4 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Julian Chan\Desktop\CFScript.txt
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Temp\0c2
C:\Temp\0c2\tmpFF.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\Temp\bY001.exe
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\Gwang.exe
C:\WINDOWS\system32\cuoaxrds.dll
C:\WINDOWS\system32\drivers\Crt66.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\umgxwcdgvpci.sys
((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))
2007-07-30 21:34 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-30 17:03 <DIR> d-------- C:\Rustbfix
2007-07-30 16:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 11:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-30 09:41 3,072 --a------ C:\DOCUME~1\JULIAN~1\open.exe
2007-07-29 23:59 <DIR> d-------- C:\Temp
2007-07-19 21:44 <DIR> d-------- C:\Program Files\CT-Art 3.0
2007-07-11 16:08 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-07-11 16:07 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-07-11 16:07 123 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-07-11 16:07 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-07-11 14:19 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-07-11 14:18 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-07-11 14:18 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-07-11 14:18 1,044,480 --a------ C:\WINDOWS\system32\VchReg.dll
2007-07-11 14:18 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-09 04:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-09 03:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 02:41 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-08 04:07 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\WinRAR
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-01 11:19 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\ChessBase
2007-07-30 11:42 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-30 09:35 375168 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-30 02:50 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-30 00:49 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-27 18:51 --------- d-------- C:\Program Files\ICQ
2007-07-20 13:59 --------- d-------- C:\Program Files\America Online 9.0
2007-07-14 20:05 --------- d-------- C:\Program Files\mIRC
2007-06-25 09:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-23 15:43 --------- d-------- C:\Program Files\PDF-Convert
2007-06-22 17:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-22 16:51 62016 --a------ C:\WINDOWS\system32\GlyphInfo.bin
2007-06-22 16:51 198724 --a------ C:\WINDOWS\system32\FontInfo.bin
2007-06-22 16:41 --------- d-------- C:\Program Files\psconvert
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{F9DB055D-890A-408E-890F-53B5FA4DD230}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{AA8EBE88-FD5D-4821-B4BC-48467CDC4518}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{564FF64C-E32E-4C24-BD49-7C587F53E99E}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{0CD3E1F3-6027-498A-8A79-081748DB82BE}.exe
2007-06-08 12:42 --------- d-------- C:\Program Files\ChessBase
2007-06-05 11:59 --------- d-------- C:\Program Files\MSN Messenger
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-08-06 21:27 221832 --a------ C:\Program Files\022_16A.JPG
2006-08-06 21:27 207754 --a------ C:\Program Files\024_14A.JPG
2006-08-06 21:27 181159 --a------ C:\Program Files\021_17A.JPG
2006-08-06 21:26 246024 --a------ C:\Program Files\016_22A.JPG
2006-08-06 21:26 174923 --a------ C:\Program Files\012_26A.JPG
2005-08-24 13:50 457 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 11:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 01:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 14:58]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 09:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 14:27]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-15 14:44]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-27 10:45]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-27 10:45]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [2007-07-27 17:42]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [2007-07-27 17:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-01 23:03:03]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-09 14:26:54]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-09 14:09:42]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 20:23:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hmdWCiSg"= {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
Contents of the 'Scheduled Tasks' folder
2007-07-27 22:30:03 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JMWCHAN-Julian Chan).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 20:08:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-01 20:08:59
C:\ComboFix-quarantined-files.txt ... 2007-08-01 20:08
C:\ComboFix2.txt ... 2007-07-31 19:46
C:\ComboFix3.txt ... 2007-07-31 16:34
--- E O F ---
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 01, 2007 9:47:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/08/2007
Kaspersky Anti-Virus database records: 370666
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 70813
Number of viruses found: 20
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 01:07:21
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Julian Chan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Julian Chan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\History\History.IE5\MSHist012007080120070802\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DF228A.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DF2297.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DFE797.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temp\~DFF285.tmp Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Julian Chan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Julian Chan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000007.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0002/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0007 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0008 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir NSIS: infected - 5 skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\cqrwczx.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\WINDOWS\smsys.dat.vir Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\b02FdUe\b02FdUe1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\b06FdUe\b06FdUe1083.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cuoaxrds.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Crt66.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\symavc32.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\G3\wr725.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nujtutsn.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042605.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042606.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lc skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP529\A0042607.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042655.exe Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042664.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042665.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042671.exe Infected: Packed.Win32.Tibs.ay skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042673.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042696.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042698.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042700.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042703.exe Infected: Trojan-Proxy.Win32.Xorpix.be skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042704.exe Infected: Packed.Win32.Tibs.ay skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042707.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042721.exe Infected: Trojan-Downloader.Win32.Tibs.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP530\A0042759.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042813.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.gp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042822.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042822.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042822.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042822.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042825.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042826.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042827.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042828.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP531\A0042833.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0043513.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0043514.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0043515.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\drivers\tcpip.sys Infected: Trojan.Win32.Patched.ad skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_648.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 8:19:52 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi, now its better, and we clean rests now :D
Please remove all old java versions via add remove application
Please download newest version here. (http://www.java.com/en/download/index.jsp)
Install it
Lets clean the system restore
Put system restore off: Instructions (http://www.pchell.com/virus/systemrestore.shtml)
Please do not boot yet.
Please rescan by hijackthis and check:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Then
Open Notepad and copy and paste quote boxes text:
File::
C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys
Folder::
C:\QooBox\Quarantine
Save to nameCFScript
Then drag and drop CFScript to ComboFix.exe As shows below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Reboot your comp and tell is problem away :D
Hi, I've done all that. ComboFix and Hijackthis logs are below. Does everything look OK now?
