crazymusic_lover19 Posted February 2, 2009 ID:52745 Share Posted February 2, 2009 Hello!Awesome work providing this kind of help. I really appreciate it and I Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:52995 Share Posted February 3, 2009 The logs show that you have not taken action. You need to tell MBAM to fix it.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 3, 2009 Author ID:53007 Share Posted February 3, 2009 Here you go. Thank you.Malwarebytes' Anti-Malware 1.33Database version: 1718Windows 5.1.2600 Service Pack 32/3/2009 4:57:36 PMmbam-log-2009-02-03 (16-57-36).txtScan type: Quick ScanObjects scanned: 55865Time elapsed: 8 minute(s), 43 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e46bdcf0-99a4-4dab-8447-5f7856322a86} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e46bdcf0-99a4-4dab-8447-5f7856322a86} (Trojan.BHO.H) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\ativvax.dll (Trojan.BHO.H) -> Delete on reboot.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 17:03:00, on 2/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\VMSnap3.EXEC:\WINDOWS\Domino.EXEC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\DNA\btdna.exeC:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\FinePixViewer\QuickDCF2.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\fscagent.exeC:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXEC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: (no name) - {e46bdcf0-99a4-4dab-8447-5f7856322a86} - C:\WINDOWS\system32\ativvax.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logonO4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXEO4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXEO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -lO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chua\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219554141350O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Creative Service for CDROM Access (creative service for cdrom access) - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeO23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe--End of file - 9949 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53063 Share Posted February 3, 2009 Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 3, 2009 Author ID:53075 Share Posted February 3, 2009 I ran ComboFix. Also did another HJT Log. Here are the results. Thank you.ComboFix 09-02-02.04 - Chua 2009-02-03 19:49:17.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.587 [GMT 8:00]Running from: c:\documents and settings\Chua\Desktop\ComboFix.exeAV: avast! antivirus 4.8.1296 [VPS 090202-1] *On-access scanning disabled* (Updated) * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\cfcllwpx.inic:\windows\system32\ic:\windows\system32\tmp.regc:\windows\Tasks\vrhhxuqk.job.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_protect-------\Service_seneka((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 ))))))))))))))))))))))))))))))).2009-02-03 01:36 . 2008-04-14 02:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys2009-02-03 01:36 . 2008-04-14 02:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys2009-02-03 01:36 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll2009-02-03 01:35 . 2008-04-14 08:12 159,232 --a------ c:\windows\system32\ptpusd.dll2009-02-03 01:32 . 2009-02-03 01:36 <DIR> d-------- c:\documents and settings\Chua\Application Data\FUJIFILM2009-02-03 01:30 . 2009-02-03 01:30 <DIR> d-------- c:\program files\REGSHAVE2009-02-03 01:30 . 2009-02-03 01:35 <DIR> d-------- c:\program files\FinePixViewer2009-02-03 01:30 . 2009-02-03 01:30 <DIR> d-------- c:\documents and settings\Chua\Application Data\InstallShield2009-02-03 01:30 . 2003-09-03 16:45 274,432 --a------ c:\windows\system32\FFTIFF16.dll2009-02-03 01:30 . 2006-07-12 14:39 208,896 --a------ c:\windows\system32\FFRafShellEx.dll2009-02-03 01:30 . 2004-07-24 21:28 155,648 --a------ c:\windows\system32\FFRAFLIB.DLL2009-02-03 01:30 . 2001-11-25 19:11 81,924 --------- c:\windows\system32\drivers\VC4CB104.SYS2009-02-03 01:30 . 2002-02-06 00:33 69,632 --------- c:\windows\system32\FREGSHEX.DLL2009-02-03 01:30 . 2002-02-27 19:27 65,536 --------- c:\windows\system32\FINFCHECK.dll2009-02-03 01:30 . 2002-06-25 10:06 45,056 --------- c:\windows\system32\FINFCOPY.dll2009-02-03 01:30 . 2002-02-13 18:00 45,056 --------- c:\windows\system32\FCLKBTN.DLL2009-02-02 20:31 . 2009-02-02 20:31 <DIR> d-------- c:\program files\Trend Micro2009-02-02 01:43 . 2009-02-02 18:59 <DIR> d-------- c:\documents and settings\Chua\.housecall6.62009-02-01 22:52 . 2009-02-01 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\windows\system32\XPSViewer2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\program files\Reference Assemblies2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\program files\MSBuild2009-02-01 19:23 . 2009-02-01 19:23 <DIR> d-------- C:\8957ead3fed9c454fe912009-02-01 19:23 . 2008-07-06 20:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll2009-02-01 19:23 . 2008-07-06 20:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll2009-02-01 19:23 . 2008-07-06 18:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe2009-02-01 19:23 . 2008-07-06 20:06 575,488 --------- c:\windows\system32\xpsshhdr.dll2009-02-01 19:23 . 2008-07-06 20:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll2009-02-01 19:23 . 2008-07-06 20:06 117,760 --------- c:\windows\system32\prntvpt.dll2009-02-01 19:23 . 2008-07-06 20:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll2009-02-01 19:18 . 2009-02-02 18:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-01 19:18 . 2009-02-01 19:18 <DIR> d-------- c:\documents and settings\Chua\Application Data\Malwarebytes2009-02-01 19:18 . 2009-02-01 19:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-01 19:18 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-01 19:18 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-01 17:46 . 2009-02-01 17:54 <DIR> d-------- c:\program files\RegistryFix72009-02-01 16:07 . 2009-02-01 16:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IObit2009-02-01 15:57 . 2009-02-01 15:57 <DIR> d-------- c:\documents and settings\Administrator2009-02-01 13:12 . 2009-02-01 13:12 <DIR> d-------- c:\program files\IObit2009-02-01 13:03 . 2009-02-01 13:03 61 --a------ c:\windows\wininit.ini2009-01-31 23:05 . 1999-12-13 01:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE2009-01-31 23:05 . 1999-11-18 01:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE2009-01-31 22:59 . 2009-01-31 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative2009-01-31 21:37 . 2003-10-03 13:21 174,592 --a------ c:\windows\system32\framedyn.dll2009-01-31 20:05 . 2009-01-31 20:05 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP2009-01-31 20:04 . 2009-01-31 20:20 138,240 --a------ c:\windows\system32\drivers\ethdmirb.sys2009-01-31 19:58 . 2009-01-31 20:13 123,904 --a------ C:\urwkcn.exe2009-01-31 19:58 . 2008-04-14 08:11 96,256 --a------ c:\windows\system32\ativvax.dll2009-01-31 19:57 . 2009-01-31 19:59 123,904 --a------ C:\bofde.exe2009-01-31 19:57 . 2008-12-22 04:36 34 --a------ c:\documents and settings\Chua\readme.bat2009-01-31 19:57 . 2009-01-31 20:34 2 --a------ C:\9413671052009-01-31 18:52 . 2009-01-31 18:52 4,096 --a------ c:\windows\system32\drivers\symlcbrd.sys2009-01-25 19:39 . 2001-08-17 22:37 24,576 --a--c--- c:\windows\system32\dllcache\agcgauge.ax2009-01-25 13:57 . 2009-01-29 20:09 27 --a------ c:\windows\option.ini2009-01-25 13:49 . 2009-01-25 13:49 <DIR> d-------- c:\program files\e-Games2009-01-24 15:21 . 2009-01-24 15:21 <DIR> d-------- c:\program files\NOS2009-01-24 15:21 . 2009-01-24 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS2009-01-24 14:22 . 2009-01-24 14:22 <DIR> d-------- c:\program files\Alwil Software2009-01-24 13:52 . 2009-01-24 13:52 <DIR> d-------- c:\documents and settings\Chua\Application Data\IObit2009-01-24 13:37 . 2009-01-24 13:37 <DIR> d-------- c:\documents and settings\Chua\Application Data\vlc2009-01-24 01:32 . 2009-01-24 01:32 <DIR> d-------- c:\program files\Common Files\xing shared2009-01-24 01:31 . 2009-01-24 01:31 <DIR> d-------- c:\program files\Real2009-01-24 00:14 . 2009-01-24 00:17 <DIR> d-------- c:\windows\system32\unknown2009-01-23 14:09 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll2009-01-23 14:09 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll2009-01-23 14:09 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll2009-01-23 14:09 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll2009-01-23 14:09 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll2009-01-23 14:09 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll2009-01-23 14:09 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll2009-01-21 18:36 . 2009-02-02 17:01 410,984 --a------ c:\windows\system32\deploytk.dll2009-01-17 16:13 . 2009-01-17 16:13 <DIR> d-------- c:\documents and settings\Chua\Application Data\Audio Record Edit Toolbox Pro2009-01-12 21:13 . 2009-01-31 10:02 <DIR> d-------- c:\documents and settings\Chua\Application Data\mjusbsp2009-01-12 20:53 . 2008-04-14 02:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys2009-01-12 20:53 . 2008-04-14 02:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys2009-01-12 20:53 . 2008-04-14 02:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys2009-01-12 20:53 . 2008-04-14 02:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys2009-01-12 20:52 . 2008-04-14 02:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys2009-01-12 20:52 . 2008-04-14 02:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys2009-01-10 01:30 . 2009-01-10 01:30 <DIR> d-------- c:\program files\Audio Recorder for Free.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-03 11:52 --------- d-----w c:\program files\DNA2009-02-03 11:52 --------- d-----w c:\documents and settings\Chua\Application Data\DNA2009-02-02 17:32 --------- d--h--w c:\program files\InstallShield Installation Information2009-02-02 10:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-02-02 09:59 --------- d-----w c:\program files\Java2009-01-31 15:08 --------- d--h--w c:\program files\Creative Installation Information2009-01-31 15:01 --------- d-----w c:\program files\Creative2009-01-31 12:33 --------- d-----w c:\program files\Common Files\Symantec Shared2009-01-27 17:04 --------- d-----w c:\documents and settings\Chua\Application Data\GetRight2009-01-26 12:18 --------- d-----w c:\documents and settings\Chua\Application Data\LimeWire2009-01-26 10:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!2009-01-23 18:21 --------- d-----w c:\program files\Flock2009-01-23 17:45 --------- d-----w c:\documents and settings\Chua\Application Data\Flock2009-01-23 17:32 --------- d-----w c:\program files\Common Files\Real2009-01-23 17:26 --------- d-----w c:\program files\GRETECH2008-12-21 04:39 --------- d-----w c:\program files\Windows Live SkyDrive2008-12-21 04:39 --------- d-----w c:\program files\Microsoft2008-12-13 12:26 --------- d-----w c:\program files\ffdshow2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys2008-12-05 17:12 --------- d-----w c:\documents and settings\Chua\Application Data\BitTorrent2008-12-05 15:47 --------- d-----w c:\program files\BitTorrent2008-08-26 06:51 30,024 ----a-w c:\documents and settings\Chua\Application Data\GDIPFONTCACHEV1.DAT2008-09-04 09:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080825\index.dat2008-09-04 09:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e46bdcf0-99a4-4dab-8447-5f7856322a86}]2008-04-14 08:11 96256 --a------ c:\windows\system32\ativvax.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-08 4363504]"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]"cdloader"="c:\documents and settings\Chua\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 700416][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"ClubBox"="c:\windows\system32\clubbox.exe" [2008-12-30 1626112]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-24 185872]"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-10-09 610365]ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-02-03 303104][HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="c:\\Program Files\\DNA\\btdna.exe"="c:\\Program Files\\BitTorrent\\bittorrent.exe"="c:\\WINDOWS\\system32\\FSCAgent.exe"="c:\\WINDOWS\\system32\\ClubBox.exe"="c:\\WINDOWS\\system32\\grdmgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Documents and Settings\\Chua\\Application Data\\mjusbsp\\magicJack.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"2251:UDP"= 2251:UDP:Windows Media Format SDK (firefox.exe)"2250:UDP"= 2250:UDP:Windows Media Format SDK (firefox.exe)"2253:UDP"= 2253:UDP:Windows Media Format SDK (firefox.exe)"2356:UDP"= 2356:UDP:Windows Media Format SDK (firefox.exe)"2357:UDP"= 2357:UDP:Windows Media Format SDK (firefox.exe)"2359:UDP"= 2359:UDP:Windows Media Format SDK (firefox.exe)R0 mglpewgn;mglpewgn;c:\windows\system32\drivers\mglpewgn.sys [2002-08-29 23424]R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-31 111184]R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-08-24 13696]R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-31 20560]R3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2008-08-24 54272]R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2008-08-24 428160]S1 ethdmirb;ethdmirb;c:\windows\system32\drivers\ethdmirb.sys [2009-01-31 138240]S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-24 33752][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d590e80d-e091-11dd-a686-00606e000062}]\Shell\AutoRun\command - E:\autorun.exe\Shell\phone\command - E:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-02-02 c:\windows\Tasks\avast! Antivirus.job- c:\progra~1\ALWILS~1\Avast4\ashAvast.exe [2008-11-27 01:13]..------- Supplementary Scan -------.uStart Page = about:blankIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlIE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlIE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlIE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlIE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmTrusted Zone: clubbox.co.kr\wwwDPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\documents and settings\Chua\Application Data\Mozilla\Firefox\Profiles\fz8wr221.default\FF - prefs.js: browser.startup.homepage - about:blankFF - component: c:\documents and settings\Chua\Application Data\Mozilla\Firefox\Profiles\fz8wr221.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dllFF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dllFF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll---- FIREFOX POLICIES ---- FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.12);user_pref(general.useragent.extra.zencast, .**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-03 19:52:36Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.c:\program files\Alwil Software\Avast4\aswUpdSv.exec:\program files\Alwil Software\Avast4\ashServ.exec:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exec:\windows\system32\CTSVCCDA.EXEc:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\LightScribe\LSSrvc.exec:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exec:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXEc:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exec:\windows\system32\nvsvc32.exec:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exec:\windows\system32\rundll32.exec:\program files\Alwil Software\Avast4\ashMaiSv.exec:\program files\Alwil Software\Avast4\ashWebSv.exec:\windows\system32\FSCAgent.exec:\program files\Yahoo!\Messenger\Ymsgr_tray.exe.**************************************************************************.Completion time: 2009-02-03 19:58:39 - machine was rebootedComboFix-quarantined-files.txt 2009-02-03 11:58:36Pre-Run: 84,618,498,048 bytes freePost-Run: 84,802,998,272 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn275 --- E O F --- 2009-01-21 00:45:48Logfile of Trend Micro HijackThis v2.0.2Scan saved at 20:06:03, on 2/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\VMSnap3.EXEC:\WINDOWS\Domino.EXEC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\DNA\btdna.exeC:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exeC:\Program Files\FinePixViewer\QuickDCF2.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: (no name) - {e46bdcf0-99a4-4dab-8447-5f7856322a86} - C:\WINDOWS\system32\ativvax.