Help, I've got Trojans
When I run XoftSpySE, the scan results come up with Mudrop DV Trojan, Toolbar888, Vundo Trojan, and Generic Trojan. When I run Spybot Search and Destroy, it shows Virtumonde. I have done everything that I can (which isn't much), and could really use some help. Here is a recent HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:32:35 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\scanner.exe\scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Damned 'Ole Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {386195b4-3fb1-a36a-19f4-04c8db6d96f7} - {7f69d6bd-8c40-4f91-a63a-1bf34b591683} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BM379c6f8e] Rundll32.exe "C:\WINDOWS\system32\dmtwcqvp.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [7D51360A66070C255E51] Rundll32.exe "C:\WINDOWS\system32\xxmwcjdf.dll",s
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
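The entries a malware-removal helper would act on in the log above are a small, recognisable set: O4 Run keys that launch rundll32 on a system32 DLL with a random eight-letter name at a one-letter export (dmtwcqvp.dll and xxmwcjdf.dll here; the latter is later listed among ComboFix's deletions), an O20 Winlogon Notify entry whose DLL is already gone (winbfi32.dll), a win.ini run= autostart (F3) pointing at winupdate.exe, and an O2 BHO registered under a random CLSID with "(no file)". The script below is an added example, not code from the thread or from HijackThis; it parses HijackThis entry lines and applies those four rules. The sample input is a constructed excerpt of eight lines copied from the log above, with benign neighbours (NvCpl.dll, WgaLogon.dll, the Adobe BHO) kept in so the rules can be seen not firing on them. The rule thresholds (eight lowercase letters, a one- or two-letter export name) are this example's assumptions about the Vundo loader shape, not a published signature.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed excerpt: the eight entries below are copied verbatim from the
# HijackThis log in the post above; only the selection (benign entries placed
# next to the suspect ones) is ours.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {386195b4-3fb1-a36a-19f4-04c8db6d96f7} - {7f69d6bd-8c40-4f91-a63a-1bf34b591683} - (no file)
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM379c6f8e] Rundll32.exe "C:\WINDOWS\system32\dmtwcqvp.dll",s
O4 - HKLM\..\Run: [7D51360A66070C255E51] Rundll32.exe "C:\WINDOWS\system32\xxmwcjdf.dll",s
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code ("O4", "O20", ...)
    line: str     # the log line that triggered the rule
    reason: str   # why a malware-removal helper would act on it


# "O4 - HKLM\..\Run: [Name] command" -> ("O4", "HKLM\..\Run: [Name] command")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# rundll32 loading a DLL from system32 whose base name is eight lowercase
# letters, called at a one- or two-letter export ("...\dmtwcqvp.dll",s).
# Assumed threshold; it is the Vundo/Virtumonde loader shape seen in the log.
VUNDO_RUNDLL_RE = re.compile(
    r'(?i:rundll32(?:\.exe)?)\s+"?[^"\s]*?(?i:\\system32\\)([a-z]{8})\.dll"?\s*,\s*([a-z]{1,2})\b'
)


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, full_line) for each HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def analyze(text: str) -> List[Finding]:
    """Apply the four rules and return the entries a helper would fix."""
    findings: List[Finding] = []
    for section, body, line in parse_hjt(text):
        if section == "O4":
            m = VUNDO_RUNDLL_RE.search(body)
            if m:
                findings.append(Finding(section, line,
                    f"Run key loads randomly named {m.group(1)}.dll via rundll32 "
                    f"at export '{m.group(2)}' (Vundo loader shape)"))
        elif section == "O20" and "(file missing)" in body:
            # Winlogon Notify packages load into winlogon.exe as SYSTEM; a
            # registration whose DLL is gone is an orphan left by a cleaner.
            findings.append(Finding(section, line,
                "Winlogon Notify entry points at a missing DLL"))
        elif section == "F3" and re.search(r"\brun\s*=", body, re.IGNORECASE):
            # win.ini 'run=' is a Windows 3.x-era autostart that current
            # software does not use; anything found here deserves a look.
            findings.append(Finding(section, line,
                "legacy win.ini run= autostart"))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, line,
                "BHO CLSID registered but its DLL is absent (orphaned registration)"))
    return findings


def sections_flagged(text: str) -> List[str]:
    """Sorted section codes of all findings, handy for a quick summary."""
    return sorted(f.section for f in analyze(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the excerpt it reports five entries: both rundll32 loaders, the orphaned Winlogon Notify, the win.ini autostart and the fileless BHO, and nothing for the NVIDIA, WGA or Adobe lines. Paste a full HijackThis log into SAMPLE_LOG (or read it from a file) to triage it the same way; the Running processes and R0/R1 lines are simply skipped because they do not match ENTRY_RE.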
Comments
Please do not start more than one request thread for the same issue - it just adds to the work of others here (me, for one). Some serious infection is showing here, so let's start some repairs. Likely you got snookered by XoftSpy's misleading ad promo touting that it would remove just about anything, only to find after installing it that payment is required for it to do anything. And as you are finding out, that anything isn't really much. Listed here in the past, and likely needing listing there again, it is considered undesirable software to have or use. You can uninstall it and any other ParetoLogic items showing in Add/Remove Programs to remove it. Your choice, but if you do choose to keep it, be very sure it is completely disabled, to keep it out of the way of real repairs.
Also, follow the steps here to disable Spybot's TeaTimer, as it will interfere with the repairs. This is important, as it will block or return changes we try to make there.
Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.
Download ComboFix.exe from here to your desktop.
Then disable your net access, and click the downloaded file to run the repair.
When starting, ComboFix will cause your computer's internal speaker to produce two beeps, and during the start process it will display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. This is just to inform you, so you will understand that these procedures are expected and okay.
ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here, we will return the default Windows settings.
A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted it may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs.
(ComboFix will also disable any screensaver settings you have made, so know that at some point when we complete repairs you will need to reset your screensaver.)
Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
ComboFix 08-03-08.2 - Owner 2008-03-08 21:53:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.421 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM379c6f8e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aocjsgwd.dll
C:\WINDOWS\system32\aszodxgl.dll
C:\WINDOWS\system32\bhnsapss.dll
C:\WINDOWS\system32\cwfwased.dll
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dmezjfkx.dll
C:\WINDOWS\system32\durvsrrp.dll
C:\WINDOWS\system32\eajocefd.dll
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\fbtlpddo.dll
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fkhtmpxz.dll
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gnuarokt.dll
C:\WINDOWS\system32\hhxwdyyv.dll
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\iryhdppf.dll
C:\WINDOWS\system32\ixcqhver.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jotljyel.dll
C:\WINDOWS\system32\jsmxlgvc.dll
C:\WINDOWS\system32\lajhfuss.dll
C:\WINDOWS\system32\ldwdnqfn.dll
C:\WINDOWS\system32\lfcnpvva.dll
C:\WINDOWS\system32\lsijdzgm.dll
C:\WINDOWS\system32\lwdxmljg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnkkycjh.dll
C:\WINDOWS\system32\myxcqpfm.dll
C:\WINDOWS\system32\oylklxbi.dll
C:\WINDOWS\system32\phksxvdc.dll
C:\WINDOWS\system32\qccuxjht.dll
C:\WINDOWS\system32\qkipdbfn.dll
C:\WINDOWS\system32\qlaszqpp.dll
C:\WINDOWS\system32\qmbptdmp.dll
C:\WINDOWS\system32\qrdraztt.dll
C:\WINDOWS\system32\rhosscfg.dll
C:\WINDOWS\system32\rlmadxlr.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\tjstbroo.dll
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\vtgfeqib.dll
C:\WINDOWS\system32\vxipfcyh.dll
C:\WINDOWS\system32\wdrxagkv.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wudvajec.dll
C:\WINDOWS\system32\xcvqiugf.dll
C:\WINDOWS\system32\xdbcypre.dll
C:\WINDOWS\system32\xlpqksrf.dll
C:\WINDOWS\system32\xxmwcjdf.dll
C:\WINDOWS\system32\ygktmmac.dll
C:\WINDOWS\system32\ylidfkmh.dll
C:\WINDOWS\system32\zapifydi.dll
C:\WINDOWS\system32\zuqtdgml.dll
C:\WINDOWS\system32\zweqkyua.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-08 16:05 . 2008-03-08 16:05 2,834,047 --a C:\WINDOWS\system32\xdbcypre.xml
2008-03-08 11:30 . 2008-03-08 11:30 <DIR> d C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-08 10:32 . 2008-03-08 10:32 2,834,047 --a C:\WINDOWS\system32\eajocefd.xml
2008-03-08 09:43 . 2008-03-08 09:29 2,834,047 --a C:\WINDOWS\system32\zweqkyua.xml
2008-03-08 09:36 . 2008-03-08 09:29 2,834,047 --a C:\WINDOWS\system32\rhosscfg.xml
2008-03-06 12:33 . 2008-03-06 12:29 2,834,013 --a C:\WINDOWS\system32\jotljyel.xml
2008-03-06 04:05 . 2008-03-08 21:48 2,834,047 --a C:\WINDOWS\system32\xxmwcjdf.xml
2008-03-05 22:11 . 2008-03-06 04:03 2,834,013 --a C:\WINDOWS\system32\lwdxmljg.xml
2008-03-05 22:04 . 2008-03-05 22:01 2,833,962 --a C:\WINDOWS\system32\dmezjfkx.xml
2008-03-05 22:02 . 2008-03-05 22:01 2,833,962 --a C:\WINDOWS\system32\gnuarokt.xml
2008-03-05 15:36 . 2008-03-05 15:02 2,833,961 --a C:\WINDOWS\system32\xlpqksrf.xml
2008-03-04 21:30 . 2008-03-04 21:29 2,833,944 --a C:\WINDOWS\system32\vxipfcyh.xml
2008-03-04 21:02 . 2008-03-04 21:00 2,833,945 --a C:\WINDOWS\system32\ylidfkmh.xml
2008-03-04 16:40 . 2008-03-04 16:40 2,833,945 --a C:\WINDOWS\system32\cwfwased.xml
2008-03-04 10:44 . 2008-03-05 22:01 2,833,962 --a C:\WINDOWS\system32\qccuxjht.xml
2008-03-04 10:37 . 2008-03-04 10:37 <DIR> d C:\Program Files\ParetoLogic
2008-03-04 10:37 . 2008-03-04 10:37 <DIR> d C:\Program Files\Common Files\ParetoLogic
2008-03-04 09:47 . 2008-03-04 09:43 2,833,944 --a C:\WINDOWS\system32\hhxwdyyv.xml
2008-03-04 09:22 . 2008-03-04 09:22 <DIR> d C:\VundoFix Backups
2008-03-04 08:05 . 2008-03-04 10:44 2,833,944 --a C:\WINDOWS\system32\phksxvdc.xml
2008-03-04 07:59 . 2008-03-04 07:59 <DIR> d C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-04 07:53 . 2008-03-04 07:46 2,833,876 --a C:\WINDOWS\system32\durvsrrp.xml
2008-03-04 07:50 . 2008-03-04 07:46 2,833,876 --a C:\WINDOWS\system32\aocjsgwd.xml
2008-03-04 07:36 . 2008-03-08 21:41 <DIR> d C:\Program Files\XoftSpySE
2008-03-04 00:01 . 2008-03-03 23:59 2,833,774 --a C:\WINDOWS\system32\fkhtmpxz.xml
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d C:\Documents and Settings\Owner\Application Data\ParetoLogic
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-03 21:03 . 2008-03-03 23:43 7,168 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-03 21:01 . 2008-03-03 20:58 2,833,673 --a C:\WINDOWS\system32\myxcqpfm.xml
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-03 17:56 . 2008-03-03 17:52 2,833,673 --a C:\WINDOWS\system32\iryhdppf.xml
2008-03-03 17:53 . 2008-03-03 17:52 2,833,673 --a C:\WINDOWS\system32\qrdraztt.xml
2008-03-03 17:47 . 2008-03-08 06:32 <DIR> d C:\Program Files\scanner.exe
2008-03-03 17:40 . 2008-03-03 17:32 2,833,673 --a C:\WINDOWS\system32\zuqtdgml.xml
2008-03-03 17:35 . 2008-03-03 17:32 2,833,673 --a C:\WINDOWS\system32\fbtlpddo.xml
2008-03-03 17:32 . 2008-03-03 17:32 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 08:33 . 2008-03-03 08:32 2,833,655 --a C:\WINDOWS\system32\lfcnpvva.xml
2008-03-03 04:32 . 2008-03-03 04:31 2,833,655 --a C:\WINDOWS\system32\lsijdzgm.xml
2008-03-03 02:19 . 2008-03-03 02:13 2,833,468 --a C:\WINDOWS\system32\ldwdnqfn.xml
2008-03-02 07:56 . 2008-03-02 07:54 2,833,316 --a C:\WINDOWS\system32\tjstbroo.xml
2008-03-02 07:54 . 2008-03-02 07:54 <DIR> d--h C:\WINDOWS\system32\GroupPolicy
2008-03-02 07:03 . 2008-03-02 06:58 2,833,299 --a C:\WINDOWS\system32\xcvqiugf.xml
2008-03-02 03:42 . 2005-02-08 06:12 2,670,592 C:\WINDOWS\UNNeroVision.exe
2008-03-02 03:42 . 2005-03-02 04:31 183,036 C:\WINDOWS\UNNeroVision.cfg
2008-03-02 03:41 . 2004-07-09 08:43 364,544 C:\WINDOWS\system32\TwnLib4.dll
2008-03-02 03:41 . 2001-06-26 07:15 38,912 C:\WINDOWS\system32\picn20.dll
2008-03-02 03:40 . 2005-02-08 06:12 2,670,592 C:\WINDOWS\UNNMP.exe
2008-03-02 03:40 . 2005-03-02 04:31 47,678 C:\WINDOWS\UNNMP.cfg
2008-03-02 03:19 . 2008-03-05 07:12 116 --a C:\WINDOWS\NeroDigital.ini
2008-03-02 03:06 . 2008-03-08 21:56 54,156 --ah C:\WINDOWS\QTFont.qfn
2008-03-02 03:06 . 2008-03-02 03:06 1,409 --a C:\WINDOWS\QTFont.for
2008-03-02 03:05 . 2008-03-08 21:55 31,056 --a C:\WINDOWS\system32\BMXStateBkp-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 03:05 . 2008-03-08 21:55 31,056 --a C:\WINDOWS\system32\BMXState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 03:05 . 2008-03-08 21:55 30,528 --a C:\WINDOWS\system32\BMXCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 03:05 . 2008-03-08 21:55 30,528 --a C:\WINDOWS\system32\BMXBkpCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 03:05 . 2008-03-08 21:55 11,564 --a C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 03:05 . 2008-03-08 21:55 1,080 --a C:\WINDOWS\system32\settingsbkup.sfm
2008-03-02 03:05 . 2008-03-08 21:55 1,080 --a C:\WINDOWS\system32\settings.sfm
2008-03-02 03:04 . 2008-03-08 21:56 4,958,588 --a C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.CDF
2008-03-02 03:04 . 2008-03-08 21:54 4,958,588 --a C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.BAK
2008-03-02 03:02 . 2006-08-11 14:55 10,240 --a C:\WINDOWS\CTDCRES.DLL
2008-03-02 03:01 . 2008-03-02 02:58 2,833,265 --a C:\WINDOWS\system32\zapifydi.xml
2008-03-02 02:52 . 2008-03-02 02:51 2,833,265 --a C:\WINDOWS\system32\qmbptdmp.xml
2008-03-02 02:45 . 2008-03-02 02:45 <DIR> d C:\Program Files\C-Media 6501 Sound
2008-03-02 02:45 . 2006-09-03 21:16 5,730,304 -ra C:\WINDOWS\system\c6501.cpl
2008-03-02 02:45 . 2006-09-05 03:04 1,419,968 -ra C:\WINDOWS\system32\drivers\c6501.sys
2008-03-02 02:45 . 2001-11-22 22:08 712,704 -ra C:\WINDOWS\system32\c6501a3d.dll
2008-03-02 02:45 . 2006-08-30 04:43 266,240 -r C:\WINDOWS\Cmi6501Uninstall.exe
2008-03-02 02:45 . 2006-08-29 23:38 253,952 -ra C:\WINDOWS\system32\c6501rm.exe
2008-03-02 02:45 . 2005-12-26 03:23 53,248 -ra C:\WINDOWS\system32\c6501rm.dll
2008-03-02 02:45 . 2006-06-27 00:54 32,768 -ra C:\WINDOWS\system32\c6501p.dll
2008-03-02 02:45 . 2006-09-05 22:28 4,712 -r C:\WINDOWS\C6501.ini
2008-03-02 02:45 . 2008-03-08 21:38 429 --a C:\WINDOWS\system\C6501.ini
2008-03-02 02:44 . 2008-03-02 02:44 12,675 --a C:\WINDOWS\Ascd_tmp.ini
2008-03-02 02:34 . 2008-03-02 02:30 2,833,265 --a C:\WINDOWS\system32\oylklxbi.xml
2008-03-02 02:31 . 2006-08-11 14:57 11,776 --a C:\WINDOWS\INRES.DLL
2008-03-02 02:30 . 2003-10-21 03:54 217,272 --a C:\WINDOWS\system32\SET1284.tmp
2008-03-02 02:23 . 2008-03-02 02:20 2,833,265 --a C:\WINDOWS\system32\ygktmmac.xml
2008-03-02 02:21 . 2008-03-02 03:04 <DIR> d C:\Program Files\Creative
2008-03-02 02:11 . 2008-03-02 02:06 2,833,265 --a C:\WINDOWS\system32\mnkkycjh.xml
2008-03-02 02:08 . 2008-03-04 08:00 2,833,876 --a C:\WINDOWS\system32\wudvajec.xml
2008-03-02 01:54 . 2008-03-02 01:52 2,833,265 --a C:\WINDOWS\system32\qlaszqpp.xml
2008-03-02 01:45 . 2008-03-02 01:43 2,833,265 --a C:\WINDOWS\system32\jsmxlgvc.xml
2008-03-02 01:31 . 2008-03-02 01:26 2,833,265 --a C:\WINDOWS\system32\aszodxgl.xml
2008-03-02 01:13 . 2008-03-02 01:13 <DIR> d C:\Program Files\Real
2008-03-02 01:13 . 2008-03-02 01:13 <DIR> d C:\Program Files\Common Files\xing shared
2008-03-02 01:13 . 2008-03-02 01:13 <DIR> d C:\Program Files\Common Files\Real
2008-03-02 01:07 . 2007-09-24 23:31 69,632 --a C:\WINDOWS\system32\javacpl.cpl
2008-03-02 01:06 . 2008-03-02 01:06 <DIR> d C:\Program Files\Common Files\Java
2008-03-02 01:05 . 2008-03-02 01:05 382,352 --a C:\Program Files\jre-6u3-windows-i586-p-iftw.exe
2008-03-01 12:44 . 2008-03-02 09:51 <DIR> d C:\Rip It 4 Me
2008-03-01 12:23 . 2008-03-01 12:23 <DIR> d C:\Program Files\DVD Decrypter
2008-03-01 12:22 . 2008-03-01 12:23 899,414 --a C:\SetupDVDDecrypter_3.5.4.0.exe
2008-03-01 11:29 . 2004-07-26 16:16 1,568,768 C:\WINDOWS\system32\ImagX7.dll
2008-03-01 11:29 . 2004-07-26 16:16 476,320 C:\WINDOWS\system32\ImagXpr7.dll
2008-03-01 11:29 . 2004-07-26 16:16 471,040 C:\WINDOWS\system32\ImagXRA7.dll
2008-03-01 11:29 . 2004-07-26 16:16 262,144 C:\WINDOWS\system32\ImagXR7.dll
2008-03-01 11:29 . 2001-07-09 10:50 155,648 --a C:\WINDOWS\system32\NeroCheck.exe
2008-03-01 11:29 . 2000-06-26 10:45 106,496 C:\WINDOWS\system32\TwnLib20.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 09:03 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-02 09:03 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-02 09:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Creative
2008-03-02 08:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 07:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-16 07:28 1,305,088 ----a-w C:\Program Files\NF_Movie_Player_211.msi
2008-02-10 15:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-09 23:33 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-09 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 00:56 --------- d-----w C:\Program Files\Yahoo!
2008-02-07 00:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-06 23:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-02-06 22:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Share-to-Web Upload Folder
2008-02-06 22:28 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-02-05 21:47 --------- d-----w C:\Program Files\DIFX
2008-02-05 21:34 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 16:35 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 01:13 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 23:00 771440]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-08-18 02:52 113152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 17:41 163840]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\WINDOWS\system32\Ctxfihlp.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 20:05 116328]
"C6501Sound"="c6501.cpl" []
"BM379c6f8e"="C:\WINDOWS\system32\dmtwcqvp.dll" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32]
winbfi32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2006-08-11 14:56]
R3 cm102u32;C-Media CM6501 Like Sound Interface;C:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 03:04]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 08:16:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-03-05 00:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-03-06 00:00:01 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2008-03-04 16:37:20 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
"2008-02-17 19:59:07 C:\WINDOWS\Tasks\UPS System Shutdown Program.job"
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 21:56:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-03-08 21:57:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 03:57:29
.
2008-02-16 16:41:24 --- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 9:58:56 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BM379c6f8e] Rundll32.exe "C:\WINDOWS\system32\dmtwcqvp.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
As its entries and files/folders are showing in many locations there, let me know if you choose to uninstall Paretologic (Xsoft) so we can add those to the cleanup list.
Be sure to continue to temporarily disable any protective software when running the scan tools we use here.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
Save this to your desktop as "CFScript"
(include the "quotation marks" with the name)
You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.
ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Post back that log along with the ComboFix.txt and a new HijackThis log please.
Here are the log files from the latest scans. As far as Pareto software goes, I will get rid of all of it.
ComboFix 08-03-08.2 - Owner 2008-03-09 11:01:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.551 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Program Files\scanner.exe
C:\WINDOWS\system32\aocjsgwd.xml
C:\WINDOWS\system32\aszodxgl.xml
C:\WINDOWS\system32\cwfwased.xml
C:\WINDOWS\system32\dmezjfkx.xml
C:\WINDOWS\system32\durvsrrp.xml
C:\WINDOWS\system32\eajocefd.xml
C:\WINDOWS\system32\fbtlpddo.xml
C:\WINDOWS\system32\fkhtmpxz.xml
C:\WINDOWS\system32\gnuarokt.xml
C:\WINDOWS\system32\hhxwdyyv.xml
C:\WINDOWS\system32\iryhdppf.xml
C:\WINDOWS\system32\jotljyel.xml
C:\WINDOWS\system32\jsmxlgvc.xml
C:\WINDOWS\system32\ldwdnqfn.xml
C:\WINDOWS\system32\lfcnpvva.xml
C:\WINDOWS\system32\lsijdzgm.xml
C:\WINDOWS\system32\lwdxmljg.xml
C:\WINDOWS\system32\mnkkycjh.xml
C:\WINDOWS\system32\myxcqpfm.xml
C:\WINDOWS\system32\oylklxbi.xml
C:\WINDOWS\system32\phksxvdc.xml
C:\WINDOWS\system32\qccuxjht.xml
C:\WINDOWS\system32\qlaszqpp.xml
C:\WINDOWS\system32\qmbptdmp.xml
C:\WINDOWS\system32\qrdraztt.xml
C:\WINDOWS\system32\rhosscfg.xml
C:\WINDOWS\system32\SET1284.tmp
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tjstbroo.xml
C:\WINDOWS\system32\vxipfcyh.xml
C:\WINDOWS\system32\winbfi32.dll
C:\WINDOWS\system32\wudvajec.xml
C:\WINDOWS\system32\xcvqiugf.xml
C:\WINDOWS\system32\xdbcypre.xml
C:\WINDOWS\system32\xlpqksrf.xml
C:\WINDOWS\system32\xxmwcjdf.xml
C:\WINDOWS\system32\ygktmmac.xml
C:\WINDOWS\system32\ylidfkmh.xml
C:\WINDOWS\system32\zapifydi.xml
C:\WINDOWS\system32\zuqtdgml.xml
C:\WINDOWS\system32\zweqkyua.xml
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-08 23:04 . 2008-03-08 23:04 606 --a------ C:\NCO_BHO.reg
2008-03-08 12:30 . 2008-03-08 12:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-04 11:37 . 2008-03-04 11:37 <DIR> d-------- C:\Program Files\ParetoLogic
2008-03-04 11:37 . 2008-03-04 11:37 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-03-04 10:22 . 2008-03-04 10:22 <DIR> d-------- C:\VundoFix Backups
2008-03-04 08:59 . 2008-03-04 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ParetoLogic
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-03 18:58 . 2008-03-03 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-03 18:47 . 2008-03-08 07:32 <DIR> d-------- C:\Program Files\scanner.exe
2008-03-03 18:32 . 2008-03-03 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-02 08:54 . 2008-03-02 08:54 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-02 04:42 . 2005-02-08 07:12 2,670,592 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-02 04:42 . 2005-03-02 05:31 183,036 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-02 04:41 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-02 04:41 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-03-02 04:40 . 2005-02-08 07:12 2,670,592 --------- C:\WINDOWS\UNNMP.exe
2008-03-02 04:40 . 2005-03-02 05:31 47,678 --------- C:\WINDOWS\UNNMP.cfg
2008-03-02 04:19 . 2008-03-05 08:12 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-02 04:06 . 2008-03-08 23:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 04:06 . 2008-03-02 04:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 04:05 . 2008-03-08 23:51 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-08 23:51 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-08 23:51 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-08 23:51 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-08 23:51 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-08 23:51 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-03-02 04:05 . 2008-03-08 23:51 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-03-02 04:04 . 2008-03-09 10:40 4,958,588 --a------ C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.CDF
2008-03-02 04:04 . 2008-03-08 23:51 4,958,588 --a------ C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.BAK
2008-03-02 04:02 . 2006-08-11 15:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-03-02 03:45 . 2008-03-02 03:45 <DIR> d-------- C:\Program Files\C-Media 6501 Sound
2008-03-02 03:45 . 2006-09-03 22:16 5,730,304 -ra------ C:\WINDOWS\system\c6501.cpl
2008-03-02 03:45 . 2006-09-05 04:04 1,419,968 -ra------ C:\WINDOWS\system32\drivers\c6501.sys
2008-03-02 03:45 . 2001-11-22 23:08 712,704 -ra------ C:\WINDOWS\system32\c6501a3d.dll
2008-03-02 03:45 . 2006-08-30 05:43 266,240 -r------- C:\WINDOWS\Cmi6501Uninstall.exe
2008-03-02 03:45 . 2006-08-30 00:38 253,952 -ra------ C:\WINDOWS\system32\c6501rm.exe
2008-03-02 03:45 . 2005-12-26 04:23 53,248 -ra------ C:\WINDOWS\system32\c6501rm.dll
2008-03-02 03:45 . 2006-06-27 01:54 32,768 -ra------ C:\WINDOWS\system32\c6501p.dll
2008-03-02 03:45 . 2006-09-05 23:28 4,712 -r------- C:\WINDOWS\C6501.ini
2008-03-02 03:45 . 2008-03-09 05:04 429 --a------ C:\WINDOWS\system\C6501.ini
2008-03-02 03:44 . 2008-03-02 03:44 12,675 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-03-02 03:31 . 2006-08-11 15:57 11,776 --a------ C:\WINDOWS\INRES.DLL
2008-03-02 03:21 . 2008-03-02 04:04 <DIR> d-------- C:\Program Files\Creative
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d-------- C:\Program Files\Real
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-02 02:07 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 02:06 . 2008-03-02 02:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 02:05 . 2008-03-02 02:05 382,352 --a------ C:\Program Files\jre-6u3-windows-i586-p-iftw.exe
2008-03-01 13:44 . 2008-03-02 10:51 <DIR> d-------- C:\Rip It 4 Me
2008-03-01 13:23 . 2008-03-01 13:23 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-03-01 13:22 . 2008-03-01 13:23 899,414 --a------ C:\SetupDVDDecrypter_3.5.4.0.exe
2008-03-01 12:29 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-01 12:29 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-01 12:29 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-01 12:29 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-01 12:29 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-01 12:29 . 2000-06-26 11:45 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2008-03-01 10:11 . 2008-03-01 10:11 30 --a------ C:\WINDOWS\system32\vtgfeqib.xml
2008-03-01 09:08 . 2008-03-01 09:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-01 09:08 . 2008-03-01 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 09:07 . 2008-03-01 09:07 <DIR> d-------- C:\Program Files\ImgBurn
2008-03-01 09:07 . 2008-03-01 09:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-03-01 09:06 . 2008-03-01 09:06 <DIR> d-------- C:\Program Files\ReaConverter 4.0 Pro
2008-03-01 09:06 . 2008-03-01 09:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RCP 4
2008-03-01 08:54 . 2008-03-08 11:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 08:48 . 2008-03-01 08:48 <DIR> d-------- C:\Program Files\DVD Shrink
2008-03-01 08:47 . 2008-03-01 08:47 <DIR> d-------- C:\Program Files\DVDFab Decrypter 3
2008-03-01 08:44 . 2008-03-01 08:39 30 --a------ C:\WINDOWS\system32\wdrxagkv.xml
2008-03-01 08:43 . 2008-03-01 08:42 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-01 08:43 . 2008-03-01 08:43 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-01 08:36 . 2008-03-02 11:28 <DIR> d-------- C:\Program Files\Satellite PC
2008-03-01 08:35 . 2008-03-01 08:35 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2008-03-01 08:34 . 2008-03-08 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-01 08:34 . 2008-03-01 08:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-01 08:33 . 2006-12-02 19:08 887,360 --a------ C:\Program Files\Nero General-CleanTool_2_1_8_42.exe
2008-03-01 08:17 . 2008-03-01 08:15 30 --a------ C:\WINDOWS\system32\bhnsapss.xml
2008-03-01 07:50 . 2008-03-01 07:48 30 --a------ C:\WINDOWS\system32\qkipdbfn.xml
2008-03-01 07:20 . 2008-03-01 07:17 30 --a------ C:\WINDOWS\system32\lajhfuss.xml
2008-03-01 07:16 . 2008-03-01 07:41 <DIR> d-------- C:\kill disc
2008-03-01 06:45 . 2008-03-01 06:42 30 --a------ C:\WINDOWS\system32\ixcqhver.xml
2008-02-29 13:22 . 2008-03-02 03:06 2,833,265 --a------ C:\WINDOWS\system32\rlmadxlr.xml
2008-02-28 14:09 . 2008-02-28 14:26 414 ---hs---- C:\WINDOWS\system32\yrexdtfa.ini
2008-02-28 11:57 . 2008-02-28 11:57 294 ---hs---- C:\WINDOWS\system32\pkvhkrue.ini
2008-02-27 19:32 . 2008-02-28 05:43 954 ---hs---- C:\WINDOWS\system32\nqbauxii.ini
2008-02-27 19:08 . 2008-02-27 19:29 894 ---hs---- C:\WINDOWS\system32\ljjtjqry.ini
2008-02-27 17:21 . 2008-03-02 01:16 <DIR> d-------- C:\DVD Shrink
2008-02-27 16:42 . 2008-02-27 18:55 774 ---hs---- C:\WINDOWS\system32\wctgrjus.ini
2008-02-26 12:06 . 2008-02-27 16:33 654 ---hs---- C:\WINDOWS\system32\qmupmbji.ini
2008-02-25 18:44 . 2008-02-26 05:35 452 --ahs---- C:\WINDOWS\system32\ojencskh.ini
2008-02-25 18:10 . 2008-02-25 18:44 272 --ahs---- C:\WINDOWS\system32\lhgofyro.ini
2008-02-25 18:03 . 2008-02-25 18:04 5,034 --ahs---- C:\WINDOWS\system32\talbxyhi.ini
2008-02-25 16:47 . 2008-02-25 18:03 4,974 --ahs---- C:\WINDOWS\system32\ciiaogky.ini
2008-02-25 15:57 . 2008-02-25 16:41 4,674 --ahs---- C:\WINDOWS\system32\esehgodi.ini
2008-02-25 15:35 . 2008-02-25 15:46 4,554 --ahs---- C:\WINDOWS\system32\bcctosgd.ini
2008-02-22 06:48 . 2008-02-25 15:30 4,434 --ahs---- C:\WINDOWS\system32\ednbtmqe.ini
2008-02-22 06:43 . 2001-08-17 14:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-22 06:43 . 2001-08-17 14:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 09:03 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-02 09:03 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-02 09:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Creative
2008-03-02 08:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
Logfile of HijackThis v1.99.1
Scan saved at 12:21:52 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\scanner.exe\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Unfortunately the Kaspersky Online Scanner log file said the report is empty.
The scan results showed one virus and one infected object.
I re-did the Kaspersky scan. I was able to save the log file off of this one. Here it is...
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 4:33:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 619352
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
Scan Statistics:
Total number of scanned objects: 83394
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:50:10
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-09_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\BF155601.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\C086BA62.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFC0B1.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F36BA4C6-AAF7-4DA8-A22B-44BBCF5B3F00}\RP2\A0000166.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F36BA4C6-AAF7-4DA8-A22B-44BBCF5B3F00}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_918.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.CDF Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\24e10e09b94538d183634de9c16fb6f7_d5373f70-152e-47e1-85fa-2fee59cd7445 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3407bfe4671007d3c3053d854e6854dc_d5373f70-152e-47e1-85fa-2fee59cd7445 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\badd736d328e06fc7ae8879252c3d34e_d5373f70-152e-47e1-85fa-2fee59cd7445 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{F36BA4C6-AAF7-4DA8-A22B-44BBCF5B3F00}\RP4\change.log Object is locked skipped
Scan process completed.
Be sure to continue to temporarily disable any protective software when running the scan tools we use here.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
Save this to your desktop as "CFScript"
(include the "quotation marks" with the name)
You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.
ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Just post that log back here please.
Here is the log file from the ComboFix scan. Yes, I have just upgraded my motherboard, processor, and video card. I also re-installed my sound card.
File::
C:\WINDOWS\system32\vtgfeqib.xml
C:\WINDOWS\system32\wdrxagkv.xml
C:\WINDOWS\system32\bhnsapss.xml
C:\WINDOWS\system32\qkipdbfn.xml
C:\WINDOWS\system32\lajhfuss.xml
C:\WINDOWS\system32\ixcqhver.xml
C:\WINDOWS\system32\rlmadxlr.xml
C:\WINDOWS\system32\yrexdtfa.ini
C:\WINDOWS\system32\pkvhkrue.ini
C:\WINDOWS\system32\nqbauxii.ini
C:\WINDOWS\system32\ljjtjqry.ini
C:\WINDOWS\system32\wctgrjus.ini
C:\WINDOWS\system32\qmupmbji.ini
C:\WINDOWS\system32\ojencskh.ini
C:\WINDOWS\system32\lhgofyro.ini
C:\WINDOWS\system32\talbxyhi.ini
C:\WINDOWS\system32\ciiaogky.ini
C:\WINDOWS\system32\esehgodi.ini
C:\WINDOWS\system32\bcctosgd.ini
C:\WINDOWS\system32\ednbtmqe.ini
Folder::
C:\Program Files\ParetoLogic
C:\Program Files\Common Files\ParetoLogic
C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
C:\Documents and Settings\Owner\Application Data\ParetoLogic
C:\Documents and Settings\All Users\Application Data\ParetoLogic
C:\Program Files\scanner.exe
Sorry, here is the proper log...
ComboFix 08-03-08.2 - Owner 2008-03-09 18:05:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\bcctosgd.ini
C:\WINDOWS\system32\bhnsapss.xml
C:\WINDOWS\system32\ciiaogky.ini
C:\WINDOWS\system32\ednbtmqe.ini
C:\WINDOWS\system32\esehgodi.ini
C:\WINDOWS\system32\ixcqhver.xml
C:\WINDOWS\system32\lajhfuss.xml
C:\WINDOWS\system32\lhgofyro.ini
C:\WINDOWS\system32\ljjtjqry.ini
C:\WINDOWS\system32\nqbauxii.ini
C:\WINDOWS\system32\ojencskh.ini
C:\WINDOWS\system32\pkvhkrue.ini
C:\WINDOWS\system32\qkipdbfn.xml
C:\WINDOWS\system32\qmupmbji.ini
C:\WINDOWS\system32\rlmadxlr.xml
C:\WINDOWS\system32\talbxyhi.ini
C:\WINDOWS\system32\vtgfeqib.xml
C:\WINDOWS\system32\wctgrjus.ini
C:\WINDOWS\system32\wdrxagkv.xml
C:\WINDOWS\system32\yrexdtfa.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware\5.5\Logs\PAS-04-03-08-08-04-53.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware\5.5\Logs\PAS-04-03-08-09-46-41.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware\5.5\quarantine.db
C:\Documents and Settings\All Users\Application Data\ParetoLogic
C:\Documents and Settings\All Users\Application Data\ParetoLogic\Privacy Controls\AppPreferences.dat
C:\Documents and Settings\All Users\Application Data\ParetoLogic\Privacy Controls\cleaning.db
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Master.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Patch.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Privacy Controls\Database.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Privacy Controls\Master.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Privacy Controls\Patch.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Privacy Controls\Update.xml
C:\Documents and Settings\All Users\Application Data\ParetoLogic\UUS2\Update.xml
C:\Documents and Settings\Owner\Application Data\ParetoLogic
C:\Documents and Settings\Owner\Application Data\ParetoLogic\Privacy Controls\CleanPreferences.db
C:\Program Files\Common Files\ParetoLogic
C:\Program Files\Common Files\ParetoLogic\UUS2\Images\Logo.png
C:\Program Files\Common Files\ParetoLogic\UUS2\LiteUnzip.dll
C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
C:\Program Files\Common Files\ParetoLogic\UUS2\ParetoLogic Update.chm
C:\Program Files\Common Files\ParetoLogic\UUS2\UUS.dll
C:\Program Files\ParetoLogic
C:\Program Files\ParetoLogic\Privacy Controls\html\0_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\1_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\15_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\2_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\30_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\5_days.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\email.htm
C:\Program Files\ParetoLogic\Privacy Controls\html\images\10x10.gif
C:\Program Files\ParetoLogic\Privacy Controls\html\images\10x10tile.gif
C:\Program Files\ParetoLogic\Privacy Controls\html\images\contentwrapper.gif
C:\Program Files\ParetoLogic\Privacy Controls\html\images\footerbarfill.gif
C:\Program Files\ParetoLogic\Privacy Controls\html\images\info_bubble.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\images\privacycontrols2.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\images\tile_footerbarbase.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\images\tile_titlebarbase.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\images\tile_titlebarend.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\images\tile_titlebarfloat.jpg
C:\Program Files\ParetoLogic\Privacy Controls\html\main.css
C:\Program Files\ParetoLogic\Privacy Controls\images\about-large.png
C:\Program Files\ParetoLogic\Privacy Controls\images\about-small.png
C:\Program Files\ParetoLogic\Privacy Controls\images\AppTitle.png
C:\Program Files\ParetoLogic\Privacy Controls\images\arrow.png
C:\Program Files\ParetoLogic\Privacy Controls\images\bg.png
C:\Program Files\ParetoLogic\Privacy Controls\images\close.png
C:\Program Files\ParetoLogic\Privacy Controls\images\dummy_small.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0001.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0002.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0003.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0004.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0005.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0006.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0007.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0008.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0009.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0010.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0011.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0012.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0013.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0014.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0015.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0016.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0017.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0018.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0019.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0020.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0021.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0022.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0023.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0024.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0025.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0026.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0027.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0028.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0029.png
C:\Program Files\ParetoLogic\Privacy Controls\images\erase0030.png
C:\Program Files\ParetoLogic\Privacy Controls\images\Intro.png
C:\Program Files\ParetoLogic\Privacy Controls\images\Logo.png
C:\Program Files\ParetoLogic\Privacy Controls\images\max-g.png
C:\Program Files\ParetoLogic\Privacy Controls\images\max.png
C:\Program Files\ParetoLogic\Privacy Controls\images\min-g.png
C:\Program Files\ParetoLogic\Privacy Controls\images\min.png
C:\Program Files\ParetoLogic\Privacy Controls\images\nav-about-lg.png
C:\Program Files\ParetoLogic\Privacy Controls\images\nav-scan-lg.png
C:\Program Files\ParetoLogic\Privacy Controls\images\nav-settings-lg.png
C:\Program Files\ParetoLogic\Privacy Controls\images\nav-shred-lg.png
C:\Program Files\ParetoLogic\Privacy Controls\images\privacycontrols_logo.png
C:\Program Files\ParetoLogic\Privacy Controls\images\saw.png
C:\Program Files\ParetoLogic\Privacy Controls\images\scan-categories.png
C:\Program Files\ParetoLogic\Privacy Controls\images\scan-large.png
C:\Program Files\ParetoLogic\Privacy Controls\images\scan-small.png
C:\Program Files\ParetoLogic\Privacy Controls\images\scan-splash.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0001.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0002.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0003.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0004.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0005.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0006.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0007.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0008.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0009.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0010.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0011.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0012.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0013.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0014.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0015.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0016.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0017.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0018.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0019.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0020.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0021.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0022.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0023.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0024.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0025.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0026.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0027.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0028.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0029.png
C:\Program Files\ParetoLogic\Privacy Controls\images\search0030.png
C:\Program Files\ParetoLogic\Privacy Controls\images\settings-large.png
C:\Program Files\ParetoLogic\Privacy Controls\images\settings-small.png
C:\Program Files\ParetoLogic\Privacy Controls\images\shred-large.png
C:\Program Files\ParetoLogic\Privacy Controls\images\shred-small.png
C:\Program Files\ParetoLogic\Privacy Controls\Pareto_PC.exe
C:\Program Files\ParetoLogic\Privacy Controls\Pareto_PC.ico
C:\Program Files\ParetoLogic\Privacy Controls\ParetoLogic PrivacyControls.chm
C:\Program Files\ParetoLogic\Privacy Controls\resources.dll
C:\Program Files\ParetoLogic\Privacy Controls\settings.xml
C:\Program Files\ParetoLogic\Privacy Controls\UNS.xml
C:\Program Files\ParetoLogic\Privacy Controls\Update.dll
C:\Program Files\scanner.exe
C:\Program Files\scanner.exe\backups\backup-20080304-090323-533
C:\Program Files\scanner.exe\backups\backup-20080304-090324-116
C:\Program Files\scanner.exe\backups\backup-20080304-090324-151
C:\Program Files\scanner.exe\backups\backup-20080304-090324-162
C:\Program Files\scanner.exe\backups\backup-20080304-090324-337
C:\Program Files\scanner.exe\backups\backup-20080304-090324-942
C:\Program Files\scanner.exe\backups\backup-20080304-090324-974
C:\Program Files\scanner.exe\hijackthis.log
C:\Program Files\scanner.exe\scanner.exe
C:\WINDOWS\system32\bcctosgd.ini
C:\WINDOWS\system32\bhnsapss.xml
C:\WINDOWS\system32\ciiaogky.ini
C:\WINDOWS\system32\ednbtmqe.ini
C:\WINDOWS\system32\esehgodi.ini
C:\WINDOWS\system32\ixcqhver.xml
C:\WINDOWS\system32\lajhfuss.xml
C:\WINDOWS\system32\lhgofyro.ini
C:\WINDOWS\system32\ljjtjqry.ini
C:\WINDOWS\system32\nqbauxii.ini
C:\WINDOWS\system32\ojencskh.ini
C:\WINDOWS\system32\pkvhkrue.ini
C:\WINDOWS\system32\qkipdbfn.xml
C:\WINDOWS\system32\qmupmbji.ini
C:\WINDOWS\system32\rlmadxlr.xml
C:\WINDOWS\system32\talbxyhi.ini
C:\WINDOWS\system32\vtgfeqib.xml
C:\WINDOWS\system32\wctgrjus.ini
C:\WINDOWS\system32\wdrxagkv.xml
C:\WINDOWS\system32\yrexdtfa.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-09 11:07 . 2008-03-09 11:07 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 11:07 . 2008-03-09 11:07 <DIR> d C:\WINDOWS\LastGood
2008-03-09 11:07 . 2008-03-09 11:07 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-08 23:04 . 2008-03-08 23:04 606 --a C:\NCO_BHO.reg
2008-03-08 12:30 . 2008-03-08 12:30 <DIR> d C:\Documents and Settings\Owner\Application Data\Move Networks
2008-03-04 10:22 . 2008-03-04 10:22 <DIR> d C:\VundoFix Backups
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-03 18:58 . 2008-03-03 18:58 <DIR> d C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-03 18:32 . 2008-03-03 18:32 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-02 08:54 . 2008-03-02 08:54 <DIR> d--h C:\WINDOWS\system32\GroupPolicy
2008-03-02 04:42 . 2005-02-08 07:12 2,670,592 C:\WINDOWS\UNNeroVision.exe
2008-03-02 04:42 . 2005-03-02 05:31 183,036 C:\WINDOWS\UNNeroVision.cfg
2008-03-02 04:41 . 2004-07-09 09:43 364,544 C:\WINDOWS\system32\TwnLib4.dll
2008-03-02 04:41 . 2001-06-26 08:15 38,912 C:\WINDOWS\system32\picn20.dll
2008-03-02 04:40 . 2005-02-08 07:12 2,670,592 C:\WINDOWS\UNNMP.exe
2008-03-02 04:40 . 2005-03-02 05:31 47,678 C:\WINDOWS\UNNMP.cfg
2008-03-02 04:19 . 2008-03-05 08:12 116 --a C:\WINDOWS\NeroDigital.ini
2008-03-02 04:06 . 2008-03-08 23:14 54,156 --ah C:\WINDOWS\QTFont.qfn
2008-03-02 04:06 . 2008-03-02 04:06 1,409 --a C:\WINDOWS\QTFont.for
2008-03-02 04:05 . 2008-03-09 16:48 31,636 --a C:\WINDOWS\system32\BMXStateBkp-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-09 16:48 31,636 --a C:\WINDOWS\system32\BMXState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-09 16:48 30,648 --a C:\WINDOWS\system32\BMXCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-09 16:48 30,648 --a C:\WINDOWS\system32\BMXBkpCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-09 16:48 11,564 --a C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
2008-03-02 04:05 . 2008-03-09 16:48 1,080 --a C:\WINDOWS\system32\settingsbkup.sfm
2008-03-02 04:05 . 2008-03-09 16:48 1,080 --a C:\WINDOWS\system32\settings.sfm
2008-03-02 04:04 . 2008-03-09 16:48 4,958,588 --a C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.CDF
2008-03-02 04:04 . 2008-03-09 16:48 4,958,588 --a C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.BAK
2008-03-02 04:02 . 2006-08-11 15:55 10,240 --a C:\WINDOWS\CTDCRES.DLL
2008-03-02 03:45 . 2008-03-02 03:45 <DIR> d C:\Program Files\C-Media 6501 Sound
2008-03-02 03:45 . 2006-09-03 22:16 5,730,304 -ra C:\WINDOWS\system\c6501.cpl
2008-03-02 03:45 . 2006-09-05 04:04 1,419,968 -ra C:\WINDOWS\system32\drivers\c6501.sys
2008-03-02 03:45 . 2001-11-22 23:08 712,704 -ra C:\WINDOWS\system32\c6501a3d.dll
2008-03-02 03:45 . 2006-08-30 05:43 266,240 -r C:\WINDOWS\Cmi6501Uninstall.exe
2008-03-02 03:45 . 2006-08-30 00:38 253,952 -ra C:\WINDOWS\system32\c6501rm.exe
2008-03-02 03:45 . 2005-12-26 04:23 53,248 -ra C:\WINDOWS\system32\c6501rm.dll
2008-03-02 03:45 . 2006-06-27 01:54 32,768 -ra C:\WINDOWS\system32\c6501p.dll
2008-03-02 03:45 . 2006-09-05 23:28 4,712 -r
C:\WINDOWS\C6501.ini
2008-03-02 03:45 . 2008-03-09 05:04 429 --a
C:\WINDOWS\system\C6501.ini
2008-03-02 03:44 . 2008-03-02 03:44 12,675 --a
C:\WINDOWS\Ascd_tmp.ini
2008-03-02 03:31 . 2006-08-11 15:57 11,776 --a
C:\WINDOWS\INRES.DLL
2008-03-02 03:21 . 2008-03-02 04:04 <DIR> d
C:\Program Files\Creative
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d
C:\Program Files\Real
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d
C:\Program Files\Common Files\xing shared
2008-03-02 02:13 . 2008-03-02 02:13 <DIR> d
C:\Program Files\Common Files\Real
2008-03-02 02:07 . 2007-09-25 00:31 69,632 --a
C:\WINDOWS\system32\javacpl.cpl
2008-03-02 02:06 . 2008-03-02 02:06 <DIR> d
C:\Program Files\Common Files\Java
2008-03-02 02:05 . 2008-03-02 02:05 382,352 --a
C:\Program Files\jre-6u3-windows-i586-p-iftw.exe
2008-03-01 13:44 . 2008-03-02 10:51 <DIR> d
C:\Rip It 4 Me
2008-03-01 13:23 . 2008-03-01 13:23 <DIR> d
C:\Program Files\DVD Decrypter
2008-03-01 13:22 . 2008-03-01 13:23 899,414 --a
C:\SetupDVDDecrypter_3.5.4.0.exe
2008-03-01 12:29 . 2004-07-26 17:16 1,568,768
C:\WINDOWS\system32\ImagX7.dll
2008-03-01 12:29 . 2004-07-26 17:16 476,320
C:\WINDOWS\system32\ImagXpr7.dll
2008-03-01 12:29 . 2004-07-26 17:16 471,040
C:\WINDOWS\system32\ImagXRA7.dll
2008-03-01 12:29 . 2004-07-26 17:16 262,144
C:\WINDOWS\system32\ImagXR7.dll
2008-03-01 12:29 . 2001-07-09 11:50 155,648 --a
C:\WINDOWS\system32\NeroCheck.exe
2008-03-01 12:29 . 2000-06-26 11:45 106,496
C:\WINDOWS\system32\TwnLib20.dll
2008-03-01 09:08 . 2008-03-01 09:08 <DIR> d
C:\Program Files\Common Files\Apple
2008-03-01 09:08 . 2008-03-01 09:08 <DIR> d
C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 09:07 . 2008-03-01 09:07 <DIR> d
C:\Program Files\ImgBurn
2008-03-01 09:07 . 2008-03-01 09:07 <DIR> d
C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-03-01 09:06 . 2008-03-01 09:06 <DIR> d
C:\Program Files\ReaConverter 4.0 Pro
2008-03-01 09:06 . 2008-03-01 09:06 <DIR> d
C:\Documents and Settings\Owner\Application Data\RCP 4
2008-03-01 08:54 . 2008-03-08 11:07 <DIR> d-a
C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 08:48 . 2008-03-01 08:48 <DIR> d
C:\Program Files\DVD Shrink
2008-03-01 08:47 . 2008-03-01 08:47 <DIR> d
C:\Program Files\DVDFab Decrypter 3
2008-03-01 08:43 . 2008-03-01 08:42 691,545 --a
C:\WINDOWS\unins000.exe
2008-03-01 08:43 . 2008-03-01 08:43 2,550 --a
C:\WINDOWS\unins000.dat
2008-03-01 08:36 . 2008-03-02 11:28 <DIR> d
C:\Program Files\Satellite PC
2008-03-01 08:35 . 2008-03-01 08:35 <DIR> d
C:\Program Files\WinAVIVideoConverter
2008-03-01 08:34 . 2008-03-08 11:06 <DIR> d
C:\Program Files\SpywareBlaster
2008-03-01 08:34 . 2008-03-01 08:45 <DIR> d
C:\Program Files\Spybot - Search & Destroy
2008-03-01 08:33 . 2006-12-02 19:08 887,360 --a
C:\Program Files\Nero General-CleanTool_2_1_8_42.exe
2008-03-01 07:16 . 2008-03-01 07:41 <DIR> d
C:\kill disc
2008-02-27 17:21 . 2008-03-02 01:16 <DIR> d
C:\DVD Shrink
2008-02-22 06:43 . 2001-08-17 14:56 7,552 --a
C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-22 06:43 . 2001-08-17 14:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-21 22:07 . 2008-02-22 06:41 4,254 --ahs---- C:\WINDOWS\system32\phyehnfa.ini
2008-02-21 22:01 . 2008-02-21 22:01 3,774 --ahs---- C:\WINDOWS\system32\vyiepfce.ini
2008-02-21 05:07 . 2008-02-21 21:53 3,714 --ahs---- C:\WINDOWS\system32\txpvkugm.ini
2008-02-20 12:45 . 2008-02-20 12:55 <DIR> d C:\Program Files\Yahoo! Games
2008-02-20 05:06 . 2008-02-21 02:26 3,354 --ahs---- C:\WINDOWS\system32\nttbxpgo.ini
2008-02-19 04:49 . 2008-02-20 02:32 3,054 --ahs---- C:\WINDOWS\system32\mwjysoan.ini
2008-02-18 04:45 . 2008-02-19 04:37 2,634 --ahs---- C:\WINDOWS\system32\qdqnhvjy.ini
2008-02-16 23:22 . 2008-02-17 17:59 2,154 --ahs---- C:\WINDOWS\system32\ecdxsccp.ini
2008-02-16 04:24 . 2008-02-16 04:24 <DIR> d C:\Program Files\Windows Media Connect 2
2008-02-16 04:24 . 2004-08-04 07:00 221,184 --a C:\WINDOWS\system32\wmpns.dll
2008-02-16 04:22 . 2008-02-16 04:22 <DIR> d C:\WINDOWS\system32\LogFiles
2008-02-16 04:22 . 2008-02-16 04:23 <DIR> d C:\WINDOWS\system32\drivers\UMDF
2008-02-16 02:30 . 2008-02-16 02:31 25,755,448 --a C:\Program Files\installwmp11.exe
2008-02-16 02:28 . 2008-02-16 02:28 <DIR> d C:\Program Files\Netflix
2008-02-16 01:37 . 2008-02-20 06:25 <DIR> d C:\Program Files\QuickTime
2008-02-16 01:37 . 2008-02-16 01:37 <DIR> d C:\Program Files\iTunes
2008-02-16 01:37 . 2008-02-16 01:37 <DIR> d C:\Program Files\iPod
2008-02-16 01:37 . 2008-02-16 01:37 <DIR> d C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-02-16 01:37 . 2008-02-16 01:37 <DIR> d C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-16 01:28 . 2008-02-16 01:31 <DIR> d C:\Program Files\Quick Time
2008-02-16 01:25 . 2008-02-16 01:35 <DIR> d C:\Program Files\i Tunes
2008-02-15 23:17 . 2008-02-16 22:52 1,434 --ahs---- C:\WINDOWS\system32\gofmdfxg.ini
2008-02-15 16:56 . 2008-02-15 23:11 474 --ahs---- C:\WINDOWS\system32\texinfom.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 09:03 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-02 09:03 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-02 09:03 d w C:\Documents and Settings\Owner\Application Data\Creative
2008-03-02 08:33 d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 07:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-16 07:28 1,305,088 ----a-w C:\Program Files\NF_Movie_Player_211.msi
2008-02-10 15:09 d w C:\Program Files\Common Files\InstallShield
2008-02-09 23:33 d w C:\Program Files\Hewlett-Packard
2008-02-09 21:15 d w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 00:56 d w C:\Program Files\Yahoo!
2008-02-07 00:56 d w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-06 23:15 d w C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-02-06 22:29 d w C:\Documents and Settings\Owner\Application Data\Share-to-Web Upload Folder
2008-02-06 22:28 d w C:\Program Files\Common Files\Hewlett-Packard
2008-02-05 21:47 d w C:\Program Files\DIFX
2008-02-05 21:34 d w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot@2008-03-08_21.57.21.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2008-03-09 04:14:49 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_918.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 20:25 81920]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 17:35 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 02:13 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00 771440]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-08-18 03:52 113152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41 163840]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 13:32 19968 C:\WINDOWS\system32\Ctxfihlp.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05 116328]
"C6501Sound"="c6501.cpl" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2006-08-11 15:56]
R3 cm102u32;C-Media CM6501 Like Sound Interface;C:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 04:04]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 17:09]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 08:16:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-03-05 00:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-03-09 23:00:00 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2008-03-04 16:37:20 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
"2008-02-17 19:59:07 C:\WINDOWS\Tasks\UPS System Shutdown Program.job"
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 18:06:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-09 18:06:39
ComboFix-quarantined-files.txt 2008-03-09 23:06:37
ComboFix2.txt 2008-03-09 16:02:43
ComboFix3.txt 2008-03-09 15:57:36
ComboFix4.txt 2008-03-09 03:57:33
.
2008-02-16 16:41:24 --- E O F ---
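Two things in the log above are what a helper scans for first: the daily run of hidden+system files in system32 whose names are eight random lower-case letters (phyehnfa.ini, vyiepfce.ini, txpvkugm.ini and so on, one per day from 2008-02-15 onward), and the registry values under the Security Center and firewall policy keys that silence alerting and turn the Windows Firewall off. The following script is an added example, not part of this thread and not the helper's Look32.bat: it reads ComboFix-style lines and flags both patterns. The sample lines are copied from the log above with ComboFix's tab-separated columns collapsed to single spaces, as they appear on this page; the eight-letter file-name heuristic, the set of value names and the `Finding` type are this example's own assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the ComboFix log posted above, with the
# tab-separated columns collapsed to single spaces as they appear on this page.
SAMPLE_LOG = r"""
2008-02-22 06:43 . 2001-08-17 14:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-21 22:07 . 2008-02-22 06:41 4,254 --ahs---- C:\WINDOWS\system32\phyehnfa.ini
2008-02-21 22:01 . 2008-02-21 22:01 3,774 --ahs---- C:\WINDOWS\system32\vyiepfce.ini
2008-02-15 16:56 . 2008-02-15 23:11 474 --ahs---- C:\WINDOWS\system32\texinfom.ini
2008-03-02 04:42 . 2005-02-08 07:12 2,670,592 C:\WINDOWS\UNNeroVision.exe
2008-03-02 02:07 . 2007-09-25 00:31 69,632 --a C:\WINDOWS\system32\javacpl.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


class Finding(NamedTuple):
    kind: str
    detail: str


# "Files Created" entry: created . modified size [attrs] path.  The attribute
# field is optional because this page's copy of the log lost some of them.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+)"
    r"(?: (?P<attrs>[-d][-a-z]{0,8}))?"
    r" (?P<path>[A-Za-z]:\\.*)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
# Heuristic (assumption of this example): eight random lower-case letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:ini|xml|dll)$")

# Security Center values that, when set to 1, stop the user being warned.
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                 "updatesdisablenotify", "disablemonitoring"}


def parse_dword(value: str) -> Optional[int]:
    """Read the value side of a REGEDIT4-style line: 'dword:00000001' or '0 (0x0)'."""
    parts = value.split()
    if not parts:
        return None
    token = parts[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token) if token.isdigit() else None


def scan_combofix(text: str) -> List[Finding]:
    """Return findings for random-name files in system32 and alert-suppressing registry values."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            folder, _, name = m["path"].rpartition("\\")
            attrs = m["attrs"] or ""
            if folder.lower().endswith("\\windows\\system32") and RANDOM_NAME_RE.match(name):
                hidden_system = "h" in attrs and "s" in attrs
                kind = ("random-name hidden+system file in system32" if hidden_system
                        else "random-name file in system32")
                findings.append(Finding(kind, m["path"]))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()   # remember the key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m["name"].lower()
        value = parse_dword(m["value"])
        if "security center" in current_key and name in NOTIFY_VALUES and value == 1:
            findings.append(Finding("security center alerting disabled",
                                    f"{m['name']} under [{current_key}]"))
        elif "firewallpolicy" in current_key and name == "enablefirewall" and value == 0:
            findings.append(Finding("windows firewall disabled",
                                    f"{m['name']}=0 under [{current_key}]"))
    return findings


if __name__ == "__main__":
    for f in scan_combofix(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
```

On the sample above this reports the three `--ahs----` .ini files and leaves sonypvu1.sys (dllcache, not system32, and not a random name) and javacpl.cpl alone, then reports the two `*DisableNotify` values, the `DisableMonitoring` value and `EnableFirewall=0`. Treat the registry findings as prompts to verify rather than proof of tampering: a third-party suite such as Norton registers its own vendor subkeys under `Security Center\Monitoring`, so the value under `SymantecAntiVirus` can be legitimate, whereas the notify values at the Security Center root and a disabled firewall profile deserve a look in any case.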
When you get a chance, go to Control Panel - Scheduled Tasks and remove these orphaned tasks:
Pareto UNS
ParetoLogic Registration
Pareto_Update
Go to Start - Run, type notepad (and Enter). In the open text box copy/paste all the text in the box below:
Then go to File - Save as..., and save the file to your desktop as "Look32.bat"
(be sure to include the quotes "" in the name). Then click on look32.bat to run the file check. Once that completes a text box will open (this can also be found at c:\find.txt). The log will be too large to post here, so please zip a copy of it and upload it to your reply as an attachment (the "Manage Attachments" button below the "Reply to Thread" view).
We could just create a new bat file, but let's not leave a mess for you to clean up.
Sorry that I have not replied to your last post until now. Unfortunately, my computer crashed. I got the "NTLDR is missing" screen and have had to reformat my drives. I used Killdisc to wipe my drives and start over. Thank you so much for all of your help. I really appreciate your time and trouble. I am glad that I have found this forum. I will continue to use it in the future.
If it has been 7 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.
If you are not the user who started this thread, you must start your own Thread instead (grin)