Jump to content

channel12001

Members
 View Profile  See their activity

  • Posts

    8

  • Joined

  • Last visited

Reputation

0 Neutral
  1. channel12001
    OK, here's the new logs.... Java Log: JavaRa 1.13 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Sun May 03 19:55:17 2009 Found and removed: C:\Program Files\Java\j2re1.4.2_03 Found and removed: C:\Program Files\Java\jre1.5.0_06 Found and removed: C:\Windows\System32\jpicpl32.cpl Found and removed: Software\JavaSoft\Java2D\1.5.0_06 Found and removed: Software\JavaSoft\Java2D\1.5.0_08 Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510006 Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510008 Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510006 Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510008 Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510006 Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510008 Found and removed: SOFTWARE\Classes\JavaPlugin.150_06 Found and removed: SOFTWARE\Classes\JavaPlugin.150_08 Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0 Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_06 Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_08 Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5 Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_06 Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_08 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510006 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510008 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510008 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150060} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150080} Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_06 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_08 Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA} Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01 Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\ Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\ Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_08\ ------------------------------------ Finished reporting. HiJack Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:04:14 PM, on 5/3/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\LVCOMSX.EXE F:\Spyware Doctor\pctsTray.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 5044 bytes
  2. channel12001
    Thanks for the help.... New Combo Log: ComboFix 09-05-02.4 - Owner 05/03/2009 15:39.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.184 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: c:\windows\system32\kiduruka.dll.tmp c:\windows\system32\miyahewe.exe c:\windows\system32\vagazodi.dll.tmp c:\windows\system32\vugivodi.dll.tmp c:\windows\system32\yupujufo.dll.tmp . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\kiduruka.dll.tmp c:\windows\system32\miyahewe.exe c:\windows\system32\vagazodi.dll.tmp c:\windows\system32\vugivodi.dll.tmp c:\windows\system32\yupujufo.dll.tmp . ((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 ))))))))))))))))))))))))))))))) . 2009-05-02 19:36 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll 2009-05-02 19:36 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll 2009-05-02 19:36 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-05-02 19:36 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-05-02 19:36 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-05-02 19:36 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-05-02 19:36 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-05-02 19:36 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-05-02 19:36 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-05-02 19:35 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-04 13:45 . 2009-04-04 13:45 -------- d-----w c:\program files\EMUSB2.0 2009-04-04 13:45 . 2009-04-04 13:45 -------- d-----w c:\program files\eMPIA 2009-04-04 13:44 . 2004-12-13 06:44 4184960 ----a-w c:\windows\system32\libavcodec.dll 2009-04-04 13:44 . 2004-12-13 06:44 143360 ----a-w c:\windows\system32\MPEG2VideoDMO.dll 2009-04-04 13:44 . 2004-12-13 06:44 139264 ----a-w c:\windows\system32\MPEG2MuxFilter.dll 2009-04-04 13:44 . 2004-12-13 06:44 40960 ----a-w c:\windows\system32\MMACVT.DLL 2009-04-04 13:44 . 2004-12-13 06:44 40960 ----a-w c:\windows\system32\MMVM2D.DLL 2009-04-04 13:44 . 2004-12-13 06:44 53248 ----a-w c:\windows\system32\AUDIO_PREVIEW.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-03 19:38 . 2006-05-04 21:40 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-05-03 07:54 . 2008-08-11 13:12 -------- d-----w c:\program files\Microsoft Silverlight 2009-04-24 18:20 . 2008-11-10 18:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 19:32 . 2008-12-12 00:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 19:32 . 2008-12-12 00:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-06 18:32 . 2007-12-19 21:58 -------- d-----w c:\program files\Napster 2009-04-04 13:45 . 2006-05-05 01:22 -------- d--h--w c:\program files\InstallShield Installation Information 2009-04-04 13:44 . 2006-05-05 01:22 -------- d-----w c:\program files\Common Files\InstallShield 2009-03-06 14:44 . 2001-08-30 10:30 283648 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:30 . 2006-05-06 20:27 81920 ------w c:\windows\system32\ieencode.dll 2009-02-20 08:30 . 2001-08-30 10:30 659456 ----a-w c:\windows\system32\wininet.dll 2009-02-09 10:20 . 2001-08-30 10:30 723456 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 10:20 . 2001-08-30 10:30 399360 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 10:20 . 2001-08-30 10:30 714752 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 10:20 . 2001-08-30 10:30 616960 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 10:19 . 2001-08-30 10:30 1846272 ----a-w c:\windows\system32\win32k.sys 2009-02-06 17:24 . 2001-08-30 10:30 2180480 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-06 17:14 . 2001-08-30 10:30 110592 ----a-w c:\windows\system32\services.exe 2009-02-06 16:54 . 2001-08-30 10:30 35328 ----a-w c:\windows\system32\sc.exe 2009-02-06 16:49 . 2001-08-17 13:48 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-03 20:08 . 2001-08-30 10:30 55808 ----a-w c:\windows\system32\secur32.dll . ((((((((((((((((((((((((((((( SnapShot@2009-05-02_14.10.04 ))))))))))))))))))))))))))))))))))))))))) . + 2007-01-29 08:58 . 2008-10-22 09:47 62976 c:\windows\system32\tzchange.exe - 2007-01-29 08:58 . 2008-07-14 11:09 62976 c:\windows\system32\tzchange.exe + 2006-05-06 20:23 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe + 2006-10-31 13:38 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll - 2006-10-31 13:38 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll + 2001-08-30 10:30 . 2009-02-20 08:30 39424 c:\windows\system32\pngfilt.dll - 2001-08-30 10:30 . 2008-08-20 05:38 39424 c:\windows\system32\pngfilt.dll - 2001-08-30 10:30 . 2009-03-08 11:33 51932 c:\windows\system32\perfc009.dat + 2001-08-30 10:30 . 2009-05-03 12:49 51932 c:\windows\system32\perfc009.dat + 2006-05-04 21:37 . 2008-06-12 14:16 91648 c:\windows\system32\mtxoci.dll - 2001-08-30 10:30 . 2006-03-01 19:42 66560 c:\windows\system32\mtxclu.dll + 2001-08-30 10:30 . 2008-06-12 14:16 66560 c:\windows\system32\mtxclu.dll + 2006-05-04 21:37 . 2008-06-12 14:16 58880 c:\windows\system32\msdtclog.dll - 2006-05-04 21:37 . 2004-08-04 04:56 58880 c:\windows\system32\msdtclog.dll + 2001-08-30 10:30 . 2009-02-20 08:30 16384 c:\windows\system32\jsproxy.dll - 2001-08-30 10:30 . 2008-08-20 05:38 16384 c:\windows\system32\jsproxy.dll + 2001-08-30 10:30 . 2009-02-20 08:30 96256 c:\windows\system32\inseng.dll - 2001-08-30 10:30 . 2008-08-20 05:38 96256 c:\windows\system32\inseng.dll - 2004-11-09 23:54 . 2008-10-15 11:10 93480 c:\windows\system32\FNTCACHE.DAT + 2004-11-09 23:54 . 2009-05-03 07:54 93480 c:\windows\system32\FNTCACHE.DAT + 2006-05-06 20:27 . 2009-02-20 08:30 55808 c:\windows\system32\extmgr.dll - 2006-05-06 20:27 . 2008-08-20 05:38 55808 c:\windows\system32\extmgr.dll + 2009-02-03 20:08 . 2009-02-03 20:08 55808 c:\windows\system32\dllcache\secur32.dll + 2001-08-30 10:30 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe - 2006-05-10 05:23 . 