HijackThis
I am having a problem: when I use a search engine, it always brings me to asiuoqgusdbaksd.com. I tried to clean up my computer with Trend Micro PC but it says it doesn't find any viruses. My Firefox quit working also. I emptied the temp internet files and stuff, but I'm not sure what else to do.
Comments
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there.)
If you can do those three things, everything should go smoothly.
Please note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.
Click here to download HJTinstall.exe
Installed Programs
Please could you give me a list of the programs that are installed.
You will see a list of the programs installed on your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:12:17, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {37F0C601-C555-491B-BDEE-EAAD0BB7A31A} - C:\WINDOWS\system32\ddcCVpml.dll (file missing)
O2 - BHO: 931928 helper - {5F6D7A37-A3D1-47F1-920D-3F48370D509B} - (no file)
O2 - BHO: (no name) - {5FC728BE-EBA3-4076-A401-2EEA7DB4B217} - C:\WINDOWS\system32\cbXNDTMc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [100d4d65] rundll32.exe "C:\WINDOWS\system32\uiadpxxh.dll",b
O4 - HKLM\..\RunOnce: [TSC] "C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe" /HD
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Matt')
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Matt')
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Matt')
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe (User 'Matt')
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe (User 'Matt')
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [+,-./0123456789:;<=>exe] !"#$%&'()*+,-./0123456789:;<=>exe (User 'Matt')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: ddcCVpml - ddcCVpml.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 7015 bytes
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
BCM V.92 56K Modem
Bonjour
Compatibility Pack for the 2007 Office system
ContextTool
Dell Photo AIO Printer 924
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Linksys Wireless-G USB Network Adapter
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Mozilla Firefox (3.0)
NVIDIA Windows 2000/XP Display Drivers
OpenOffice.org 2.0
PlayMP3z
QuickTime
RegCure 1.5.0.1
Rhapsody
Security Update for Excel 2007 (KB946974)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB947801)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Visio 2007 (KB947590)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Update for Office 2007 (KB932080)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WordPerfect Office 11
Yahoo! Toolbar
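Reading the HijackThis log above by hand is how the helper triages it; the added example below (my code, not HijackThis output or anything posted in the thread) encodes a few of those checks as rules and runs them over a constructed sample built from lines of that log. It flags components marked (file missing)/(no file), hex-looking Run value names, rundll32 loading a DLL with a one-letter entry point, Run commands that are not file paths, and one-character lookalikes of core system binaries (service.exe beside services.exe); the thresholds and the KNOWN_SYSTEM_EXES list are my assumptions, not anything HijackThis itself applies.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, mixed
# with the benign Adobe, iTunes and Bonjour entries so the rules can be seen
# separating the two. A raw string keeps the Windows backslashes literal.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37F0C601-C555-491B-BDEE-EAAD0BB7A31A} - C:\WINDOWS\system32\ddcCVpml.dll (file missing)
O2 - BHO: 931928 helper - {5F6D7A37-A3D1-47F1-920D-3F48370D509B} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [100d4d65] rundll32.exe "C:\WINDOWS\system32\uiadpxxh.dll",b
O4 - HKUS\S-1-5-21-1085031214-484763869-725345543-1004\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe (User 'Matt')
O20 - Winlogon Notify: ddcCVpml - ddcCVpml.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed list: core Windows XP binaries whose names malware likes to imitate.
KNOWN_SYSTEM_EXES = {"services.exe", "svchost.exe", "lsass.exe", "smss.exe",
                     "csrss.exe", "winlogon.exe", "spoolsv.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - rest of entry"
RUN_RE = re.compile(r"\[(.*?)\] (.*)$")                 # "[ValueName] command"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\S*)', re.IGNORECASE)
PATHLIKE_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%|rundll32)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character lookalikes such as service.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_executable(cmd: str) -> str:
    """Lower-cased basename of the first token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        token = cmd[1:].split('"', 1)[0]
    else:
        token = cmd.split(maxsplit=1)[0] if cmd else ""
    return token.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> list[str]:
    """Return the triage findings for one HijackThis entry (empty list = nothing notable)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    findings = []
    # A registered component whose file is gone is either a stale leftover or a
    # component that has already removed itself; the registration still needs cleaning.
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        findings.append("orphaned component")
    if section == "O4":
        run = RUN_RE.search(body)
        if run:
            # Strip HijackThis's trailing "(User 'name')" annotation on HKUS entries.
            name, cmd = run.group(1), run.group(2).split(" (User ")[0]
            if re.fullmatch(r"[0-9a-f]{8}", name):
                findings.append("random-looking value name")
            if not PATHLIKE_RE.match(cmd):
                findings.append("command is not a file path")
            dll = RUNDLL_RE.search(cmd)
            if dll and len(dll.group(2)) <= 2:           # assumed threshold
                findings.append("rundll32 with trivial entry point")
            exe = first_executable(cmd)
            for known in sorted(KNOWN_SYSTEM_EXES):
                if exe != known and edit_distance(exe, known) == 1:
                    findings.append(f"lookalike of {known}")
    return findings


def triage(log: str) -> dict[str, list[str]]:
    """Map each notable log line to its list of findings."""
    result = {}
    for line in log.splitlines():
        findings = triage_line(line)
        if findings:
            result[line] = findings
    return result


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(f"{'; '.join(why):45} {line}")
```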
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please download an updated copy from one of the links below
ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3
[*] You must download it to and run it from your Desktop
[*] Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
[*] Double click combofix.exe & follow the prompts.
[*] When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
[*] Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. To attempt fixing network connectivity problems, click Tools, and then click "Diagnose Connection Problems..."
Other options to try:
Click the Refresh button, or try again later.
If you typed the page address in the Address bar, make sure that it is spelled correctly.
To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options. On the Connections tab, click LAN Settings. Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.
Cannot find server or DNS Error
Internet Explorer
Restore Hosts File
Download HostsXpert v4.1 and unzip it to your desktop.
Visit the Website for more information.
Download ComboFix from Here (Link Removed)
Please download SDFix (link removed) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
SDFix: Version 1.204
Run by Matt on Fri 07/11/2008 at 14:18
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\****\Desktop\SDFix
Checking Services :
Name :
clbdriver
Path :
\??\globalroot\systemroot\system32\drivers\vmdesched.sys
clbdriver - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\User\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\User\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\User\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\smdat32a.sys - Deleted
C:\WINDOWS\system32\service.exe - Deleted
Folder C:\WINDOWS\system32\931928 - Removed
Removing Temp Files
ADS Check :
Final Check :
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\DOCUME~1\****\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 16 Aug 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Jul 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Wed 21 Jul 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 3 Mar 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Fri 11 Jul 2008 265,495 A..H. --- "C:\Documents and Settings\User\Desktop\ComboFix.exe"
Wed 31 Aug 2005 3,661,408 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075616.exe"
Wed 7 Sep 2005 3,679,896 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075617.exe"
Fri 16 Sep 2005 366,204 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075618.exe"
Wed 28 Sep 2005 487,384 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075619.exe"
Mon 10 Oct 2005 3,784,507 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075620.exe"
Wed 26 Oct 2005 3,841,248 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075621.exe"
Sat 5 Nov 2005 227,504 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075622.exe"
Sat 19 Nov 2005 261,085 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0075623.exe"
Mon 1 Oct 2007 90,112 A..H. --- "C:\System Volume Information\_restore{A7D09120-E8D8-460C-AC40-D5E66B1C701F}\RP248\A0088829.DLL"
Sat 4 Feb 2006 4,200,936 A..H. --- "C:\System Volume Information\_restore{A7D09120-E8D8-460C-AC40-D5E66B1C701F}\RP301\A0103458.exe"
Tue 4 Apr 2006 186,624 A..H. --- "C:\System Volume Information\_restore{A7D09120-E8D8-460C-AC40-D5E66B1C701F}\RP301\A0103460.exe"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del3.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del4.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del44B7.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del44B8.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del5.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del67BE.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del6D03.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del6D04.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del72DD.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del72DE.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del7EA2.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del8AEC.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del90E6.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942A.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942B.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942C.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942D.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942E.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del942F.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del98F0.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del98F1.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del98F2.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del98F3.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\Del9CF5.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA238.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA239.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA23A.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA23B.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA23C.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelA23D.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAA82.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAA83.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAA84.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAA85.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAAC6.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAAC7.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAAC8.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelAB49.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelBA97.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelBA98.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelBA99.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelC19A.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelC19B.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelCB1C.tmp"
Tue 6 Jul 2004 0 A..H. --- "C:\Documents and Settings\Darla Hayes\Local Settings\Temp\DelCB1D.tmp"
Tue 1 Jul 2008 1,713,921 ..SH. --- "C:\Documents and Settings\Matt\Local Settings\Temp\nnipdisj.tmp"
Tue 18 Oct 2005 9,352,392 A..H. --- "C:\Documents and Settings\Matt Hayes\Local Settings\Temp\BIT3A.tmp"
Wed 6 Apr 2005 218 A..H. --- "C:\Documents and Settings\Matt Hayes\Local Settings\Temp\e.dll"
Wed 6 Apr 2005 218 A..H. --- "C:\Documents and Settings\Matt Hayes\Local Settings\Temp\z41t.dll"
Tue 21 Dec 2004 552 A..H. --- "C:\Documents and Settings\Peter Hayes\Local Settings\Temp\bvd.dll"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT6.tmp"
Mon 1 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\14a2354517107bc1d6b9d1d0c325d0d8\BIT4.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT4.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT8.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT3.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5ceb6274f4d7fd206d6adab3df8e834\BIT5.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT7.tmp"
Mon 1 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c8e1092e4a07bde9d108020eaac84239\BIT3.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d7694bef8bd7032a201cda9934644640\BIT3.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT9.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3ae0283cc5a5b1aa1e0729354e5096d\BIT4.tmp"
Sun 13 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT5.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BITC.tmp"
Sat 16 Aug 2003 4,348 ...H. --- "C:\Documents and Settings\Matt Hayes\My Documents\My Music\License Backup\drmv1key.bak"
Thu 30 Dec 2004 20 A..H. --- "C:\Documents and Settings\Matt Hayes\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 21 Jul 2004 400 ...H. --- "C:\Documents and Settings\Matt Hayes\My Documents\My Music\License Backup\drmv2key.bak"
Thu 30 Dec 2004 1,536 A..H. --- "C:\Documents and Settings\Matt Hayes\My Documents\My Music\License Backup\drmv2lic.bak"
Sat 3 Mar 2007 4,348 ...H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1key.bak"
Sat 3 Mar 2007 20 A..H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 3 Mar 2007 400 ...H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv2key.bak"
Sat 3 Mar 2007 1,536 A..H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv2lic.bak"
Tue 8 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sat 3 Mar 2007 4,348 ...H. --- "C:\Documents and Settings\User\Application Data\Real\rhapsody\wmlicbackup\drmv1key.bak"
Sun 18 Mar 2007 20 A..H. --- "C:\Documents and Settings\User\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sat 3 Mar 2007 400 ...H. --- "C:\Documents and Settings\User\Application Data\Real\rhapsody\wmlicbackup\drmv2key.bak"
Sun 18 Mar 2007 1,536 A..H. --- "C:\Documents and Settings\User\Application Data\Real\rhapsody\wmlicbackup\drmv2lic.bak"
Sat 16 Aug 2003 4,348 A..H. --- "C:\Documents and Settings\User\My Documents\Matt's My Documents\My Music\License Backup\drmv1key.bak"
Thu 30 Dec 2004 20 A..H. --- "C:\Documents and Settings\User\My Documents\Matt's My Documents\My Music\License Backup\drmv1lic.bak"
Wed 21 Jul 2004 400 A..H. --- "C:\Documents and Settings\User\My Documents\Matt's My Documents\My Music\License Backup\drmv2key.bak"
Thu 30 Dec 2004 1,536 A..H. --- "C:\Documents and Settings\User\My Documents\Matt's My Documents\My Music\License Backup\drmv2lic.bak"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Finished!
And the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:10, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {5FC728BE-EBA3-4076-A401-2EEA7DB4B217} - C:\WINDOWS\system32\cbXNDTMc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [100d4d65] rundll32.exe "C:\WINDOWS\system32\uiadpxxh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 5867 bytes
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning, put a check next to the following lines IF still present. Close ALL open windows (especially Internet Explorer!)
Now click Fix checked
Click yes to any prompts
Close HijackThis
Let's see if you can access the main site for ComboFix now
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\bghg.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Amber Hayes\Local Settings\Temporary Internet Files\temp.dmf
C:\Documents and Settings\User\Start Menu\Programs\PlayMP3z
C:\Documents and Settings\User\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk
C:\Program Files\ContextTool
C:\Program Files\ContextTool\pcre3.dll
C:\Program Files\ContextTool\uninstall.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\enpq.exe
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\cMTDNXbc.ini
C:\WINDOWS\system32\cMTDNXbc.ini2
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\FgQAHkkj.ini
C:\WINDOWS\system32\FgQAHkkj.ini2
C:\WINDOWS\system32\hxxpdaiu.ini
C:\WINDOWS\system32\lqktwjlt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oxyuwjmu.ini
C:\WINDOWS\system32\pavmosne.ini
C:\WINDOWS\system32\pfntpkul.ini
C:\WINDOWS\system32\uiadpxxh.dll
C:\WINDOWS\system32\yeocstgu.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.
2008-07-11 14:12 . 2008-07-11 14:12 <DIR> d C:\WINDOWS\ERUNT
2008-07-11 13:59 . 2008-07-09 11:52 <DIR> d C:\SDFix
2008-07-10 00:41 . 2008-07-10 00:41 <DIR> d--h C:\WINDOWS\PIF
2008-07-09 12:48 . 2008-07-09 14:46 <DIR> d C:\Documents and Settings\****\Application Data\OpenOffice.org2
2008-07-07 13:05 . 2008-07-08 13:08 <DIR> d C:\Program Files\Windows Live Safety Center
2008-07-07 12:44 . 2008-07-07 12:44 2,946 --a C:\WINDOWS\system32\tmp.reg
2008-07-07 12:42 . 2007-09-06 00:22 289,144 --a C:\WINDOWS\system32\VCCLSID.exe
2008-07-07 12:42 . 2006-04-27 17:49 288,417 --a C:\WINDOWS\system32\SrchSTS.exe
2008-07-07 12:42 . 2008-05-29 09:35 86,528 --a C:\WINDOWS\system32\VACFix.exe
2008-07-07 12:42 . 2008-05-18 21:40 82,944 --a C:\WINDOWS\system32\IEDFix.exe
2008-07-07 12:42 . 2008-07-02 13:33 82,432 --a C:\WINDOWS\system32\IEDFix.C.exe
2008-07-07 12:42 . 2008-05-23 18:21 81,920 --a C:\WINDOWS\system32\404Fix.exe
2008-07-07 12:42 . 2003-06-05 21:13 53,248 --a C:\WINDOWS\system32\Process.exe
2008-07-07 12:42 . 2004-07-31 18:50 51,200 --a C:\WINDOWS\system32\dumphive.exe
2008-07-07 12:42 . 2007-10-04 00:36 25,600 --a C:\WINDOWS\system32\WS2Fix.exe
2008-07-07 11:29 . 2008-07-07 11:29 <DIR> d---s---- C:\Documents and Settings\****\UserData
2008-07-07 06:26 . 2008-07-07 06:27 <DIR> d C:\WINDOWS\system32\NtmsData
2008-07-07 04:32 . 2008-07-07 04:32 230 --a C:\WINDOWS\system32\spupdsvc.inf
2008-07-04 16:12 . 2008-07-04 16:12 <DIR> d C:\Program Files\RegCure
2008-07-04 16:06 . 2008-07-04 16:07 <DIR> d C:\Documents and Settings\****\Application Data\MSN6
2008-07-04 13:31 . 2008-07-04 13:31 <DIR> d C:\Documents and Settings\****\Application Data\Yahoo!
2008-07-04 13:24 . 2008-07-07 11:29 <DIR> d C:\Documents and Settings\****
2008-07-04 12:49 . 2008-07-04 12:49 <DIR> d C:\Documents and Settings\Administrator
2008-07-03 13:08 . 2008-07-03 13:08 <DIR> d C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-01 13:45 . 2008-07-02 04:01 1,282 --ahs---- C:\WINDOWS\system32\frojidme.ini
2008-07-01 04:01 . 2001-08-23 10:00 4,224 --a C:\WINDOWS\system32\beep.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 17:51 d w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-07-07 13:38 d w C:\Program Files\Trend Micro
2008-07-03 19:41 d w C:\Program Files\DivX
2008-07-03 19:36 d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 18:14 d w C:\Documents and Settings\Matt\Application Data\OpenOffice.org2
2008-06-13 13:10 272,128 w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 08:01 d w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-14 19:28 d w C:\Documents and Settings\Matt\Application Data\Leadertech
2008-05-14 19:28 d w C:\Documents and Settings\Matt\Application Data\AdobeUM
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-03-14 14:59 4493312]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 15:26 3429904]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-03 20:30 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54Gv4.exe []
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-07-12 06:00:00 C:\WINDOWS\Tasks\AA0CD060918B4A4C.job"
- c:\docume~1\user\applic~1\eggsme~1\Peakeachchic.exe
"2008-06-28 23:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-12 06:02:16 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-10 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 01:03:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-12 1:08:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 06:08:06
Pre-Run: 53,975,293,952 bytes free
Post-Run: 56,123,117,568 bytes free
150 --- E O F --- 2008-07-11 08:02:06
How are things running now ?
Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Please post the Kaspersky log in your reply
Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead