hacker/virus help!!
OK guys, I need help.
I think someone hacked into my computer or something yesterday.
My computer went all woozy n stuff, so I restarted, and I saw that there was a new User Log created under the name of something like l0923k4 etc. etc., a random one like that.
Then I removed it (it was administrative as well), and my SpySweeper has somehow been terminated since this occurred and is asking me to reinstall it. When I went to install Norton I googled the site, and whenever I clicked the link it would direct me to a dead link, but other sites worked fine.
Then my internet has been lagging big time and I got a pop-up from Norton saying "your internet connection is being interfered etc etc".
And today I just saw that my firewall got shut off (Windows Firewall), so I clicked to enable it and it said this option is not able to occur, go to Control Panel and do it manually, so I clicked that and it says the ability to open this option is disabled.
And so now I installed NOD32, and it installed, but it isn't working. Says error communicating with kernel.
What should I do?
Comments
You should start by sending a HijackThis log in your next message.
Download HJTInstall.exe to your Desktop.
I did some googling and someone else seemed to have a similar problem, and it said that they used Malwarebytes Anti-Malware to scan the computer or something.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
I will send you via PM how to remove this rootkit.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:20 PM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8734 bytes
ComboFix 08-11-28.02 - Edwin T 2008-11-28 15:58:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1611 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\Drivers\TDSSofxh.sys
c:\windows\system32\Drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSfxwp.dll
c:\windows\system32\TDSSnmxh.dll
c:\windows\system32\TDSSnrsr.dat
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSSvvbi.log
c:\windows\system32\winlogon.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_TDSSSERV.SYS
\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-25 10:38 . 2008-11-25 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-25 10:37 . 2008-11-25 10:37 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 10:37 . 2008-11-25 10:37 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-25 10:37 . 2008-11-25 10:37 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 10:37 . 2008-11-25 10:37 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-24 19:44 . 2008-11-24 19:44 165 --a------ c:\documents and settings\Edwin T\nah_log.dat
2008-11-24 19:43 . 2008-11-28 15:09 2,274 --a------ c:\windows\system32\TDSSsbhc.dll
2008-11-24 19:34 . 2008-11-24 19:34 80,384 --a------ c:\documents and settings\Edwin T\nah_wnwq.exe
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:10 <DIR> d-------- c:\program files\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-18 12:52 . 2008-11-18 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-06 18:43 . 2008-11-06 18:45 <DIR> d-------- c:\program files\SopCast
2008-11-05 21:43 . 2008-11-25 12:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-05 21:42 . 2008-11-05 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-05 21:04 . 2008-11-05 21:04 <DIR> d-------- c:\documents and settings\Edwin T\Incomplete
2008-11-05 21:03 . 2008-11-05 22:26 <DIR> d-------- c:\program files\LimeWire Turbo
2008-11-05 21:03 . 2008-11-05 21:12 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
2008-11-04 16:32 . 2008-11-04 16:32 3,398 --a------ c:\windows\system32\PerfStringBackup.TMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 07:31 --------- d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-11-25 18:39 --------- d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-11-19 01:10 --------- d-----w c:\program files\AIM6
2008-11-19 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 06:19 --------- d-----w c:\program files\LimeWire
2008-11-01 19:09 --------- d-----w c:\program files\Opera
2008-10-24 20:26 --------- d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 --------- d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 04:29 --------- d-----w c:\program files\SlimBrowser
2008-09-19 21:38 319,488 ----a-w c:\windows\HideWin.exe
2008-09-10 01:39 16,851,968 ----a-w c:\windows\RTHDCPL.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7618560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-17 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-08 1410304]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a------ 2003-05-26 19:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Edwin T\\Desktop\\Downloads\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-08 30728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-18 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-25 c:\windows\Tasks\At10.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At11.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At12.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At13.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At14.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At15.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At16.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At17.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At18.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At19.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At2.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At20.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At21.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At22.job
- c:\windows\system32\o845LW6B.exe []
2008-11-27 c:\windows\Tasks\At23.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At24.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At25.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At26.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At27.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At28.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At29.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At3.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At30.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At31.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At32.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At33.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At34.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At35.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-26 c:\windows\Tasks\At36.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-26 c:\windows\Tasks\At37.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-26 c:\windows\Tasks\At38.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-26 c:\windows\Tasks\At39.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At4.job
- c:\windows\system32\o845LW6B.exe []
2008-11-26 c:\windows\Tasks\At40.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At41.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At42.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At43.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At44.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At45.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At46.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-27 c:\windows\Tasks\At47.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-26 c:\windows\Tasks\At48.job
- c:\windows\system32\7a827Ytv.exe []
2008-11-25 c:\windows\Tasks\At5.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At6.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At7.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At8.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At9.job
- c:\windows\system32\o845LW6B.exe []
.
.
Supplementary Scan
.
FireFox -: Profile - c:\documents and settings\Edwin T\Application Data\Mozilla\Firefox\Profiles\2ng5ejc2.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
File Associations
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 16:08:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\relog_ap.dll
.
Other Running Processes
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-11-28 16:15:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 00:13:46
ComboFix2.txt 2008-07-22 22:51:04
ComboFix3.txt 2007-12-21 09:11:24
ComboFix4.txt 2007-12-18 18:14:46
Pre-Run: 185,837,465,600 bytes free
Post-Run: 187,139,612,672 bytes free
287 --- E O F --- 2008-11-16 03:41:19
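As an added example (not part of this thread, and not a ComboFix or HijackThis feature), here is a small Python triage script that reads ComboFix-style log text the way a helper reads the log above: it flags At<N>.job scheduled tasks whose target is a version-less, random-named executable in system32, and labels the TDSS rootkit components and the infected-winlogon marker in the deletion sections. The sample input is constructed from lines in the log above; the scoring rules and thresholds are my own, not a general signature set.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: an abbreviated excerpt in the format of the ComboFix log posted
# above (paths and file names are the ones that appear in that log).
SAMPLE_LOG = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\Drivers\TDSSofxh.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\winlogon.exe . . . is infected!!
((((((((((((((( Drivers/Services )))))))))))))))
\Legacy_TDSSSERV.SYS
\Service_TDSSserv.sys
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-25 c:\windows\Tasks\At10.job
- c:\windows\system32\o845LW6B.exe []
2008-11-25 c:\windows\Tasks\At25.job
- c:\windows\system32\7a827Ytv.exe []
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # ((( Section Name )))
TASK_HDR = re.compile(r"^\d{4}-\d{2}-\d{2} .*\\Tasks\\([^\\]+)\.job$", re.I)
TASK_TGT = re.compile(r"^- (.+?) \[(.*)\]$")  # - <target> [<version or date>]
AT_JOB = re.compile(r"^At\d+$", re.I)  # task name pattern produced by at.exe
# eight alphanumerics mixing letters and digits (matched lower-cased), e.g. o845lw6b.exe
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.exe$")
TDSS = re.compile(r"\\(?:Legacy_|Service_)?TDSS\w*\.(?:sys|dll|dat|log)$", re.I)

@dataclass
class Task:
    job: str
    target: str
    version: str  # text inside [...]; empty means ComboFix found no version info
    reasons: List[str] = field(default_factory=list)

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the ComboFix banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = BANNER.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("Contents of the 'Scheduled Tasks' folder"):
            current = "Scheduled Tasks"
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections

def parse_tasks(lines: List[str]) -> List[Task]:
    """Pair each '<date> ...\\Tasks\\<name>.job' line with the '- <target> [...]' line below it."""
    tasks: List[Task] = []
    for i in range(len(lines) - 1):
        h, t = TASK_HDR.match(lines[i]), TASK_TGT.match(lines[i + 1])
        if h and t:
            tasks.append(Task(job=h.group(1), target=t.group(1), version=t.group(2)))
    return tasks

def assess(task: Task) -> Task:
    """Attach the reasons a task looks planted rather than installed (rules are mine)."""
    folder, _, name = task.target.lower().rpartition("\\")
    if AT_JOB.match(task.job):
        task.reasons.append("At<N>.job: created with at.exe, not by an installer")
    if task.version == "":
        task.reasons.append("target carries no version information")
    if folder.endswith("\\system32") and RANDOM_NAME.match(name):
        task.reasons.append("random-looking 8-character executable in system32")
    return task

def deletion_indicators(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Label the rootkit-related lines in the Other Deletions and Drivers/Services sections."""
    out: List[Tuple[str, str]] = []
    for name in ("Other Deletions", "Drivers/Services"):
        for line in sections.get(name, []):
            if TDSS.search(line):
                out.append(("TDSS rootkit component", line))
            elif line.endswith("is infected!!"):
                out.append(("system binary flagged as infected", line.split(" . . .")[0]))
            elif re.search(r"\\drivers\\svchost\.exe$", line, re.I):
                out.append(("svchost.exe outside system32 (the real one lives in system32)", line))
    return out

def triage(text: str) -> dict:
    sections = split_sections(text)
    tasks = parse_tasks(sections.get("Scheduled Tasks", []))
    bad = [t for t in map(assess, tasks) if len(t.reasons) >= 2]  # two hits = report it
    return {"tasks_total": len(tasks), "tasks_suspicious": len(bad),
            "task_targets": sorted({t.target.lower() for t in bad}),
            "indicators": deletion_indicators(sections)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real run, pass the contents of C:\ComboFix.txt to triage() instead of SAMPLE_LOG; the Apple task in the sample shows that an installer-created job with version information is left alone.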
It seems like you have an infected winlogon.exe in your system.
So this is what we do next.
Click Start, then Search, and search for winlogon.exe; send every winlogon.exe to http://virusscan.jotti.org/ and try to find a NOT infected winlogon.exe.
Let me know the result.
This is what came up...
BitDefender Found Application.WLHack.A
G DATA Found Application.WLHack.A
Sophos Antivirus Found Troj/WLhack-F
The other scanners such as Kaspersky, NOD etc. found nothing, but these 3 found that.
Also at the bottom of the page it says...
Last file scanned at least one scanner reported something about: Download_SD6.0.0.362h-sdregnow-sdsetup.exe (MD5: c5785070561e59176325be5a9e57ca6b, size: 128344 bytes), detected by:
ArcaVir Trojan.Fraudtool.Spynomore.Od
CPsecure Downloader.W32.Keylogger.a
That's about it.
The rest have an X next to them.
PS: I went to uninstall my NOD32 and it says the file needs to be installed in order to uninstall it. I go to Add/Remove, it's not there; I used the Microsoft Install Clean Up, it's not there; but I go into Windows Explorer and search for it and it's there. How can I remove this, because it keeps loading when I restart but it says it can't connect to the kernel.
You can try this to uninstall NOD32, but if you don't know what you are doing, don't do it.
Open Notepad and copy & paste the quote box's content into Notepad:
Save it as CFScript.
Then drag & drop CFScript onto ComboFix.exe like in the sample picture.
Restart the computer if needed and send the ComboFix.txt content and a fresh HijackThis log.
Scan saved at 7:14:29 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8945 bytes
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1367 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-11-30 20:01 . 2008-11-30 20:01 244 --ah C:\sqmnoopt18.sqm
2008-11-30 20:01 . 2008-11-30 20:01 232 --ah C:\sqmdata18.sqm
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d c:\program files\Common Files\xing shared
2008-11-29 20:39 . 2008-11-29 20:39 43,520 --a c:\windows\system32\CmdLineExt03.dll
2008-11-25 10:38 . 2008-11-25 10:38 <DIR> d c:\documents and settings\All Users\Application Data\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d c:\program files\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d c:\program files\Common Files\Symantec Shared
2008-11-25 10:37 . 2008-11-25 10:37 124,464 --a c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 10:37 . 2008-11-25 10:37 60,808 --a c:\windows\system32\S32EVNT1.DLL
2008-11-25 10:37 . 2008-11-25 10:37 10,635 --a c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 10:37 . 2008-11-25 10:37 806 --a c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d c:\windows\system32\drivers\NAV
2008-11-24 19:44 . 2008-11-24 19:44 165 --a c:\documents and settings\Edwin T\nah_log.dat
2008-11-24 19:43 . 2008-11-28 15:09 2,274 --a c:\windows\system32\TDSSsbhc.dll
2008-11-24 19:34 . 2008-11-24 19:34 80,384 --a c:\documents and settings\Edwin T\nah_wnwq.exe
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:10 <DIR> d c:\program files\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:09 <DIR> d c:\documents and settings\All Users\Application Data\acccore
2008-11-18 12:52 . 2008-11-18 12:52 <DIR> d c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-06 18:43 . 2008-11-06 18:45 <DIR> d c:\program files\SopCast
2008-11-05 21:43 . 2008-11-25 12:05 <DIR> d c:\documents and settings\All Users\Application Data\Norton
2008-11-05 21:42 . 2008-11-05 21:42 <DIR> d c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-05 21:04 . 2008-11-05 21:04 <DIR> d c:\documents and settings\Edwin T\Incomplete
2008-11-05 21:03 . 2008-11-05 22:26 <DIR> d c:\program files\LimeWire Turbo
2008-11-05 21:03 . 2008-11-05 21:12 <DIR> d c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
2008-11-04 16:32 . 2008-11-04 16:32 3,398 --a c:\windows\system32\PerfStringBackup.TMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 19:28 d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-12-01 19:17 d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-11-30 23:04 d-----w c:\program files\Common Files\Real
2008-11-19 01:10 d-----w c:\program files\AIM6
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 03:41 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 06:19 d-----w c:\program files\LimeWire
2008-11-01 19:09 d-----w c:\program files\Opera
2008-10-24 20:26 d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 04:29 d-----w c:\program files\SlimBrowser
2008-09-19 21:38 319,488 ----a-w c:\windows\HideWin.exe
2008-09-10 01:39 16,851,968 ----a-w c:\windows\RTHDCPL.EXE
.
((((((((((((((((((((((((((((( snapshot@2008-11-28_16.12.03.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-28 22:32:48 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-12-01 19:18:41 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-04-18 00:16:42 278,528 ----a-w c:\windows\system32\pncrt.dll
+ 2008-11-30 23:03:04 278,528 ----a-w c:\windows\system32\pncrt.dll
- 2008-04-18 00:16:44 6,656 ----a-w c:\windows\system32\pndx5016.dll
+ 2008-11-30 23:03:13 6,656 ----a-w c:\windows\system32\pndx5016.dll
- 2008-04-18 00:16:44 5,632 ----a-w c:\windows\system32\pndx5032.dll
+ 2008-11-30 23:03:14 5,632 ----a-w c:\windows\system32\pndx5032.dll
- 2008-04-18 00:16:58 185,944 ----a-w c:\windows\system32\rmoc3260.dll
+ 2008-11-30 23:04:03 185,920 ----a-w c:\windows\system32\rmoc3260.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7618560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-30 185872]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a 2003-05-26 19:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Edwin T\\Desktop\\Downloads\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-08 30728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-18 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-01 c:\windows\Tasks\At10.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At11.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At12.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At13.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At14.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At15.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At16.job
- c:\windows\system32\o845LW6B.exe []
2008-12-02 c:\windows\Tasks\At17.job
- c:\windows\system32\o845LW6B.exe []
2008-12-02 c:\windows\Tasks\At18.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At19.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At2.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At20.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At21.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At22.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At23.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At24.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At25.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At26.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At27.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At28.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At29.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At3.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At30.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At31.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At32.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At33.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At34.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At35.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At36.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At37.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At38.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At39.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At4.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At40.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-02 c:\windows\Tasks\At41.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-02 c:\windows\Tasks\At42.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At43.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At44.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At45.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At46.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At47.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At48.job
- c:\windows\system32\7a827Ytv.exe []
2008-12-01 c:\windows\Tasks\At5.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At6.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At7.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At8.job
- c:\windows\system32\o845LW6B.exe []
2008-12-01 c:\windows\Tasks\At9.job
- c:\windows\system32\o845LW6B.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 18:11:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\relog_ap.dll
.
Other Running Processes
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-12-01 18:18:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 02:17:12
ComboFix2.txt 2008-11-29 00:15:12
ComboFix3.txt 2008-07-22 22:51:04
ComboFix4.txt 2007-12-21 09:11:24
ComboFix5.txt 2008-12-02 01:52:39
Pre-Run: 185,407,864,832 bytes free
Post-Run: 186,113,294,336 bytes free
268 --- E O F --- 2008-11-16 03:41:19
Run this CFScript
Open Notepad and copy & paste the Quotebox's content into Notepad:
Save As CFScript.
Then drag & drop CFScript onto ComboFix.exe as in the sample picture.
Restart the computer if needed and send the combofix.txt content and a fresh HijackThis log.
Go to c:\windows\system32\winlogon.exe and send winlogon.exe to http://virusscan.jotti.org/.
Let me know the result.
And my computer always crashes to the blue screen saying "DRV LESS QRL something something". I don't remember exactly, but it's along those lines, in CAPS and with _ between each word. How can I fix this?
Scan taken on 02 Dec 2008 22:53:53 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
But at the bottom of the site I got this...
Last file scanned at least one scanner reported something about: MageBomb.rar (MD5: 007a5c0b3b20647e1cdc5c5b85aec449, size: 2103570 bytes), detected by:
Scanner - Malware name
A-Squared - Trojan.Crypt!IK
AntiVir - TR/Crypt.TPM.Gen
ArcaVir - X
Avast - Win32:Trojan-gen {Other}
AVG Antivirus - Dropper.ErPack.E
BitDefender - Backdoor.Prosti.EG
ClamAV - X
CPsecure - BackDoor.W32.Agent.bd
Dr.Web - Trojan.Packed.650
F-Prot Antivirus - X
F-Secure Anti-Virus - Packed.Win32.Black.a
G DATA - X
Ikarus - Trojan.Crypt.TPM
Kaspersky Anti-Virus - Packed.Win32.Black.a
NOD32 - X
Norman Virus Control - X
Panda Antivirus - Trj/Downloader.MDW
Sophos Antivirus - Mal/Behav-285
VirusBuster - X
VBA32 - X
Scan saved at 2:51:46 PM, on 12/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8948 bytes
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1556 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\7a827Ytv.exe
c:\windows\system32\o845LW6B.exe
c:\windows\system32\TDSSsbhc.dll
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-11-30 20:01 . 2008-11-30 20:01 244 --ah----- C:\sqmnoopt18.sqm
2008-11-30 20:01 . 2008-11-30 20:01 232 --ah----- C:\sqmdata18.sqm
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-29 20:39 . 2008-11-29 20:39 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-25 10:38 . 2008-11-25 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-25 10:37 . 2008-11-25 10:37 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 10:37 . 2008-11-25 10:37 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-25 10:37 . 2008-11-25 10:37 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 10:37 . 2008-11-25 10:37 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-24 19:44 . 2008-11-24 19:44 165 --a------ c:\documents and settings\Edwin T\nah_log.dat
2008-11-24 19:34 . 2008-11-24 19:34 80,384 --a------ c:\documents and settings\Edwin T\nah_wnwq.exe
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:10 <DIR> d-------- c:\program files\Viewpoint
2008-11-18 17:09 . 2008-11-18 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-18 12:52 . 2008-11-18 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-06 18:43 . 2008-11-06 18:45 <DIR> d-------- c:\program files\SopCast
2008-11-05 21:43 . 2008-11-25 12:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-05 21:42 . 2008-11-05 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-05 21:04 . 2008-11-05 21:04 <DIR> d-------- c:\documents and settings\Edwin T\Incomplete
2008-11-05 21:03 . 2008-11-05 22:26 <DIR> d-------- c:\program files\LimeWire Turbo
2008-11-05 21:03 . 2008-11-05 21:12 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 06:34 --------- d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-12-01 19:17 --------- d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-11-30 23:04 --------- d-----w c:\program files\Common Files\Real
2008-11-19 01:10 --------- d-----w c:\program files\AIM6
2008-11-19 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 06:19 --------- d-----w c:\program files\LimeWire
2008-11-01 19:09 --------- d-----w c:\program files\Opera
2008-10-24 20:26 --------- d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 --------- d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 04:29 --------- d-----w c:\program files\SlimBrowser
2008-09-19 21:38 319,488 ----a-w c:\windows\HideWin.exe
2008-09-10 01:39 16,851,968 ----a-w c:\windows\RTHDCPL.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7618560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-30 185872]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a------ 2003-05-26 19:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Edwin T\\Desktop\\Downloads\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-08 30728]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-18 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 13:03:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\relog_ap.dll
.
Other Running Processes
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-12-02 13:10:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 21:09:01
ComboFix2.txt 2008-12-02 02:18:42
ComboFix3.txt 2008-11-29 00:15:12
ComboFix4.txt 2008-07-22 22:51:04
ComboFix5.txt 2008-12-02 20:45:29
Pre-Run: 186,014,662,656 bytes free
Post-Run: 186,048,577,536 bytes free
258 --- E O F --- 2008-11-16 03:41:19
Search for 2 latest .DMP files and attach them in your next post.
I think its coming from pop ups. I was just chillin on the comp when it happened and my firewall shut off again but i got it to go back up really quick but computer has gone slow on me.
btw: I forgot to mention somehow my comp stopped reading 2 of my drives today during this process and since about 2 days ago this weird noise keeps coming, i believe its coming from my HD. Picture nails scratching a screen door, that noise every 3 seconds non stop.
and it crashed to the blue screen again for the 3rd time today. does it about 4-5 times everyday. I did a search i just typed ".dmp" right? only 1 file came up.
i got the blue screen AGAIN just now the error is...
DRIVER_IRQL_NOT_LESS_OR_EQUAL
thats the screen I get.
and also when this whole virus thing happens or the blue screen whatever site i have a log in on that keeps me logged in or rem my username gets removed. not ALL just each one, one by one each time it crashes.
the program does NOT exist on my computer. its been like this for about 8 months now. i reinstalled and uninstalled it, i did it thru add remove programs ive done it using micr. install clean up etc. how can i remove this thing its annoyinggggggg
btw since i installed this NONE of my websites save my user name or log in name. Can this be b/c of the ESET or its something else?
Please upload or attach newest .dmp file in your next post.
this is the one i could get.
Reboot your computer after the scan!
Please send these log files in your next post.
Database version: 935
Windows 5.1.2600 Service Pack 2
8:19:43 AM 12/9/2008
mbam-log-12-9-2008 (08-19-43).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 283918
Time elapsed: 5 hour(s), 3 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Scan saved at 11:19:27 AM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\iolo\System Mechanic\SysMech.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'Default user')
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: mt49hub - mt49hub.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7880 bytes