2008-08-20 05:38 39424 c:\windows\system32\dllcache\pngfilt.dll + 2006-05-10 05:23 . 2009-02-20 08:30 39424 c:\windows\system32\dllcache\pngfilt.dll + 2008-06-12 14:16 . 2008-06-12 14:16 91648 c:\windows\system32\dllcache\mtxoci.dll + 2008-06-12 14:16 . 2008-06-12 14:16 66560 c:\windows\system32\dllcache\mtxclu.dll + 2008-06-12 14:16 . 2008-06-12 14:16 58880 c:\windows\system32\dllcache\msdtclog.dll - 2006-05-10 05:22 . 2008-08-20 05:38 16384 c:\windows\system32\dllcache\jsproxy.dll + 2006-05-10 05:22 . 2009-02-20 08:30 16384 c:\windows\system32\dllcache\jsproxy.dll + 2006-05-10 05:22 . 2009-02-20 08:30 96256 c:\windows\system32\dllcache\inseng.dll - 2006-05-10 05:22 . 2008-08-20 05:38 96256 c:\windows\system32\dllcache\inseng.dll + 2009-02-20 08:30 . 2009-02-20 08:30 81920 c:\windows\system32\dllcache\ieencode.dll + 2006-05-09 11:00 . 2009-02-19 09:58 18432 c:\windows\system32\dllcache\iedw.exe - 2006-05-09 11:00 . 2008-08-19 09:30 18432 c:\windows\system32\dllcache\iedw.exe + 2006-05-10 05:22 . 2009-02-20 08:30 55808 c:\windows\system32\dllcache\extmgr.dll - 2006-05-10 05:22 . 2008-08-20 05:38 55808 c:\windows\system32\dllcache\extmgr.dll - 2006-05-08 11:52 . 2008-10-15 11:02 40960 c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\xlvicon.exe + 2006-05-08 11:52 . 2009-05-03 07:48 40960 c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\xlvicon.exe - 2005-05-17 00:25 . 2008-08-19 09:20 351744 c:\windows\system32\xpsp3res.dll + 2005-05-17 00:25 . 2009-02-19 09:47 351744 c:\windows\system32\xpsp3res.dll + 2004-09-22 22:46 . 2008-06-18 09:03 938496 c:\windows\system32\WMNetmgr.dll + 2006-05-05 00:45 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll - 2006-05-05 00:45 . 2004-08-04 04:56 351232 c:\windows\system32\winhttp.dll + 2006-05-04 21:37 . 2009-02-06 16:39 227840 c:\windows\system32\wbem\wmiprvse.exe + 2006-05-04 21:37 . 2009-02-09 10:20 453120 c:\windows\system32\wbem\wmiprvsd.dll + 2006-05-04 21:37 . 2009-02-09 10:20 473088 c:\windows\system32\wbem\fastprox.dll + 2001-08-30 10:30 . 2009-02-20 08:30 616448 c:\windows\system32\urlmon.dll + 2001-08-30 10:30 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll + 2001-08-30 10:30 . 2009-02-20 08:30 474112 c:\windows\system32\shlwapi.dll - 2001-08-30 10:30 . 2008-08-20 05:38 474112 c:\windows\system32\shlwapi.dll - 2001-08-30 10:30 . 2007-04-25 14:21 144896 c:\windows\system32\schannel.dll + 2001-08-30 10:30 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll - 2001-08-30 10:30 . 2009-03-08 11:33 338258 c:\windows\system32\perfh009.dat + 2001-08-30 10:30 . 2009-05-03 12:49 338258 c:\windows\system32\perfh009.dat + 2001-08-30 10:30 . 2009-02-20 08:30 532480 c:\windows\system32\mstime.dll - 2001-08-30 10:30 . 2008-08-20 05:38 532480 c:\windows\system32\mstime.dll + 2001-08-30 10:30 . 2009-02-20 08:30 146432 c:\windows\system32\msrating.dll - 2001-08-30 10:30 . 2008-08-20 05:38 146432 c:\windows\system32\msrating.dll - 2001-08-30 10:30 . 2008-08-20 05:38 449024 c:\windows\system32\mshtmled.dll + 2001-08-30 10:30 . 2009-02-20 08:30 449024 c:\windows\system32\mshtmled.dll + 2006-05-04 21:37 . 2008-06-12 14:16 161792 c:\windows\system32\msdtcuiu.dll + 2006-05-04 21:37 . 2008-06-12 14:16 956928 c:\windows\system32\msdtctm.dll + 2006-05-04 21:37 . 2008-06-12 14:16 428032 c:\windows\system32\msdtcprx.dll - 2004-09-22 22:45 . 2006-10-19 02:03 100864 c:\windows\system32\logagent.exe + 2004-09-22 22:45 . 2008-06-18 05:09 100864 c:\windows\system32\logagent.exe + 2001-08-30 10:30 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll - 2001-08-30 10:30 . 2008-08-20 05:38 251392 c:\windows\system32\iepeers.dll + 2001-08-30 10:30 . 2009-02-20 08:30 251392 c:\windows\system32\iepeers.dll + 2001-08-30 10:30 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll - 2001-08-30 10:30 . 2008-08-20 05:38 205312 c:\windows\system32\dxtrans.dll + 2001-08-30 10:30 . 2009-02-20 08:30 205312 c:\windows\system32\dxtrans.dll - 2001-08-30 10:30 . 2008-08-20 05:38 357888 c:\windows\system32\dxtmsft.dll + 2001-08-30 10:30 . 2009-02-20 08:30 357888 c:\windows\system32\dxtmsft.dll + 2001-08-30 10:30 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys + 2004-09-22 22:46 . 