ComboFix 07-07-30.2 - "Julian Chan" 2007-08-02 3:50:07.5 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Julian Chan\Desktop\CFScript.txt
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\QooBox\Quarantine
C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys
((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))
2007-08-01 20:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-30 21:34 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-30 17:03 <DIR> d-------- C:\Rustbfix
2007-07-30 16:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 11:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-30 09:41 3,072 --a------ C:\DOCUME~1\JULIAN~1\open.exe
2007-07-29 23:59 <DIR> d-------- C:\Temp
2007-07-19 21:44 <DIR> d-------- C:\Program Files\CT-Art 3.0
2007-07-11 16:08 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-07-11 16:07 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-07-11 16:07 123 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-07-11 16:07 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-07-11 14:19 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-07-11 14:18 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-07-11 14:18 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-07-11 14:18 1,044,480 --a------ C:\WINDOWS\system32\VchReg.dll
2007-07-11 14:18 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-09 04:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-09 03:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-09 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 02:41 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-08 04:07 <DIR> d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\WinRAR
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-02 03:09 --------- d-------- C:\DOCUME~1\JULIAN~1\APPLIC~1\ChessBase
2007-07-30 11:42 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-30 02:50 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-30 00:49 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-27 18:51 --------- d-------- C:\Program Files\ICQ
2007-07-20 13:59 --------- d-------- C:\Program Files\America Online 9.0
2007-07-14 20:05 --------- d-------- C:\Program Files\mIRC
2007-06-25 09:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-23 15:43 --------- d-------- C:\Program Files\PDF-Convert
2007-06-22 17:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-22 16:51 62016 --a------ C:\WINDOWS\system32\GlyphInfo.bin
2007-06-22 16:51 198724 --a------ C:\WINDOWS\system32\FontInfo.bin
2007-06-22 16:41 --------- d-------- C:\Program Files\psconvert
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{F9DB055D-890A-408E-890F-53B5FA4DD230}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{AA8EBE88-FD5D-4821-B4BC-48467CDC4518}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{564FF64C-E32E-4C24-BD49-7C587F53E99E}.exe
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{0CD3E1F3-6027-498A-8A79-081748DB82BE}.exe
2007-06-08 12:42 --------- d-------- C:\Program Files\ChessBase
2007-06-05 11:59 --------- d-------- C:\Program Files\MSN Messenger
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-08-06 21:27 221832 --a------ C:\Program Files\022_16A.JPG
2006-08-06 21:27 207754 --a------ C:\Program Files\024_14A.JPG
2006-08-06 21:27 181159 --a------ C:\Program Files\021_17A.JPG
2006-08-06 21:26 246024 --a------ C:\Program Files\016_22A.JPG
2006-08-06 21:26 174923 --a------ C:\Program Files\012_26A.JPG
2005-08-24 13:50 457 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 11:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 01:35]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 14:58]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 09:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 09:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-09 14:27]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-15 14:44]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-27 10:45]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-27 10:45]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [2007-07-27 17:42]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [2007-07-27 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-01 23:03:03]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-09 14:26:54]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-09 14:09:42]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 20:23:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hmdWCiSg"= {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
*Newly Created Service* - APPMGMT
Contents of the 'Scheduled Tasks' folder
2007-07-27 22:30:03 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JMWCHAN-Julian Chan).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 03:53:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-02 3:54:21
C:\ComboFix-quarantined-files.txt ... 2007-08-01 20:08
C:\ComboFix2.txt ... 2007-08-01 20:08
C:\ComboFix3.txt ... 2007-07-31 19:46
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 4:00:25 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi,
Allmost
Please rescan by hijackthis and check :
O21 - SSODL: hmdWCiSg - {04FB1AEC-AE51-B046-1E79-ED984C139048} - C:\WINDOWS\system32\kfnvs.dll (file missing)
Close all programs and click fix checked
boot comp and send a fresh hijack log
Done. Here's the latest log:
Logfile of HijackThis v1.99.1
Scan saved at 12:14:09 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Julian Chan\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
:D
Hi,
Now its clean :D
Happy surfing :D
Thank you for all your help and time!!
P.S. Any tips on how to prevent a future infection? I got this even with my Spyware Detector v 2.0 realtime protection turned on!
#
Now that you're clean, here are some tips how to stay clean.
#
#
-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
#
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
#
#
-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
#
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.
#
#
-> Use CCleaner -> http://www.ccleaner.com
#
Download and install CCleaner. Clean your registry and temporary files with it regularly.
#
#
-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
#
Download and install Ad-Aware. Update it and scan your computer regularly with it.
#
#
-> Use Ewido -> http://www.ewido.net/en
#
Download and install Ewido. Update it and scan your computer regularly with it.
#
#
-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
#
SpywareBlaster will prevent spyware from being installed to your computer.
#
#
-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
#
This prevents your computer from connecting to harmful sites.
#
#
-> Change your browser to Firefox -> http://www.mozilla.org
#
Firefox is faster, safer and quicker browser than Internet Explorer.
#
#
-> Keep your systen up-to-date -> http://windowsupdate.microsoft.com
#
Visit Windows Update regularly.
#
#
-> Keep your antivirus and firewall up-to-date
#
Scan your computer regularly with your antivirus.
#
#
-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
#
So how did I get infected in the first place?
#
#
Stay clean ;)
Hi ,
Wait a second :D
Please run that GMER again. We see if that nasty rootkit is away :D
Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips (http://icrontic.com/forum/showthread.php?t=39435) that Short-Media offers.
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)
Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here (http://icrontic.com/forum/showthread.php?t=29803)
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.