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logonO4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXEO4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXEO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -lO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chua\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219554141350O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Creative Service for CDROM Access (creative service for cdrom access) - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeO23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe--End of file - 10213 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53078 Share Posted February 3, 2009 Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVAWhen we're done you can go back and install the latest version but for now please do not install any.Then run this tool to help cleanup any left over JavaYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location and post it back when you replyThen look for the following Java folders and if found delete them.C:\Program Files\JavaC:\Program Files\Common Files\JavaC:\Documents and Settings\All Users\Application Data\JavaC:\Documents and Settings\All Users\Application Data\Sun\JavaC:\Documents and Settings\username\Application Data\JavaC:\Documents and Settings\username\Application Data\Sun\JavaThen run this again.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 3, 2009 Author ID:53086 Share Posted February 3, 2009 Here are the logfiles of JavaRa, MBAM and HJT. Thanks.JavaRa 1.12 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Mon Feb 02 17:58:49 2009Found and removed: C:\Program Files\Java\jre1.6.0_04Found and removed: C:\Program Files\Java\jre1.6.0_07Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610004Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610004Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004Found and removed: SOFTWARE\Classes\JavaPlugin.160_04Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_04Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610004Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610004Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}Found and removed: Software\Classes\JavaPlugin.160_04Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_04Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\bin\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\bin\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_04.b12\------------------------------------Finished reporting.JavaRa 1.12 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Mon Feb 02 17:59:42 2009JavaRa 1.12 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Mon Feb 02 18:00:19 2009------------------------------------Finished reporting.JavaRa 1.13 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Tue Feb 03 20:44:29 2009------------------------------------Finished reporting.Malwarebytes' Anti-Malware 1.33Database version: 1718Windows 5.1.2600 Service Pack 32/3/2009 20:56:13mbam-log-2009-02-03 (20-56-13).txtScan type: Quick ScanObjects scanned: 55025Time elapsed: 5 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e46bdcf0-99a4-4dab-8447-5f7856322a86} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e46bdcf0-99a4-4dab-8447-5f7856322a86} (Trojan.BHO.H) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\ativvax.dll (Trojan.BHO.H) -> Delete on reboot.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:01:42 PM, on 2/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\VMSnap3.EXEC:\WINDOWS\Domino.EXEC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\DNA\btdna.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\FinePixViewer\QuickDCF2.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\WINDOWS\system32\fscagent.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wuauclt.exeC:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: (no name) - {e46bdcf0-99a4-4dab-8447-5f7856322a86} - C:\WINDOWS\system32\ativvax.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logonO4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXEO4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXEO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -lO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chua\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219554141350O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Creative Service for CDROM Access (creative service for cdrom access) - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeO23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe--End of file - 9624 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53239 Share Posted February 4, 2009 Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.Requires access to a working computer with a CD/DVD burner to create a bootable CD.Avira AntiVir Rescue System - downloadAvira AntiVir Rescue SystemAvira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to: repair a damaged system, rescue data, scan the system for virus infections.Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 4, 2009 Author ID:53393 Share Posted February 4, 2009 Hey. I read about the Avira AntiVir Rescue System on the net. Here Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53415 Share Posted February 4, 2009 That was the OLD Avira tool, all command line. This one is newer and has Windows type interface and no way I'm aware of to save a log.Have it clean, move, fix anything found. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 4, 2009 Author ID:53464 Share Posted February 4, 2009 I think the AntiVir got it and others, as well. I ran MBAM Quick Scan right after AntiVir was done and MBAM showed there were no more infected files. Anyway, here is the logfile of AntiVir that I wrote down. Thank you so very much.AntiVir/Linux Version 2.1.12-113Copyright © 2008 by Avira GmbH.All Rights Reserved.VDF Version: 1.1.1.222 Created 03 Feb 2009AntiVir License: 149995 for AntiVir Rescue Systemchecking the master boot record of drive 128error (25): cannot read recordchecking the master boot record of driver 129error (2): cannot read recordauto excluding /sys/ from scans (is a special fs)auto exluding /proc from scans (is a special fs)checking drive/path (list): /mnt//mnt/sda1/bofde.exe ALERT: [TR/Drop.stj.78] /mnt/sda1/bofde.exe <<< Is a Trojan horse TR/Prop.stj.78 not removable. file renamed./mnt/sda1/urwkcn.exe ALERT: [TR/Drop.stj.78] /mnt/sda1/urwkcn.exe <<< Is the Trojan horse TR/Drop.stj.78 not removable. file renamed./mnt/sda1/Documents and Settings/Chua/.housecall.16.6/Quarantine/11.tmp.bac_a0156 ALERT: [TR/Dropper.Gen] /mnt/sda1/Documents and Settings/Chua/.housecall.16.6/Quarantine/11.tmp.bac_a0156 <<< Is the Trojan horse TR/Dropper.Gen not removable. file renamed./mnt/sda1/Document and Setttings/Chua/Desktop/ComboFix.Exe ALERT: [TR/Dropper.Gen] /mnt/sda1/Document and Setttings/Chua/Desktop/ComboFix.Exe --> 32788K22FWJFW\Prep.com <<< Is the Trojan horse TR/Dropper.Gen/mnt/sda1/Document and Setttings/Chua/Desktop/ComboFix.Exe ALERT: [APPL/PSExec.E] /mnt/sda1/Document and Setttings/Chua/Desktop/ComboFix.Exe --> 32788.R22FWJFW\psexec.cfexe <<< Contains detection pattern of the application APPL/PsExec.E file renamed./mnt/sda1/System Volume Information/_restore{1457a33x-f2b7-430D-AA17-63DCADC2878A}RP3/A0001612.exe ALERT: [TR/Fakealert.FM] /mnt/sda1/System Volume Information/_restore{1457a33x-f2b7-430D-AA17-63DCADC2878A}RP3/A0001612.exe <<< Is the Trojan horse TR/Fakealert.FM not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA47-63DCADC2878A}.RP3/A0001624.exe ALERT: [TR/Trash.Gen] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA47-63DCADC2878A}.RP3/A0001624.exe <<< Is the Trojan horse TR/Trash.Gen not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA47-63DCADC2878A}.RP3/A0001625.exe ALERT: [TR/Trash.Gen] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA47-63DCADC2878A}.RP3/A0001625.exe <<< Is the Trojan horse TR/Trash.Gen not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002016.exe ALERT: [sPR/Tool.Reboot.F] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002016.exe <<< Contains detection pattern of the SPR/Tool.Reboot.F program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001957.exe ALERT: [sPR/Tool.Reboot.F] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001957.exe <<< Contains detection pattern of the SPR/Tool.Reboot.F program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001958.exe ALERT: [sPR/Tool.Reboot.A] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001958.exe <<< Contains detection pattern of the SPR/Tool.Reboot.A program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001983.exe ALERT: [sPR/Tool.Reboot.F] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001983.exe <<< Contains detection pattern of the SPR/Tool.Reboot.F program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001984.exe ALERT: [sPR/Tool.Reboot.A] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0001984.exe <<< Contains detection pattern of the SPR/Tool.Reboot.A program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002002.exe ALERT: [sPR/Tool.Reboot.F] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002002.exe --> SmitFraudFix/Reboot.exe <<< Contains detection pattern of the SPR/Tool.Reboot.F program/mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002002.exe ALERT: [sPR/Tool.Reboot.A] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002002.exe --> SmitFraudFix/Reboot.exe <<< Contains detection pattern of the SPR/Tool.Hardoff.A program file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002017.exe ALERT: [sPR/Tool.Reboot.A] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002017.exe <<< Contains detection pattern of the SPR/Tool.Hardoff.A program not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002093.com ALERT: [TR/Dropper.Gen] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002093.com <<< Is the Trojan horse TR/Dropper.Gen not removable. file renamed./mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002135.exe ALERT: [APPL/PSExec.E] /mnt/sda1/System Volume Information/_restore{1457A33C-F2B7-430D-AA17-63DCADC2878A}/RP7/A0002135.EXE <<< contains detection pattern of the appliction APPL/PSExec.E not removable. file renamed./mnt/sda1/WINDOWS/PSEXESVC.EXE ALERT: [APPL/PSExec.E] /mnt/sda1/WINDOWS/PSEXESV.EXE <<< Contains detection pattern of the application APPL/PSExec.E not removable. file renamed./mnt/sda1/WINDOWS/system32/ativvax.dll ALERT: [TR/BHO.Gen] /mnt/sda1/WINDOWS/system32/ativvax.dll <<< Is the Trojan horse TR/BHO.Gen not removable. file renamed./mnt/sda1/WINDOWS/system32/drivers/ethdmirb.exe ALERT: [TR/Rootkit.Gen] /mnt/sda1/WINDOWS/system32/drivers/ethdmirb.exe <<< Is the Trojan horse TR/Rootkit.Gen not removable. file renamed./mnt/sda1/WINDOWS/system32/drivers/mglpewgn.sys ALERT: [TR/Rootkit.Gen] /mnt/sda1/WINDOWS/system32/drivers/mglpewgn.sys <<< Is the Trojan horse TR/Rootkit.Gen not removable. file renamed.-----------------scan results-----------------directories: 6243scanned files: 279600alerts: 22suspicious: 0repaired: 0renamed: 20quarantined: 0scan time: 00.33.57 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53657 Share Posted February 5, 2009 Please update MBAM and run another Quick Scan and post back that log.Then delete your current copy of Combofix and download a new copy and run that. Remove this folder C:\QooBox\LastRun first before running it.Then post back the new Combofix log and MBAM log. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 5, 2009 Author ID:53704 Share Posted February 5, 2009 Here are the MBAM and ComboFix logfiles. Thank you.Malwarebytes' Anti-Malware 1.33Database version: 1730Windows 5.1.2600 Service Pack 32/5/2009 6:55:09 PMmbam-log-2009-02-05 (18-55-09).txtScan type: Quick ScanObjects scanned: 55634Time elapsed: 4 minute(s), 51 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)ComboFix 09-02-04.04 - Chua 2009-02-05 18:58:58.