2008-06-18 09:03 938496 c:\windows\system32\dllcache\WMNetmgr.dll + 2006-05-10 05:23 . 2009-02-20 08:30 659456 c:\windows\system32\dllcache\wininet.dll - 2006-05-10 05:23 . 2008-08-20 05:38 659456 c:\windows\system32\dllcache\wininet.dll + 2008-12-16 12:47 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll + 2006-05-10 05:23 . 2009-02-20 08:30 616448 c:\windows\system32\dllcache\urlmon.dll + 2006-08-21 14:52 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll + 2006-04-21 06:12 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys - 2006-05-10 05:23 . 2008-08-20 05:38 474112 c:\windows\system32\dllcache\shlwapi.dll + 2006-05-10 05:23 . 2009-02-20 08:30 474112 c:\windows\system32\dllcache\shlwapi.dll - 2007-04-25 14:21 . 2007-04-25 14:21 144896 c:\windows\system32\dllcache\schannel.dll + 2007-04-25 14:21 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll + 2006-05-10 05:23 . 2009-02-20 08:30 532480 c:\windows\system32\dllcache\mstime.dll - 2006-05-10 05:23 . 2008-08-20 05:38 532480 c:\windows\system32\dllcache\mstime.dll + 2006-05-10 05:23 . 2009-02-20 08:30 146432 c:\windows\system32\dllcache\msrating.dll - 2006-05-10 05:23 . 2008-08-20 05:38 146432 c:\windows\system32\dllcache\msrating.dll + 2006-05-10 05:23 . 2009-02-20 08:30 449024 c:\windows\system32\dllcache\mshtmled.dll - 2006-05-10 05:23 . 2008-08-20 05:38 449024 c:\windows\system32\dllcache\mshtmled.dll + 2008-06-12 14:16 . 2008-06-12 14:16 161792 c:\windows\system32\dllcache\msdtcuiu.dll + 2008-06-12 14:16 . 2008-06-12 14:16 956928 c:\windows\system32\dllcache\msdtctm.dll + 2008-06-12 14:16 . 2008-06-12 14:16 428032 c:\windows\system32\dllcache\msdtcprx.dll + 2006-08-17 12:28 . 2009-02-09 10:20 723456 c:\windows\system32\dllcache\lsasrv.dll - 2004-09-22 22:45 . 2006-10-19 02:03 100864 c:\windows\system32\dllcache\logagent.exe + 2004-09-22 22:45 . 2008-06-18 05:09 100864 c:\windows\system32\dllcache\logagent.exe + 2006-07-05 10:55 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll + 2006-05-10 05:22 . 2009-02-20 08:30 251392 c:\windows\system32\dllcache\iepeers.dll - 2006-05-10 05:22 . 2008-08-20 05:38 251392 c:\windows\system32\dllcache\iepeers.dll + 2007-03-08 15:36 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll - 2006-05-10 05:22 . 2008-08-20 05:38 205312 c:\windows\system32\dllcache\dxtrans.dll + 2006-05-10 05:22 . 2009-02-20 08:30 205312 c:\windows\system32\dllcache\dxtrans.dll + 2006-05-10 05:22 . 2009-02-20 08:30 357888 c:\windows\system32\dllcache\dxtmsft.dll - 2006-05-10 05:22 . 2008-08-20 05:38 357888 c:\windows\system32\dllcache\dxtmsft.dll + 2006-05-10 05:22 . 2009-02-20 08:30 151040 c:\windows\system32\dllcache\cdfview.dll - 2006-05-10 05:22 . 2008-08-20 05:38 151040 c:\windows\system32\dllcache\cdfview.dll - 2001-08-30 10:30 . 2008-08-20 05:38 151040 c:\windows\system32\cdfview.dll + 2001-08-30 10:30 . 2009-02-20 08:30 151040 c:\windows\system32\cdfview.dll - 2006-05-08 11:52 . 2008-10-15 11:02 135168 c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\misc.exe + 2006-05-08 11:52 . 2009-05-03 07:48 135168 c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\misc.exe + 2004-09-22 22:46 . 2008-06-18 09:03 2458112 c:\windows\system32\WMVCore.dll - 2001-08-30 10:30 . 2007-10-26 03:36 8454656 c:\windows\system32\shell32.dll + 2001-08-30 10:30 . 2008-07-03 13:16 8454656 c:\windows\system32\shell32.dll + 2001-08-30 10:30 . 2009-03-02 23:52 1495552 c:\windows\system32\shdocvw.dll - 2001-08-30 10:30 . 2008-05-07 05:18 1287680 c:\windows\system32\quartz.dll + 2001-08-30 10:30 . 2008-12-20 22:43 1287680 c:\windows\system32\quartz.dll + 2001-08-30 10:30 . 2009-02-20 08:30 3059712 c:\windows\system32\mshtml.dll + 2004-09-22 22:46 . 2008-06-18 09:03 2458112 c:\windows\system32\dllcache\WMVCore.dll + 2007-03-08 13:47 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys + 2006-07-13 13:33 . 2008-07-03 13:16 8454656 c:\windows\system32\dllcache\shell32.dll - 2006-07-13 13:33 . 2007-10-26 03:36 8454656 c:\windows\system32\dllcache\shell32.dll + 2006-05-29 15:30 . 