Trojans & Backdoor....help plz
Hello,
I was trying to install something I got from the internet, and it turns out it was full of trojans & viruses etc. I ran Spybot and it found like 7 entries of a trojan called Virtumond which it said it deleted... but every time I scan it shows up again. Also I scanned my computer using BitDefender 2009 and it shows that I have a backdoor installed, which it cannot disinfect. It also showed other trojans which it was able to delete. Also whenever I am on Firefox, I get pop-ups to video sites, sites that tell me I should install a specific antivirus/computer cleaner, which I obviously don't... and sometimes inappropriate stuff pops up as well.
Here are the log files from HijackThis and BitDefender:
BitDefender Log File
Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 21:44:42 27/09/2008
Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1222566282_1_02.xml
Scan Paths:
Path 0000: C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
Path 0001: C:\WINDOWS\System32\svchost.exe
Path 0002: C:\Program Files\uTorrent\uTorrent.exe
Path 0003: C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
Path 0004: C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
Path 0005: C:\Program Files\iPod\bin\iPodService.exe
Path 0006: C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
Path 0007: C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
Path 0008: C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
Path 0009: C:\Program Files\IPMsg\ipmsg.exe
Path 0010: C:\WINDOWS\system32\ctfmon.exe
Path 0011: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Path 0012: C:\Windows\msnsrv.exe
Path 0013: C:\Program Files\DAEMON Tools Lite\daemon.exe
Path 0014: C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
Path 0015: C:\Windows\msnsrv.exe
Path 0016: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
Path 0017: C:\Program Files\Unlocker\UnlockerAssistant.exe
Path 0018: C:\Program Files\iTunes\iTunesHelper.exe
Path 0019: C:\WINDOWS\SOUNDMAN.EXE
Path 0020: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
Path 0021: C:\Program Files\VMware\VMware Workstation\hqtray.exe
Path 0022: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
Path 0023: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
Path 0024: C:\WINDOWS\System32\alg.exe
Path 0025: C:\WINDOWS\system32\wscntfy.exe
Path 0026: C:\WINDOWS\System32\svchost.exe
Path 0027: C:\WINDOWS\system32\vmnetdhcp.exe
Path 0028: C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
Path 0029: C:\WINDOWS\system32\vmnat.exe
Path 0030: C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
Path 0031: C:\Program Files\Tenable\Nessus\nessusd.exe
Path 0032: C:\WINDOWS\system32\svchost.exe
Path 0033: C:\WINDOWS\system32\PSIService.exe
Path 0034: C:\WINDOWS\system32\PnkBstrA.exe
Path 0035: C:\WINDOWS\system32\nvsvc32.exe
Path 0036: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
Path 0037: C:\WINDOWS\system32\inetsrv\inetinfo.exe
Path 0038: C:\Program Files\Bonjour\mDNSResponder.exe
Path 0039: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Path 0040: C:\WINDOWS\Explorer.EXE
Path 0041: C:\WINDOWS\system32\spoolsv.exe
Path 0042: C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
Path 0043: C:\WINDOWS\system32\svchost.exe
Path 0044: C:\WINDOWS\system32\svchost.exe
Path 0045: C:\WINDOWS\system32\svchost.exe
Path 0046: C:\WINDOWS\System32\svchost.exe
Path 0047: C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
Path 0048: C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
Path 0049: C:\WINDOWS\system32\svchost.exe
Path 0050: C:\WINDOWS\system32\svchost.exe
Path 0051: C:\WINDOWS\system32\lsass.exe
Path 0052: C:\WINDOWS\system32\services.exe
Path 0053: C:\WINDOWS\system32\winlogon.exe
Path 0054: C:\WINDOWS\system32\csrss.exe
Path 0055: \SystemRoot\System32\smss.exe
Path 0056: C:\
Path 0057: D:\
Path 0058: F:\
Path 0059: H:\
Path 0060: J:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : None
Scan engines summary
Number of virus signatures : 1819035
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
System plugins : 5
Unpack plugins : 7
Overall scan summary
Scanned items : 3127124
Infected items : 10
Suspicious items : 0
Resolved items : 2
Unresolved items : 1062
Password-protected items : 1054
Individual viruses found : 10
Scanned directories : 20797
Scanned boot sectors : 10
Scanned archives : 141942
Input-output errors : 34
Scan time : 06:36:52
Files per second : 131
Scanned processes summary
Scanned : 56
Infected : 0
Scanned registry keys summary
Scanned : 423
Infected : 0
Scanned cookies summary
Scanned : 423
Infected : 0
Remaining issues:
Object Name    Threat Name    Final Status
H:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059302.exe Application.Keygen.BD Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059322.exe Application.MessenPass.N Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059325.exe Application.NetPass.F Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059331.exe Application.Tool.1379 Disinfect Failed
C:\Program Files\Cain\Abel.exe Application.Tool.623 Disinfect Failed
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\Ad-Aware QF 20080127 172344.aawqff=](Embedded EXE g) Backdoor.Generic.47127 Disinfect Failed
D:\Seneca Stuff\Operating Systems\SUSE\non-oss-dvd-iso\SUSE-Linux-10.1-GM-DVD-i386.iso=]suse/i586/amavisd-new-2.3.3-17.i586.rpm=]amavisd-new-2.3.3-17.gz=](bz2_data)=]./usr/share/doc/packages/amavisd-new/test-messages/sample-virus-executable.txt=][Subject: Sample virus with an executable][Date: Wed, 14 Apr 2004 20:36:33 +0200]=](MIME part)=](message body) EICAR-Test-File (not a virus) Infected (no action was possible, file was in an archive)
D:\Seneca Stuff\Operating Systems\SUSE\non-oss-dvd-iso\SUSE-Linux-10.1-GM-DVD-i386.iso=]suse/i586/amavisd-new-2.3.3-17.i586.rpm=]amavisd-new-2.3.3-17.gz=](bz2_data)=]./usr/share/doc/packages/amavisd-new/test-messages/sample-42-mail-bomb.txt=][Subject: amavisd test - 42.zip mail bomb]=](MIME part)=]42.zip Trojan.Arcbomb.ZIP Infected (no action was possible, file was in an archive)
Resolved issues:
Object Name    Threat Name    Final Status
C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz=](gzip)=]./smtp_AV_42zip_DoS.nasl=](base64) Trojan.Arcbomb.ZIP Deleted
J:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059236.EXE Trojan.Tool.Wpakill.C Deleted
HijackThis Log File
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:25 PM, on 9/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\msnsrv.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\msnsrv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\program files\mozilla firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1EB79D9C-657B-4ACC-A64C-B6DBD28105CF} - C:\WINDOWS\system32\khfCtsSI.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {68A91F35-47DB-44D7-9D28-E67984E6DD79} - C:\WINDOWS\system32\vtUmLbXR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {49b50431-56aa-b978-e4c4-32f5ebc1816a} - {a6181cbe-5f23-4c4e-879b-aa6513405b94} - C:\WINDOWS\system32\slxgew.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSN] C:\Windows\msnsrv.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-18 Startup: Anapod Manager.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Anapod Manager.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - Startup: Anapod Manager.lnk.disabled
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Service Manager.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190000497750
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: slxgew.dll
O20 - Winlogon Notify: vtUmLbXR - C:\WINDOWS\SYSTEM32\vtUmLbXR.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 14170 bytes
Thanks for your help!
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSN] C:\Windows\msnsrv.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-18 Startup: Anapod Manager.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Anapod Manager.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - Startup: Anapod Manager.lnk.disabled
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Service Manager.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190000497750
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: slxgew.dll
O20 - Winlogon Notify: vtUmLbXR - C:\WINDOWS\SYSTEM32\vtUmLbXR.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 14170 bytes
Thanks for your help!
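As an added example (not part of the original post, and not HijackThis's own code), a small Python triage script that reads a few constructed lines in the HijackThis format shown above and flags the loading points a helper reads first: unnamed or GUID-named BHOs, Run entries that launch a program sitting directly in the Windows directory, and O20 AppInit_DLLs/Winlogon Notify entries. It also reports modules registered at several loading points and entries that still reference files a cleaner has deleted; the sample lines, the rules and the removed-file list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in HijackThis log format. The entries mirror the mix of
# benign and suspicious lines in the log posted above; it is not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1EB79D9C-657B-4ACC-A64C-B6DBD28105CF} - C:\WINDOWS\system32\khfCtsSI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {68A91F35-47DB-44D7-9D28-E67984E6DD79} - C:\WINDOWS\system32\vtUmLbXR.dll
O2 - BHO: {49b50431-56aa-b978-e4c4-32f5ebc1816a} - {a6181cbe-5f23-4c4e-879b-aa6513405b94} - C:\WINDOWS\system32\slxgew.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [MSN] C:\Windows\msnsrv.exe
O20 - AppInit_DLLs: slxgew.dll
O20 - Winlogon Notify: vtUmLbXR - C:\WINDOWS\SYSTEM32\vtUmLbXR.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
EXE_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.exe", re.I)
MODULE_RE = re.compile(r"[^\\\s\"]+\.(?:dll|exe)", re.I)

O20_REASON = {
    "AppInit_DLLs": "AppInit_DLLs entry: the DLL is loaded into every process that loads user32.dll",
    "Winlogon Notify": "Winlogon Notify entry: the DLL is loaded into winlogon.exe at logon",
}


@dataclass
class Finding:
    section: str   # HijackThis section code (O2, O4, O20)
    severity: str  # "high" = examine first, "review" = confirm by hand
    reason: str
    module: str    # lower-cased file name the entry loads ("" if none)
    line: str


def _module(text: str) -> str:
    """Lower-cased name of the last .dll/.exe mentioned in text ('' if none)."""
    found = MODULE_RE.findall(text)
    return found[-1].lower() if found else ""


def _dirs(path: str) -> List[str]:
    """Lower-cased directory components of a full path (drive and file name dropped)."""
    return path.lower().split("\\")[1:-1]


def triage(log: str) -> List[Finding]:
    """Flag the loading points a helper reads first in a HijackThis log."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m["path"].replace(" (file missing)", "")
            if path != m["path"]:
                findings.append(Finding("O2", "review",
                    "BHO registration whose DLL no longer exists (stale entry)", _module(path), line))
            elif m["name"] == "(no name)" or GUID_RE.match(m["name"]):
                findings.append(Finding("O2", "high", "unnamed or GUID-named BHO", _module(path), line))
            elif _dirs(path) == ["windows", "system32"]:
                findings.append(Finding("O2", "review",
                    "third-party BHO loaded from system32", _module(path), line))
        elif m := O4_RE.match(line):
            exe = EXE_RE.search(m["cmd"])
            # A Run entry starting a program placed directly in C:\Windows, rather
            # than in a product folder or system32, deserves a look.
            if exe and _dirs(exe.group(0)) == ["windows"]:
                findings.append(Finding("O4", "high",
                    "Run entry launches an executable placed directly in the Windows directory",
                    _module(exe.group(0)), line))
        elif m := O20_RE.match(line):
            findings.append(Finding("O20", "high", O20_REASON[m["kind"]], _module(m["rest"]), line))
    return findings


def shared_modules(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Modules registered at more than one loading point, e.g. the same DLL as
    both a BHO and an AppInit_DLLs or Winlogon Notify entry."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        if f.module:
            seen.setdefault(f.module, set()).add(f.section)
    return {mod: secs for mod, secs in seen.items() if len(secs) > 1}


def stale_after_removal(findings: List[Finding], removed: Set[str]) -> List[Finding]:
    """Loading points that still name a file a cleaner has already deleted.
    This is the situation reported later in the thread: slxgew.dll was removed
    but AppInit_DLLs still named it, and every new process raised a 'Bad Image'
    dialog for it until the value itself was cleared."""
    wanted = {name.lower() for name in removed}
    return [f for f in findings if f.module in wanted]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print("registered at several loading points:", shared_modules(results))
    # Constructed from the 'Delete on reboot' files in the MBAM log in the thread.
    for f in stale_after_removal(results, {"slxgew.dll", "vtUmLbXR.dll", "msnsrv.exe"}):
        print("still referenced after removal:", f.section, f.module)
```

Rules like these only raise items for review: SOUNDMAN.EXE in the log above also sits directly in C:\WINDOWS and would trip the O4 rule, which is why each hit still needs a human look.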
Comments
Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
==============================================
Ok. Let's have you download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:
MBAM log
C:\ComboFix.txt
New HijackThis log
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Thanks for helping me out.
I did all the things you mentioned. I want to note a few things:
*I have Windows XP SP3...but I was still able to install the Recovery Console by following the steps in the tutorial
*While Malwarebytes was scanning, BitDefender stopped a lot of trojans from affecting my computer:
While scanning with Malwarebytes:
Virus Name: Trojan.Generic
Location: C:\WINDOWS\system32\rmrucswj.dll
Deleted because could not be disinfected
Name: Trojan.Clicker.MRG
C:\WINDOWS\system32\ogbprefi.dll
Quarantined
Trojan.Clicker.MRG
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\4HHZYTSK\kb678031[2]
Deleted
Trojan.Generic.747510
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\4HHZYTSK\upd105320[1]
Object moved to quarantine
*After Malwarebytes restarted my computer, I received like 20 error popups saying the same thing, but the title of the error window was different. They all said: "The application or DLL C:\WINDOWS\system32\Slxgew.dll is not a valid Windows image. Please check this against your installation diskette." Some of the titles were: "Explorer.exe - Bad Image", "RunDLL32.EXE - Bad Image", "nwiz.exe - Bad Image", "ntune.exe - Bad Image", "GrooveMonitor.exe - Bad Image", etc.
*I think the popups in Firefox have stopped, and overall my computer seems to be healthier (no choppiness like before.)
Anyways here are the new logs:
MALWAREBYTES:
Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3
9/30/2008 6:35:27 PM
mbam-log-2008-09-30 (18-35-27).txt
Scan type: Quick Scan
Objects scanned: 58717
Time elapsed: 9 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\slxgew.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vtUmLbXR.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68a91f35-47db-44d7-9d28-e67984e6dd79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtumlbxr (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{68a91f35-47db-44d7-9d28-e67984e6dd79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6181cbe-5f23-4c4e-879b-aa6513405b94} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6181cbe-5f23-4c4e-879b-aa6513405b94} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{68a91f35-47db-44d7-9d28-e67984e6dd79} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\vtUmLbXR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\slxgew.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rmrucswj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jwscurmr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ghdflp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltxwtaxj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ogbprefi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yxqiinft.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\29AH8FDD\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\29AH8FDD\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\4HHZYTSK\kb678031[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jasdeep Singh\Local Settings\Temporary Internet Files\Content.IE5\4HHZYTSK\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\msnsrv.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\BM3f6cd41c.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM3f6cd41c.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
COMBOFIX:
ComboFix 08-09-30.02 - JasdeepSingh 2008-09-30 19:09:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.466 [GMT -4:00]
Running from: C:\Documents and Settings\Jasdeep Singh\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\install.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\egpasoqf.ini
C:\WINDOWS\twain_16.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-30 18:17 . 2008-09-30 18:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 18:17 . 2008-09-30 18:17 <DIR> d-------- C:\Documents and Settings\Jasdeep Singh\Application Data\Malwarebytes
2008-09-30 18:17 . 2008-09-30 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-30 18:17 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-30 18:17 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-27 21:58 . 2008-09-27 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-27 13:04 . 2008-09-27 13:04 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-09-27 13:04 . 2008-09-27 13:04 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-09-26 23:25 . 2008-09-26 23:25 <DIR> d-------- C:\WINDOWS\system32\logs
2008-09-26 23:24 . 2008-09-26 23:24 <DIR> d-------- C:\Documents and Settings\Jasdeep Singh\Application Data\BitDefender
2008-09-26 23:23 . 2008-09-26 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-09-26 23:02 . 2008-09-27 12:59 319 --a------ C:\WINDOWS\wininit.ini
2008-09-26 22:38 . 2008-09-26 23:31 1,729 --ahs---- C:\WINDOWS\system32\ISstCfhk.ini2
2008-09-26 22:38 . 2008-09-26 23:31 1,729 --ahs---- C:\WINDOWS\system32\ISstCfhk.ini
2008-09-26 22:31 . 2008-09-26 22:31 20,904,672 --a------ C:\WINDOWS\SETUPE.EXE
2008-09-25 21:52 . 2008-09-25 22:49 <DIR> d-------- C:\Documents and Settings\Jasdeep Singh\Application Data\vlc
2008-09-24 03:38 . 2008-09-24 03:38 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-09-23 16:23 . 2008-09-23 16:23 <DIR> d-------- C:\Program Files\Unlocker
2008-09-21 15:42 . 2008-09-21 15:42 <DIR> d-------- C:\Program Files\Stardock
2008-09-21 15:42 . 2008-09-21 15:42 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-09-17 18:16 . 2008-09-17 18:16 <DIR> d-------- C:\Course Technology
2008-09-17 18:15 . 2008-09-17 19:37 <DIR> d-------- C:\3528-5
2008-09-16 10:37 . 2008-05-09 06:53 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-09-16 10:37 . 2008-05-09 06:53 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-09-16 10:37 . 2008-05-09 06:53 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-09-16 10:37 . 2008-05-09 06:53 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-09-16 10:37 . 2008-05-08 07:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe
2008-09-16 10:37 . 2008-05-09 04:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe
2008-09-16 10:37 . 2008-05-09 06:53 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll
2008-09-16 01:09 . 2008-09-16 01:09 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-09-16 01:09 . 2008-09-16 01:09 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-09-16 01:09 . 2008-09-16 01:09 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-09-16 01:09 . 2008-09-16 01:09 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-09-16 01:09 . 2008-09-16 01:09 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-09-16 00:52 . 2004-08-03 19:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-16 00:45 . 2008-09-16 00:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-16 00:45 . 2008-09-16 00:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-16 00:45 . 2008-09-16 00:45 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-16 00:43 . 2008-09-16 00:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-15 13:25 . 2008-09-24 17:01 <DIR> d-------- C:\Documents and Settings\Jasdeep Singh\dwhelper
2008-09-13 18:47 . 2008-04-13 20:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-09-13 18:46 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-09-13 18:45 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-09-13 17:08 . 2008-09-13 17:08 <DIR> d-------- C:\Program Files\iPod
2008-09-13 17:07 . 2008-09-13 17:08 <DIR> d-------- C:\Program Files\iTunes
2008-09-13 17:07 . 2008-09-13 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 17:05 . 2008-09-13 17:05 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-13 16:56 . 2008-09-13 16:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-13 16:56 . 2008-09-13 16:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-13 12:07 . 2008-09-13 12:08 <DIR> d-------- C:\Program Files\IPMsg
2008-09-11 19:57 . 2008-07-07 16:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-09-11 19:57 . 2008-06-24 12:43 74,240 -----c--- C:\WINDOWS\system32\dllcache\mscms.dll
2008-09-11 19:56 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-11 19:29 . 2008-09-11 19:29 <DIR> d-------- C:\Program Files\MWSnap
2008-09-10 23:11 . 2008-09-10 23:11 <DIR> d-------- C:\NVIDIA
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys
2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\system32\drivers\bdfm.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 23:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-30 23:21 --------- d-----w C:\Documents and Settings\Jasdeep Singh\Application Data\VMware
2008-09-30 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-09-30 23:20 --------- d-----w C:\Documents and Settings\Jasdeep Singh\Application Data\OpenOffice.org2
2008-09-30 22:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-28 16:16 --------- d-----w C:\Program Files\Lavasoft
2008-09-28 16:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 16:15 --------- d-----w C:\Documents and Settings\Jasdeep Singh\Application Data\uTorrent
2008-09-28 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-28 02:33 --------- d-----w C:\Documents and Settings\Jasdeep Singh\Application Data\mIRC
2008-09-28 02:30 --------- d-----w C:\Program Files\mIRC
2008-09-27 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-27 03:32 39,644 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-27 03:32 366,880 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-27 03:32 243,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-27 03:32 17,346,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-27 03:24 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-09-27 03:24 --------- d-----w C:\Program Files\BitDefender
2008-09-27 02:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-25 22:26 --------- d-----w C:\Program Files\Java
2008-09-24 07:38 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-09-21 22:59 --------- d-----w C:\Program Files\ScreenshotCaptor
2008-09-15 01:47 --------- d-----w C:\Program Files\gmms
2008-09-15 01:45 --------- d-----w C:\Program Files\Azureus
2008-09-14 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-13 21:07 --------- d-----w C:\Program Files\QuickTime
2008-09-13 21:07 --------- d-----w C:\Program Files\Bonjour
2008-09-13 20:25 --------- d-----w C:\Documents and Settings\Jasdeep Singh\Application Data\dvdcss
2008-09-13 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 22:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:01 827,904 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-12 22:58 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-20 18:12 22,328 ----a-w C:\Documents and Settings\Jasdeep Singh\Application Data\PnkBstrK.sys
2001-11-23 17:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-11-26 20:40 8 --sha-r C:\WINDOWS\system32\46A30C1E32.sys
2007-11-26 20:57 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 532480]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-22 7286784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-22 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-09-04 716800]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]
"nwiz"="nwiz.exe" [2005-11-22 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
C:\Documents and Settings\Jasdeep Singh\Start Menu\Programs\Startup\
Anapod Manager.lnk.disabled [2007-10-15 1824]
IPMSG for Win32.lnk - C:\Program Files\IPMsg\ipmsg.exe [2008-09-13 159744]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-09-21 3450608]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk.disabled [2007-12-10 920]
Service Manager.lnk.disabled [2008-06-29 1925]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=slxgew.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"C-Media Mixer"=Mixer.exe /startup
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"egui"="C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"<NO NAME>"=
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Strong DC++\\StrongDC.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\sdc22\\StrongDC.exe"=
"C:\\Program Files\\IPMsg\\ipmsg.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1444:TCP"= 1444:TCP:tcp/1444
"1444:UDP"= 1444:UDP:udp/1444
R0 AladdinUsbFilter;AladdinUsbFilterService;C:\WINDOWS\system32\DRIVERS\AladdinUsbFilter.sys [2008-06-07 484352]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-06-29 33824]
R2 BDVEDISK;BDVEDISK;C:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]
R2 Tenable Nessus;Tenable Nessus;C:\Program Files\Tenable\Nessus\nessusd.exe [2007-07-27 13312]
R2 wntpport;wntpport;C:\WINDOWS\system32\drivers\wntpport.sys [2001-01-19 28416]
R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 108864]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-14 102208]
R3 SydexFDD;Sydex Diskette Driver;C:\WINDOWS\system32\Drivers\sydexfdd.sys [2003-08-01 13359]
S0 ddkwtet;ddkwtet;C:\WINDOWS\system32\drivers\unhcho.sys [ ]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 MsDtsServer;SQL Server Integration Services;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2007-03-03 206192]
S3 msftesql$SINGH;SQL Server FullText Search (SINGH);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2006-02-14 92880]
S3 MSOLAP$SINGH;SQL Server Analysis Services (SINGH);C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2007-02-14 14625648]
S3 MSSQL$SINGH;SQL Server (SINGH);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-14 28935592]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 42512]
S3 ReportServer$SINGH;SQL Server Reporting Services (SINGH);C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-03 17264]
S3 SQLAgent$SINGH;SQL Server Agent (SINGH);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2006-04-14 319776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0709cb41-a5d7-11dc-bbb4-0013d48a6662}]
\Shell\AutoRun\command - J:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79afa7a7-6473-11dc-a1f7-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{1EB79D9C-657B-4ACC-A64C-B6DBD28105CF} - C:\WINDOWS\system32\khfCtsSI.dll
.
Supplementary Scan
.
FireFox -: Profile - C:\Documents and Settings\Jasdeep Singh\Application Data\Mozilla\Firefox\Profiles\mwuudngh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - C:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 19:20:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SINGH]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SINGH"
.
DLLs Loaded Under Running Processes
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
Other Running Processes
.
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-30 19:36:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 23:35:34
Pre-Run: 10,450,063,360 bytes free
Post-Run: 10,308,653,056 bytes free
298 --- E O F --- 2008-09-17 04:36:18
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:51 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Anapod Manager.lnk.disabled
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Service Manager.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190000497750
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: slxgew.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 12508 bytes
Thanks again for your help.
Virus Name: Trojan.Generic.745240
Location: C:\WINDOWS\system32\vtUmLbXR.dll
Object moved to quarantine
I haven't seen this trojan since, but a new trojan was blocked by BitDefender recently:
Name: Trojan.Generic.747510
Location: Somewhere in C:\System Volume Information, I think.
I think it was deleted because I don't see it in the quarantine list of BitDefender.
Once you get into Safe Mode, run HijackThis and place a checkmark by the following entry:
O20 - AppInit_DLLs: slxgew.dll
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis.
Next, navigate to and delete the following file if it still exists. Do not be concerned if you can't find it anymore:
C:\WINDOWS\system32\Slxgew.dll <--- file
Finally restart your computer. You should get back to normal mode. Post a new HijackThis log, as well as let me know how everything is running now.
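The O20 entry the helper singles out above is the AppInit_DLLs load point. As an added example (not part of this thread and not HijackThis's own code), the Python script below parses HijackThis-style log lines and flags the load points a helper checks first; the sample lines are constructed in the shape of the logs posted in this thread, and the flagging rules are this example's own heuristics.

```python
"""Triage a HijackThis v2-style log and flag the load points a helper checks first.

Added example for this thread; it is not HijackThis code and its flagging
rules are this example's own heuristics, not the tool's.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted above (not a real capture).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: slxgew.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\\Program Files\\Tenable\\Nessus\\nessusd.exe
"""

# Every HijackThis finding line starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "info"
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, line) for each recognised finding line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Flag entries worth a second look. Rules are heuristics, not signatures."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any value here is a system-wide load point; a bare filename
            # (no directory) is resolved through the DLL search path.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(section, "high",
                    "AppInit_DLLs loads %r into every user32-linked process" % value, line))
        elif section == "O2" and body.endswith("(no file)"):
            # A BHO CLSID whose DLL is gone: leftover registration after a
            # removal, or a file the scanner cannot see. Either way, clean it.
            findings.append(Finding(section, "high",
                "BHO registered but its DLL is missing (orphaned CLSID)", line))
        elif section == "O23" and " - Unknown owner - " in body:
            # No publisher string is common for legitimate software too, so this
            # is only a prompt to verify the binary, not a verdict.
            findings.append(Finding(section, "info",
                "service binary has no publisher information; verify the file", line))
    return findings


def summarize(findings):
    """Map severity -> count, for a quick glance at a long log."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s\n    -> %s" % (f.severity.upper(), f.section, f.line, f.reason))
```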
My computer is much better. But before deleting that entry, my computer just shut itself off while I was watching a video on VLC media player for some reason. Also my CPU fan is louder than usual. Maybe it's just getting old.
Other than that, everything is fine. Thanks for the help, m8!
Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:07 PM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Anapod Manager.lnk.disabled
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Service Manager.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190000497750
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 12314 bytes
Here are the ActiveScan results:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-10-02 07:25:30
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 10
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Bit-Defender Internet Security 2008 12.0.10.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00371793 HackTool/NetPass.B HackTools No 1 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059325.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059310.exe
01182314 Hacktool/CookiesView HackTools No 0 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059324.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP344\A0059572.EXE
02176689 HackTool/MailPassView.F HackTools No 0 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059331.exe
02667795 HackTool/Cain.D HackTools No 0 Yes No C:\Program Files\Cain\Cain.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP344\A0059554.sys
02904583 Spyware/LinkReplacer Spyware No 1 Yes No J:\System Volume Information\_restore{6B911120-0068-486A-81F0-FD23ACBD94EF}\RP21\A0000341.exe
02905032 Application/MessenPass HackTools No 0 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059322.exe
02933758 Application/ProduKey HackTools No 0 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059327.exe
02934030 Trj/Rizalof.RV Virus/Trojan No 1 Yes No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Adobe CS3 Keygens - by Wiseman/PhotoShop CS3 Extended Keygen + Activation.exe]
02987812 HackTool/Cain HackTools No 0 Yes No C:\Program Files\Cain\Winrtgen\Winrtgen.exe
02987813 HackTool/Cain HackTools No 0 Yes No C:\Program Files\Cain\Abel.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Cain\Abel.exe
03252395 Generic Trojan Virus/Trojan No 0 Yes No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Adobe CS3 Keygens - by Wiseman/Dreamweaver CS3 Keygen VLK.exe]
03445437 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{6B911120-0068-486A-81F0-FD23ACBD94EF}\RP21\A0000343.exe
03446216 Generic Trojan Virus/Trojan No 0 Yes No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Adobe CS3 Keygens - by Wiseman/InCopy CS3 Keygen VLK.exe]
03648670 W32/Netsky.CI.worm Virus No 0 Yes No C:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP344\A0059547.exe
03648670 W32/Netsky.CI.worm Virus No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\install.exe.vir
03738686 Generic Malware Virus/Trojan No 0 No No H:\icrontic\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jasdeep Singh\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jasdeep Singh\Desktop\Virus\Icrontic\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location ?
;===================================================================================================================================================================================
No C:\Documents and Settings\All Users\Application Data\Apple\Installer Cache\Apple Mobile Device Support 2.1.0.25\AppleMobileDeviceSupport.msi[unk_0051][EventFixer.exe]
No C:\Documents and Settings\Jasdeep Singh\Desktop\bitdefender_totalsecurity_2009_32b.exe[C:\Documents and Settings\Jasdeep Singh\Desktop\bitdefender_totalsecurity_2009_32b.exe][bdts.msi][unk_0073]
No C:\Program Files\Common Files\Apple\Mobile Device Support\bin\EventFixer.exe ?
No C:\Program Files\Common Files\BitDefender\Setup Information\{E892011A-4DA1-415E-9AAD-5956ED628822}\bdts.msi[unk_0073]
No C:\Program Files\InstallShield Installation Information\{6D025DA9-C5C9-44D5-9B6E-83D42648F453}\10.0.0104\data1.cab[SMG.EXE]
No C:\Program Files\mIRC\mirc.exe ?
No C:\WINDOWS\Installer\2e687a.msi[unk_0092] ?
No C:\Program Files\Wilcom\ES2006\BIN\SMG.EXE ?
No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Adobe CS3 Keygens - by Wiseman/Fireworks CS3 Keygen VLK.exe]
No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Adobe CS3 Keygens - by Wiseman/InDesign CS3 Keygen VLK.exe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ?
;===================================================================================================================================================================================
;===================================================================================================================================================================================
I strongly recommend that you delete this:
D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip
Next, if you don't use Cain / Cain & Abel, go to Control Panel > Add/Remove Programs and uninstall it if found.
Then navigate to and delete the following folder if still present:
C:\Program Files\Cain\
The rest of the stuff is relatively harmless, so we will get rid of it after you have finished the above.
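As an added example (not part of the thread), a small Python triage script over constructed rows in the ActiveScan MALWARE layout shown above: it separates hits inside System Volume Information restore points and ComboFix's quarantine from live files and archive members, which is the distinction behind the advice to delete the zip and the Cain folder first and deal with the rest afterwards.

```python
import re
from collections import defaultdict

# Constructed sample rows in the ActiveScan MALWARE table layout quoted above
# (Id Description Type Active Severity Disinfectable Disinfected Location).
SAMPLE_REPORT = r"""
Id Description Type Active Severity Disinfectable Disinfected Location
00371793 HackTool/NetPass.B HackTools No 1 Yes No D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059325.exe
02667795 HackTool/Cain.D HackTools No 0 Yes No C:\Program Files\Cain\Cain.exe
02934030 Trj/Rizalof.RV Virus/Trojan No 1 Yes No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/PhotoShop CS3 Extended Keygen + Activation.exe]
03252395 Generic Trojan Virus/Trojan No 0 Yes No D:\SEAGATE\dc finished\Adobe Photoshop CS3 + Regkey & Activation (Works Fine).zip[Adobe_CS3_Keygens_-_by_Wiseman/Dreamweaver CS3 Keygen VLK.exe]
03648670 W32/Netsky.CI.worm Virus No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\install.exe.vir
"""

# Description may contain spaces ("Generic Trojan"): match it lazily and pin the Yes/No and severity columns.
ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)

# What each location class means for cleanup (mirrors the advice in the thread).
ACTION = {
    "live_file": "uninstall the program or delete the file",
    "archive": "delete the whole archive, not just the flagged member",
    "restore_point": "inactive copy in a restore point; gone once System Restore is flushed",
    "quarantined": "already quarantined by ComboFix; removed by ComboFix /u",
}

def parse_report(text):
    """Return one dict per MALWARE row; header lines and ;=== separators do not match."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line.strip()))]

def classify(location):
    """Map a hit to (category, path cleanup must touch); archive members map to the archive."""
    container = location.split("[", 1)[0]
    if "\\System Volume Information\\" in container:
        return "restore_point", container
    if "\\QooBox\\Quarantine\\" in container:
        return "quarantined", container
    return ("archive" if "[" in location else "live_file"), container

def triage(text):
    """Group hits by category so several members of one archive collapse to one target."""
    plan = defaultdict(set)
    for row in parse_report(text):
        category, target = classify(row["location"])
        plan[category].add(target)
    return dict(plan)
```

Running `triage(SAMPLE_REPORT)` yields one archive to delete, one live file, one restore-point copy and one quarantined item, each paired with its `ACTION` text.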
Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 11:18:46 04/10/2008
Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1223133526_1_02.xml
Scan Paths:Path 0000: C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
Path 0001: C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
Path 0002: C:\WINDOWS\System32\alg.exe
Path 0003: C:\WINDOWS\System32\svchost.exe
Path 0004: C:\Program Files\iPod\bin\iPodService.exe
Path 0005: C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
Path 0006: C:\WINDOWS\system32\vmnetdhcp.exe
Path 0007: C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
Path 0008: C:\WINDOWS\system32\vmnat.exe
Path 0009: C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
Path 0010: C:\Program Files\Tenable\Nessus\nessusd.exe
Path 0011: C:\WINDOWS\system32\svchost.exe
Path 0012: C:\WINDOWS\system32\PSIService.exe
Path 0013: C:\WINDOWS\system32\PnkBstrA.exe
Path 0014: C:\WINDOWS\system32\nvsvc32.exe
Path 0015: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
Path 0016: C:\WINDOWS\system32\inetsrv\inetinfo.exe
Path 0017: C:\Program Files\Bonjour\mDNSResponder.exe
Path 0018: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Path 0019: C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
Path 0020: C:\Program Files\IPMsg\ipmsg.exe
Path 0021: C:\Program Files\MWSnap\MWSnap.exe
Path 0022: C:\Program Files\DAEMON Tools Lite\daemon.exe
Path 0023: C:\WINDOWS\system32\ctfmon.exe
Path 0024: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Path 0025: C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
Path 0026: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
Path 0027: C:\Program Files\iTunes\iTunesHelper.exe
Path 0028: C:\WINDOWS\SOUNDMAN.EXE
Path 0029: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
Path 0030: C:\Program Files\VMware\VMware Workstation\hqtray.exe
Path 0031: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
Path 0032: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
Path 0033: C:\WINDOWS\Explorer.EXE
Path 0034: C:\WINDOWS\system32\spoolsv.exe
Path 0035: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
Path 0036: C:\WINDOWS\system32\svchost.exe
Path 0037: C:\WINDOWS\system32\svchost.exe
Path 0038: C:\WINDOWS\system32\svchost.exe
Path 0039: C:\WINDOWS\System32\svchost.exe
Path 0040: C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
Path 0041: C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
Path 0042: C:\WINDOWS\system32\svchost.exe
Path 0043: C:\WINDOWS\system32\svchost.exe
Path 0044: C:\WINDOWS\system32\lsass.exe
Path 0045: C:\WINDOWS\system32\services.exe
Path 0046: C:\WINDOWS\system32\winlogon.exe
Path 0047: C:\WINDOWS\system32\csrss.exe
Path 0048: \SystemRoot\System32\smss.exe
Path 0049: C:\
Path 0050: D:\
Path 0051: F:\
Path 0052: H:\
Path 0053: J:\
Scan Options:Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target Selection Options:Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing:Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : None
Scan engines summaryNumber of virus signatures : 1833437
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
System plugins : 5
Unpack plugins : 7
Overall scan summaryScanned items : 4557277
Infected items : 7
Suspicious items : 0
Resolved items : 0
Unresolved items : 922
Password-protected items : 915
Individual viruses found : 7
Scanned directories : 21784
Scanned boot sectors : 10
Scanned archives : 248481
Input-output errors : 34
Scan time : 09:00:20
Files per second : 140
Scanned processes summaryScanned : 49
Infected : 0
Scanned registry keys summaryScanned : 423
Infected : 0
Scanned cookies summaryScanned : 423
Infected : 0
Remaining issues:Object Name Threat Name Final Status
H:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059302.exe Application.Keygen.BD Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059322.exe Application.MessenPass.N Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059325.exe Application.NetPass.F Disinfect Failed
D:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP340\A0059331.exe Application.Tool.1379 Disinfect Failed
C:\System Volume Information\_restore{F1D71F1A-5442-45C3-926A-804F0320BABF}\RP346\A0061083.exe Application.Tool.623 Disinfect Failed
D:\Seneca Stuff\Operating Systems\SUSE\non-oss-dvd-iso\SUSE-Linux-10.1-GM-DVD-i386.iso=]suse/i586/amavisd-new-2.3.3-17.i586.rpm=]amavisd-new-2.3.3-17.gz=](bz2_data)=]./usr/share/doc/packages/amavisd-new/test-messages/sample-virus-executable.txt=][Subject: Sample virus with an executable][Date: Wed, 14 Apr 2004 20:36:33 +0200]=](MIME part)=](message body) EICAR-Test-File (not a virus) Infected (no action was possible, file was in an archive)
D:\Seneca Stuff\Operating Systems\SUSE\non-oss-dvd-iso\SUSE-Linux-10.1-GM-DVD-i386.iso=]suse/i586/amavisd-new-2.3.3-17.i586.rpm=]amavisd-new-2.3.3-17.gz=](bz2_data)=]./usr/share/doc/packages/amavisd-new/test-messages/sample-42-mail-bomb.txt=][Subject: amavisd test - 42.zip mail bomb]=](MIME part)=]42.zip Trojan.Arcbomb.ZIP Infected (no action was possible, file was in an archive)
This will clear away any of the files and folders that were created by ComboFix.
Go to:
Start > Run, then copy and paste the highlighted text below into the box and click OK.
ComboFix /u
Next, flush System Restore by following the instructions here:
http://safecomputing.umn.edu/guides/systemrestore.html
Let me know how your computer is running now.
I'll post this problem under one of the computer hardware sections.
Other than that, there are no problems with my computer.
Thanks a lot for your help
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own thread instead.