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.573 [GMT 8:00]Running from: c:\documents and settings\Chua\Desktop\ComboFix.exeAV: avast! antivirus 4.8.1296 [VPS 090204-0] *On-access scanning disabled* (Updated) * Created a new restore point.((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 ))))))))))))))))))))))))))))))).2009-02-03 20:34 . 2009-02-03 20:34 0 --a------ c:\windows\system32\RENF.tmp2009-02-03 20:34 . 2009-02-03 20:34 0 --a------ c:\windows\system32\RENE.tmp2009-02-03 20:34 . 2009-02-03 20:34 0 --a------ c:\windows\system32\REND.tmp2009-02-03 01:36 . 2008-04-14 02:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys2009-02-03 01:36 . 2008-04-14 02:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys2009-02-03 01:36 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll2009-02-03 01:35 . 2008-04-14 08:12 159,232 --a------ c:\windows\system32\ptpusd.dll2009-02-03 01:32 . 2009-02-03 01:36 <DIR> d-------- c:\documents and settings\Chua\Application Data\FUJIFILM2009-02-03 01:30 . 2009-02-03 01:30 <DIR> d-------- c:\program files\REGSHAVE2009-02-03 01:30 . 2009-02-03 20:19 <DIR> d-------- c:\program files\FinePixViewer2009-02-03 01:30 . 2009-02-03 01:30 <DIR> d-------- c:\documents and settings\Chua\Application Data\InstallShield2009-02-03 01:30 . 2003-09-03 16:45 274,432 --a------ c:\windows\system32\FFTIFF16.dll2009-02-03 01:30 . 2006-07-12 14:39 208,896 --a------ c:\windows\system32\FFRafShellEx.dll2009-02-03 01:30 . 2004-07-24 21:28 155,648 --a------ c:\windows\system32\FFRAFLIB.DLL2009-02-03 01:30 . 2001-11-25 19:11 81,924 --------- c:\windows\system32\drivers\VC4CB104.SYS2009-02-03 01:30 . 2002-02-06 00:33 69,632 --------- c:\windows\system32\FREGSHEX.DLL2009-02-03 01:30 . 2002-02-27 19:27 65,536 --------- c:\windows\system32\FINFCHECK.dll2009-02-03 01:30 . 2002-06-25 10:06 45,056 --------- c:\windows\system32\FINFCOPY.dll2009-02-03 01:30 . 2002-02-13 18:00 45,056 --------- c:\windows\system32\FCLKBTN.DLL2009-02-02 20:31 . 2009-02-02 20:31 <DIR> d-------- c:\program files\Trend Micro2009-02-02 01:43 . 2009-02-05 02:29 <DIR> d-------- c:\documents and settings\Chua\.housecall6.62009-02-01 22:52 . 2009-02-01 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\windows\system32\XPSViewer2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\program files\Reference Assemblies2009-02-01 19:24 . 2009-02-01 19:24 <DIR> d-------- c:\program files\MSBuild2009-02-01 19:23 . 2009-02-01 19:23 <DIR> d-------- C:\8957ead3fed9c454fe912009-02-01 19:23 . 2008-07-06 20:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll2009-02-01 19:23 . 2008-07-06 20:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll2009-02-01 19:23 . 2008-07-06 18:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe2009-02-01 19:23 . 2008-07-06 20:06 575,488 --------- c:\windows\system32\xpsshhdr.dll2009-02-01 19:23 . 2008-07-06 20:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll2009-02-01 19:23 . 2008-07-06 20:06 117,760 --------- c:\windows\system32\prntvpt.dll2009-02-01 19:23 . 2008-07-06 20:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll2009-02-01 19:18 . 2009-02-02 18:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-01 19:18 . 2009-02-01 19:18 <DIR> d-------- c:\documents and settings\Chua\Application Data\Malwarebytes2009-02-01 19:18 . 2009-02-01 19:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-01 19:18 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-01 19:18 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-01 17:46 . 2009-02-01 17:54 <DIR> d-------- c:\program files\RegistryFix72009-02-01 16:07 . 2009-02-01 16:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IObit2009-02-01 15:57 . 2009-02-01 15:57 <DIR> d-------- c:\documents and settings\Administrator2009-02-01 13:03 . 2009-02-01 13:03 61 --a------ c:\windows\wininit.ini2009-01-31 23:05 . 1999-12-13 01:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE2009-01-31 23:05 . 1999-11-18 01:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE2009-01-31 22:59 . 2009-01-31 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative2009-01-31 21:37 . 2003-10-03 13:21 174,592 --a------ c:\windows\system32\framedyn.dll2009-01-31 20:05 . 2009-01-31 20:05 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP2009-01-31 19:57 . 2008-12-22 04:36 34 --a------ c:\documents and settings\Chua\readme.bat2009-01-31 19:57 . 2009-01-31 20:34 2 --a------ C:\9413671052009-01-31 18:52 . 2009-01-31 18:52 4,096 --a------ c:\windows\system32\drivers\symlcbrd.sys2009-01-25 19:39 . 2001-08-17 22:37 24,576 --a--c--- c:\windows\system32\dllcache\agcgauge.ax2009-01-25 13:57 . 2009-01-29 20:09 27 --a------ c:\windows\option.ini2009-01-25 13:49 . 2009-01-25 13:49 <DIR> d-------- c:\program files\e-Games2009-01-24 15:21 . 2009-01-24 15:21 <DIR> d-------- c:\program files\NOS2009-01-24 15:21 . 2009-01-24 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS2009-01-24 14:22 . 2009-01-24 14:22 <DIR> d-------- c:\program files\Alwil Software2009-01-24 13:52 . 2009-01-24 13:52 <DIR> d-------- c:\documents and settings\Chua\Application Data\IObit2009-01-24 13:37 . 2009-01-24 13:37 <DIR> d-------- c:\documents and settings\Chua\Application Data\vlc2009-01-24 01:32 . 2009-01-24 01:32 <DIR> d-------- c:\program files\Common Files\xing shared2009-01-24 01:31 . 2009-01-24 01:31 <DIR> d-------- c:\program files\Real2009-01-24 00:14 . 