2009-03-02 23:52 1495552 c:\windows\system32\dllcache\shdocvw.dll - 2007-10-29 22:43 . 2008-05-07 05:18 1287680 c:\windows\system32\dllcache\quartz.dll + 2007-10-29 22:43 . 2008-12-20 22:43 1287680 c:\windows\system32\dllcache\quartz.dll + 2006-12-19 14:17 . 2009-02-06 17:24 2180480 c:\windows\system32\dllcache\ntoskrnl.exe + 2006-12-19 12:55 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe - 2006-12-19 12:55 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe - 2006-12-19 12:55 . 2008-08-14 09:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe + 2006-12-19 12:55 . 2009-02-06 16:49 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe + 2006-12-19 14:15 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe - 2006-12-19 14:15 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe + 2006-05-19 15:08 . 2009-02-20 08:30 3059712 c:\windows\system32\dllcache\mshtml.dll - 2006-05-10 05:22 . 2008-08-20 05:38 1054208 c:\windows\system32\dllcache\danim.dll + 2006-05-10 05:22 . 2009-02-20 08:30 1054208 c:\windows\system32\dllcache\danim.dll - 2006-05-10 05:22 . 2008-08-20 05:38 1023488 c:\windows\system32\dllcache\browseui.dll + 2006-05-10 05:22 . 2009-02-20 08:30 1023488 c:\windows\system32\dllcache\browseui.dll - 2001-08-30 10:30 . 2008-08-20 05:38 1054208 c:\windows\system32\danim.dll + 2001-08-30 10:30 . 2009-02-20 08:30 1054208 c:\windows\system32\danim.dll - 2001-08-30 10:30 . 2008-08-20 05:38 1023488 c:\windows\system32\browseui.dll + 2001-08-30 10:30 . 2009-02-20 08:30 1023488 c:\windows\system32\browseui.dll + 2005-03-02 00:59 . 2009-02-06 17:24 2180480 c:\windows\Driver Cache\i386\ntoskrnl.exe + 2005-03-02 00:34 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe - 2005-03-02 00:34 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe + 2005-03-02 00:34 . 2009-02-06 16:49 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe - 2005-03-02 00:34 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe + 2005-03-02 00:57 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe - 2005-03-02 00:57 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe + 2004-09-22 22:46 . 2008-11-11 22:34 10838016 c:\windows\system32\wmp.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-09 282624] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "ISTray"="f:\spyware doctor\pctsTray.exe" [2008-08-25 1168264] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "f:\\VLC\\vlc.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "f:\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"= S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544] S2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-06-13 356920] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uDefault_Search_URL = hxxp://ie.search.msn.com mStart Page = hxxp://www.google.com IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9vmz3p6.default\ FF - prefs.js: browser.startup.homepage - about:blank FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll FF - plugin: f:\google\Picasa3\npPicasa3.dll FF - plugin: f:\mozilla firefox\plugins\np-mswmp.dll FF - plugin: f:\mozilla firefox\plugins\npstrlnk.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-03 15:43 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2000478354-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6B33CEF-1D54-40FE-BBA7-C04880689D1F}\iexplore] @DACL=(02 0000) "Type"=dword:00000003 "Count"=dword:00000034 "Time"=hex:d8,07,0c,00,02,00,09,00,10,00,07,00,35,00,de,02 . Completion time: 2009-05-03 15:45 ComboFix-quarantined-files.txt 2009-05-03 19:45 ComboFix2.txt 2009-05-02 14:13 Pre-Run: 60,958,273,536 bytes free Post-Run: 60,953,214,976 bytes free 304 --- E O F --- 2009-05-03 07:48 New HiJack Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:30:00 PM, on 5/3/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\LVCOMSX.EXE F:\Spyware Doctor\pctsTray.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\system32\HPZipm12.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O1 - Hosts: ::1 localhost O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 4504 bytes
  3. channel12001
    OK, here is Combo Log: ComboFix 09-05-02.4 - Owner 05/02/2009 9:59.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.248 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\progra~1\COMMON~1\{DCC24~1 c:\windows\emMON.exe c:\windows\system32\awuwutij.ini c:\windows\system32\ezehumul.ini c:\windows\system32\honisuhi.dll c:\windows\system32\japuzefi.dll c:\windows\system32\jovaleja.dll c:\windows\system32\otajejuk.ini c:\windows\system32\pihuhiru.dll c:\windows\system32\seyohale.exe c:\windows\system32\taskkill.exe F:\WinRAR.exe . ((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 ))))))))))))))))))))))))))))))) . 2009-04-04 13:45 . 2009-04-04 13:45 -------- d-----w c:\program files\EMUSB2.0 2009-04-04 13:45 . 2009-04-04 13:45 -------- d-----w c:\program files\eMPIA 2009-04-04 13:44 . 2004-12-13 06:44 4184960 ----a-w c:\windows\system32\libavcodec.dll 2009-04-04 13:44 . 2004-12-13 06:44 143360 ----a-w c:\windows\system32\MPEG2VideoDMO.dll 2009-04-04 13:44 . 2004-12-13 06:44 139264 ----a-w c:\windows\system32\MPEG2MuxFilter.dll 2009-04-04 13:44 . 2004-12-13 06:44 40960 ----a-w c:\windows\system32\MMACVT.DLL 2009-04-04 13:44 . 2004-12-13 06:44 40960 ----a-w c:\windows\system32\MMVM2D.DLL 2009-04-04 13:44 . 2004-12-13 06:44 53248 ----a-w c:\windows\system32\AUDIO_PREVIEW.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 13:57 . 2006-05-04 21:40 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-04-30 10:52 . 2009-01-30 10:52 60416 --sha-w c:\windows\system32\miyahewe.exe 2009-04-24 18:20 . 2008-11-10 18:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 19:32 . 2008-12-12 00:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 19:32 . 2008-12-12 00:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-06 18:32 . 2007-12-19 21:58 -------- d-----w c:\program files\Napster 2009-04-04 13:45 . 2006-05-05 01:22 -------- d--h--w c:\program files\InstallShield Installation Information 2009-04-04 13:44 . 2006-05-05 01:22 -------- d-----w c:\program files\Common Files\InstallShield 2009-01-30 10:49 . 2009-01-30 10:49 67072 --sha-w c:\windows\system32\kiduruka.dll.tmp 2009-01-30 10:49 . 2009-01-30 10:49 67072 --sha-w c:\windows\system32\vagazodi.dll.tmp 2008-09-09 00:59 . 2008-09-09 00:59 64619 --sha-w c:\windows\system32\vugivodi.dll.tmp 2009-01-30 10:49 . 2009-01-30 10:49 67072 --sha-w c:\windows\system32\yupujufo.dll.tmp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-09 282624] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "ISTray"="f:\spyware doctor\pctsTray.exe" [2008-08-25 1168264] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "f:\\VLC\\vlc.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "f:\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"= S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544] S2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-06-13 356920] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uDefault_Search_URL = hxxp://ie.search.msn.com mStart Page = hxxp://www.google.com IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9vmz3p6.default\ FF - prefs.js: browser.startup.homepage - about:blank FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll FF - plugin: f:\google\Picasa3\npPicasa3.dll FF - plugin: f:\mozilla firefox\plugins\np-mswmp.dll FF - plugin: f:\mozilla firefox\plugins\npstrlnk.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-02 10:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2000478354-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6B33CEF-1D54-40FE-BBA7-C04880689D1F}\iexplore] @DACL=(02 0000) "Type"=dword:00000003 "Count"=dword:00000034 "Time"=hex:d8,07,0c,00,02,00,09,00,10,00,07,00,35,00,de,02 . Completion time: 2009-05-02 10:13 ComboFix-quarantined-files.txt 2009-05-02 14:13 Pre-Run: 61,555,912,704 bytes free Post-Run: 61,545,230,336 bytes free 128 --- E O F --- 2008-11-13 03:12 And here is HiJack Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:31:35 PM, on 5/2/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\LVCOMSX.EXE F:\Spyware Doctor\pctsTray.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O1 - Hosts: ::1 localhost O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 4593 bytes