2009-01-24 00:17 <DIR> d-------- c:\windows\system32\unknown2009-01-23 14:09 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll2009-01-23 14:09 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll2009-01-23 14:09 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll2009-01-23 14:09 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll2009-01-23 14:09 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll2009-01-23 14:09 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll2009-01-23 14:09 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll2009-01-21 18:36 . 2009-02-02 17:01 410,984 --a------ c:\windows\system32\deploytk.dll2009-01-17 16:13 . 2009-01-17 16:13 <DIR> d-------- c:\documents and settings\Chua\Application Data\Audio Record Edit Toolbox Pro2009-01-12 21:13 . 2009-01-31 10:02 <DIR> d-------- c:\documents and settings\Chua\Application Data\mjusbsp2009-01-12 20:53 . 2008-04-14 02:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys2009-01-12 20:53 . 2008-04-14 02:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys2009-01-12 20:53 . 2008-04-14 02:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys2009-01-12 20:53 . 2008-04-14 02:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys2009-01-12 20:52 . 2008-04-14 02:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys2009-01-12 20:52 . 2008-04-14 02:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys2009-01-10 01:30 . 2009-01-10 01:30 <DIR> d-------- c:\program files\Audio Recorder for Free.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-05 11:00 --------- d-----w c:\documents and settings\Chua\Application Data\DNA2009-02-05 10:10 --------- d-----w c:\program files\DNA2009-02-03 14:00 --------- d-----w c:\documents and settings\Chua\Application Data\BitTorrent2009-02-02 17:32 --------- d--h--w c:\program files\InstallShield Installation Information2009-02-02 10:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-01-31 15:08 --------- d--h--w c:\program files\Creative Installation Information2009-01-31 15:01 --------- d-----w c:\program files\Creative2009-01-31 12:33 --------- d-----w c:\program files\Common Files\Symantec Shared2009-01-27 17:04 --------- d-----w c:\documents and settings\Chua\Application Data\GetRight2009-01-27 17:03 1,508 ----a-w c:\windows\system32\ealregsnapshot1.reg2009-01-26 12:18 --------- d-----w c:\documents and settings\Chua\Application Data\LimeWire2009-01-26 10:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!2009-01-23 18:21 --------- d-----w c:\program files\Flock2009-01-23 17:45 --------- d-----w c:\documents and settings\Chua\Application Data\Flock2009-01-23 17:32 --------- d-----w c:\program files\Common Files\Real2009-01-23 17:26 --------- d-----w c:\program files\GRETECH2008-12-30 05:40 1,626,112 ----a-r c:\windows\system32\clubbox.exe2008-12-21 04:39 --------- d-----w c:\program files\Windows Live SkyDrive2008-12-21 04:39 --------- d-----w c:\program files\Microsoft2008-12-13 12:26 --------- d-----w c:\program files\ffdshow2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys2008-12-05 15:47 --------- d-----w c:\program files\BitTorrent2008-12-02 14:37 49,480 ----a-w c:\windows\system32\sirenacm.dll2008-11-13 12:45 15,104 ----a-r c:\windows\system32\nowmemdf.sys2008-11-13 12:36 155,648 ----a-r c:\windows\system32\downengine.dll2008-08-26 06:51 30,024 ----a-w c:\documents and settings\Chua\Application Data\GDIPFONTCACHEV1.DAT2008-09-04 09:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080825\index.dat2008-09-04 09:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-08 4363504]"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]"cdloader"="c:\documents and settings\Chua\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 700416][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]"ClubBox"="c:\windows\system32\clubbox.exe" [2008-12-30 1626112]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-24 185872]"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-10-09 610365]ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-02-03 303104][HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="c:\\Program Files\\DNA\\btdna.exe"="c:\\Program Files\\BitTorrent\\bittorrent.exe"="c:\\WINDOWS\\system32\\FSCAgent.exe"="c:\\WINDOWS\\system32\\ClubBox.exe"="c:\\WINDOWS\\system32\\grdmgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Documents and Settings\\Chua\\Application Data\\mjusbsp\\magicJack.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"2251:UDP"= 2251:UDP:Windows Media Format SDK (firefox.exe)"2250:UDP"= 2250:UDP:Windows Media Format SDK (firefox.exe)"2253:UDP"= 2253:UDP:Windows Media Format SDK (firefox.exe)"2356:UDP"= 2356:UDP:Windows Media Format SDK (firefox.exe)"2357:UDP"= 2357:UDP:Windows Media Format SDK (firefox.exe)"2359:UDP"= 2359:UDP:Windows Media Format SDK (firefox.exe)R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-31 111184]R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-08-24 13696]R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-31 20560]R3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2008-08-24 54272]R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2008-08-24 428160]S0 mglpewgn;mglpewgn;c:\windows\system32\drivers\mglpewgn.sys --> c:\windows\system32\drivers\mglpewgn.sys [?]S1 ethdmirb;ethdmirb;c:\windows\system32\drivers\ethdmirb.sys --> c:\windows\system32\drivers\ethdmirb.sys [?]S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-24 33752][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d590e80d-e091-11dd-a686-00606e000062}]\Shell\AutoRun\command - E:\autorun.exe\Shell\phone\command - E:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-02-04 c:\windows\Tasks\avast! Antivirus.job- c:\progra~1\ALWILS~1\Avast4\ashAvast.exe [2008-11-27 01:13].