  4. channel12001
    Scans run in normal mode as requested..... MB Log Malwarebytes' Anti-Malware 1.36 Database version: 2061 Windows 5.1.2600 Service Pack 2 5/1/2009 1:24:52 PM mbam-log-2009-05-01 (13-24-52).txt Scan type: Quick Scan Objects scanned: 71524 Time elapsed: 8 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HiJack Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:16:20 PM, on 5/1/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\LVCOMSX.EXE F:\Spyware Doctor\pctsTray.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O1 - Hosts: ::1 localhost O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKUS\S-1-5-19\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 4445 bytes
  5. channel12001
    I ran a Malware scan after my Spyware Doctor kept blocking a threat. MB listed 25 infections and they were all this Vundo.H. I removed them but when I restarted I kept getting "bad image" errors saying to check my install disk...I have posted a HiJack log and MB log, both run in safemode. Does anything look fishy here?? Thank you very much in advance for the help.... MB Log Malwarebytes' Anti-Malware 1.36 Database version: 2061 Windows 5.1.2600 Service Pack 2 4/30/2009 3:11:02 PM mbam-log-2009-04-30 (15-11-02).txt Scan type: Quick Scan Objects scanned: 71171 Time elapsed: 5 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HiJack Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:11:42 PM, on 4/30/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\WINDOWS\Explorer.EXE F:\Spyware Doctor\pctsTray.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O1 - Hosts: ::1 localhost O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKUS\S-1-5-20\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 3775 bytes
  6. channel12001
    Thanks for the help, here are the new logs to confirm: Malwarebytes' Anti-Malware 1.31 Database version: 1491 Windows 5.1.2600 Service Pack 2 12/12/2008 8:06:23 AM mbam-log-2008-12-12 (08-06-23).txt Scan type: Quick Scan Objects scanned: 45152 Time elapsed: 3 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) And Hijack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:07:22 AM, on 12/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\pctspk.exe F:\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\HPZipm12.exe F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe F:\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKUS\S-1-5-19\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 4393 bytes
  7. channel12001
    So, I uninstalled and re-installed Malwarebytes. It seemed to get rid of the runtime errors. It is also updated to the newest version and newest definitions. I ran a scan and below is the new log. The program stated that it removed everything after a restart. Malwarebytes' Anti-Malware 1.31 Database version: 1491 Windows 5.1.2600 Service Pack 2 12/11/2008 7:54:15 PM mbam-log-2008-12-11 (19-54-15).txt Scan type: Quick Scan Objects scanned: 45349 Time elapsed: 3 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 5 Registry Keys Infected: 6 Registry Values Infected: 5 Registry Data Items Infected: 5 Folders Infected: 0 Files Infected: 13 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\tumazuba.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\yabohoyu.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\rezizafo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\kopurege.dll (Trojan.Vundo.H) -> Delete on reboot. c:\WINDOWS\system32\folopaga.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6b33cef-1d54-40fe-bba7-c04880689d1f} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a6b33cef-1d54-40fe-bba7-c04880689d1f} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6b33cef-1d54-40fe-bba7-c04880689d1f} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcc24aac (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdff17930 (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rogepawero (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kopurege.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kopurege.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kopurege.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\folopaga.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\folopaga.dll -> Delete on reboot. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\tumazuba.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\abuzamut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. c:\WINDOWS\system32\folopaga.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\rezizafo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\yabohoyu.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\kopurege.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\fagometo.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\bunosuja.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dafanole.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nokiyelu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wosepobe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sekelumo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\resowuki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  8. channel12001
    Please help....I have posted logs below as instructed, I have been trying to get rid of this for weeks. I am no longer able to open Malwarebytes Anti-malware, it is giving me runtime errors...here is the last log from Malwarebytes that I was able to run before these runtime errors: Malwarebytes' Anti-Malware 1.30 Database version: 1380 Windows 5.1.2600 Service Pack 2 12/10/2008 12:34:35 PM mbam-log-2008-12-10 (12-34-35).txt Scan type: Quick Scan Objects scanned: 43618 Time elapsed: 7 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdff17930 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rogepawero (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Panda Active Scan Log: ;******************************************************************************* ******************************************************************************** * ******************* ANALYSIS: 2008-12-11 16:02:54 PROTECTIONS: 0 MALWARE: 1 SUSPECTS: 0 ;******************************************************************************* ******************************************************************************** * ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================ = =================== 00377806 Trj/Downloader.MVS Virus/Trojan No 1 Yes No C:\WINDOWS\system32\setup9x.exe ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location L ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description L ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== Hijack Logs: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:04:55 PM, on 12/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\LVCOMSX.EXE F:\Spyware Doctor\pctsAuxs.exe F:\Spyware Doctor\pctsSvc.exe F:\Spyware Doctor\pctsTray.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe F:\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O2 - BHO: (no name) - {a6b33cef-1d54-40fe-bba7-c04880689d1f} - C:\WINDOWS\system32\yabohoyu.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [iSTray] "F:\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [CPMdff17930] Rundll32.exe "c:\windows\system32\folopaga.dll",a O4 - HKLM\..\Run: [dcc24aac] rundll32.exe "C:\WINDOWS\system32\tumazuba.dll",b O4 - HKLM\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKUS\S-1-5-19\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [rogepawero] Rundll32.exe "C:\WINDOWS\system32\rezizafo.dll",s (User 'NETWORK SERVICE') O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160003870265 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{750E5DFC-A6D4-4C2B-B693-46A695B956EE}: Domain = domain.invalid O20 - AppInit_DLLs: c:\windows\system32\folopaga.dll,C:\WINDOWS\system32\kopurege.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\folopaga.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\folopaga.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\pctsSvc.exe -- End of file - 5282 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.