- - - - ORPHANS REMOVED - - - -BHO-{e46bdcf0-99a4-4dab-8447-5f7856322a86} - c:\windows\system32\ativvax.dll.------- Supplementary Scan -------.uStart Page = about:blankIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlIE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlIE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlIE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlIE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmTrusted Zone: clubbox.co.kr\wwwDPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\documents and settings\Chua\Application Data\Mozilla\Firefox\Profiles\fz8wr221.default\FF - prefs.js: browser.startup.homepage - about:blankFF - component: c:\documents and settings\Chua\Application Data\Mozilla\Firefox\Profiles\fz8wr221.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dllFF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dllFF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll---- FIREFOX POLICIES ---- FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.12);user_pref(general.useragent.extra.zencast, .**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-05 19:01:36Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2009-02-05 19:03:49ComboFix-quarantined-files.txt 2009-02-05 11:03:18Pre-Run: 85,289,725,952 bytes freePost-Run: 85,299,875,840 bytes free233 --- E O F --- 2009-01-21 00:45:48 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53708 Share Posted February 5, 2009 Download but do not yet run ComboFixIf you have a previous version of Combofix.exe, delete it and download a fresh copy.Download it to your DESKTOP - it MUST run from the Desktopdownload.bleepingcomputer.com/sUBs/ComboFix.exesubs.geekstogo.com/ComboFix.exeUsing your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank linesKILLALL::Driver::mglpewgnethdmirbFile::c:\windows\system32\drivers\ethdmirb.sysc:\windows\system32\drivers\mglpewgn.sysc:\windows\system32\RENF.tmpc:\windows\system32\RENE.tmpc:\windows\system32\REND.tmpc:\windows\system32\FFTIFF16.dllc:\windows\system32\FFRafShellEx.dllc:\windows\system32\FFRAFLIB.DLLc:\windows\system32\FREGSHEX.DLLc:\windows\wininit.inic:\windows\system32\ealregsnapshot1.regFolder::c:\windows\E80F62FF5D3C4A1984099721F2928206.TMPC:\8957ead3fed9c454fe9Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with with your results log open. Do a File, Exit.A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.When that is done please do one more round of MBAM updates and Quick Scan and a new HJT log.Also, let me know how the computer is running now and if there are still any signs of an infection. Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 5, 2009 Author ID:53711 Share Posted February 5, 2009 MBAM and HJT logfiles are as follows.Malwarebytes' Anti-Malware 1.33Database version: 1730Windows 5.1.2600 Service Pack 32/5/2009 8:03:07 PMmbam-log-2009-02-05 (20-03-07).txtScan type: Quick ScanObjects scanned: 55101Time elapsed: 4 minute(s), 25 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:03:19 PM, on 2/5/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeC:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\VMSnap3.EXEC:\WINDOWS\Domino.EXEC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\DNA\btdna.exeC:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exeC:\Program Files\FinePixViewer\QuickDCF2.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\WINDOWS\SYSTEM32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [skyTel] SkyTel.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logonO4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXEO4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXEO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -lO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chua\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219554141350O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeO23 - Service: Creative Service for CDROM Access (creative service for cdrom access) - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exeO23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe--End of file - 9422 bytesThe computer is running great. It's as fast as it once was. Booting doesn't take much time and no error messages are popping up. Everything is back to normal and I'm really happy to say that there are no signs of infection anymore. Thank you very much for all the help. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53845 Share Posted February 5, 2009 That's good news. Let me leave you with these bits of information.Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and AcrobatSince you have P2P software you're running, ie. BitTorrent DNAFile sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy. Risks of File-Sharing TechnologyDownload and Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerOtherwise as far as Malware is concerned all looks good now.I'll close your post soon so that other don't post into it and leave you with this information and suggestions.So how did I get infected in the first place?At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Install SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org Link to post Share on other sites More sharing options...
crazymusic_lover19 Posted February 6, 2009 Author ID:54048 Share Posted February 6, 2009 Alright. Everything is duly noted. Once again, thank you very much for walking me through this entire thing. I really appreciate the wonderful help. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 6, 2009 Root Admin ID:54220 Share Posted February 6, 2009 You're quite welcome. Take care and stay safe out there. Link to post Share on other sites More sharing options...
Recommended Posts