ibmatt

Cannot remove hijack.regedit & hijack.folder options

MBAM shows these two infected registry keys and needs to reboot to complete fix/removal. After reboot and quick scan, these two items reappear. Also, when I start Mozilla, I get flooded with new viruses. Here are my latest logs:

Malwarebytes' Anti-Malware 1.34

Database version: 1765

Windows 5.1.2600 Service Pack 3

2/16/2009 8:13:16 AM

mbam-log-2009-02-16 (08-13-16).txt

Scan type: Quick Scan

Objects scanned: 76185

Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:15:03 AM, on 2/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\usbservice.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\clclean.0001

C:\WINDOWS\stsystra.exe

C:\Program Files\Autorun Eater\oldmcdonald.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Autorun Eater\billy.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\go34qyx.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\obf3rt6.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\ce5qsg6b.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\t0ewamp28.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\eoxz6dwsu.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\shb2ik.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\daw8nsancnkwo.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\sdw9qzd89oo.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\vb72qmrhbtxy.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\koh1bw.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\yvcz7rn90tix.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\cp71an5iniczf.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\jag62gn8mu.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\piitubx.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\lpripbi3xp.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\dlyj5g9ugj.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\gvt3uw.exe

C:\Documents and Settings\Matt\Application Data\U3\00001770C962C077\LaunchPad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.laplink.com/free

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [r1log953t] C:\DOCUME~1\Matt\LOCALS~1\Temp\ceetyc54gp6.exe

O4 - HKCU\..\Run: [ktmdd1ln97voh] C:\DOCUME~1\Matt\LOCALS~1\Temp\k8umaq2beq4.exe

O4 - HKCU\..\Run: [gjtvy7059du6awvond] C:\DOCUME~1\Matt\LOCALS~1\Temp\pym6iwq.exe

O4 - HKCU\..\Run: [q9mphm8kt4q8wzks] C:\DOCUME~1\Matt\LOCALS~1\Temp\j4qg81uwo.exe

O4 - HKCU\..\Run: [xa4nze8fpfjwrak2paw] C:\DOCUME~1\Matt\LOCALS~1\Temp\ckjc1d.exe

O4 - HKCU\..\Run: [vfkasoprdvdajn1nifstkjy1ddpo] C:\DOCUME~1\Matt\LOCALS~1\Temp\rbedkjn90.exe

O4 - HKCU\..\Run: [phwmkqppzf8nzviir5drr1xga2zwgez] C:\DOCUME~1\Matt\LOCALS~1\Temp\ck8tsua15qsy.exe

O4 - HKCU\..\Run: [wj12vsuz416pmomsnl5s532mnsu2lslkyu0t] C:\DOCUME~1\Matt\LOCALS~1\Temp\dudrjubc63632.exe

O4 - HKCU\..\Run: [aue53a9crl] C:\DOCUME~1\Matt\LOCALS~1\Temp\kc7fpg2dj80pl.exe

O4 - HKCU\..\Run: [mw9bddhvnlapoysdafiqg1iczb33u] C:\DOCUME~1\Matt\LOCALS~1\Temp\krl24d78.exe

O4 - HKCU\..\Run: [c1jlb6ihog215ivzfchi0sdcqygtz0aev3eoj6] C:\DOCUME~1\Matt\LOCALS~1\Temp\pks8lecx.exe

O4 - HKCU\..\Run: [o3pql21cled] C:\DOCUME~1\Matt\LOCALS~1\Temp\zztnoih6n1s.exe

O4 - HKCU\..\Run: [lvv1b4da92lrb3joiqh5wb6g68soz] C:\DOCUME~1\Matt\LOCALS~1\Temp\v11rkxlll.exe

O4 - HKCU\..\Run: [y4fy69kbup26m] C:\DOCUME~1\Matt\LOCALS~1\Temp\kjuxfjz.exe

O4 - HKCU\..\Run: [z40rrzpitrdr3wh43iqe265uexsr8wsjwh5wba] C:\DOCUME~1\Matt\LOCALS~1\Temp\dg1zslr9jyvm.exe

O4 - HKCU\..\Run: [g31no3sh5x91aik3] C:\DOCUME~1\Matt\LOCALS~1\Temp\s65txdynbj7.exe

O4 - HKCU\..\Run: [il3mzb7t5sho3yt2cus40k4s] C:\DOCUME~1\Matt\LOCALS~1\Temp\yqvxs9flxvp.exe

O4 - HKCU\..\Run: [k2ltfc0i3qouhmuz308e] C:\DOCUME~1\Matt\LOCALS~1\Temp\jos3ux3.exe

O4 - HKCU\..\Run: [ewgn2mer6s1pummyk0q9f4ycaywhdvogw9y5jti7] C:\DOCUME~1\Matt\LOCALS~1\Temp\ypt8fk.exe

O4 - HKCU\..\Run: [jisglo29phptfir0hrzl5zrm3n7z3istt30ok80y7zxg64] C:\DOCUME~1\Matt\LOCALS~1\Temp\qgo9yq84m.exe

O4 - HKCU\..\Run: [headz3t5jucok06] C:\DOCUME~1\Matt\LOCALS~1\Temp\twsjpjbgk58g.exe

O4 - HKCU\..\Run: [y6ps95a1iv04zr9lkxpgyokxnh3svhaaw7iyl4116v2] C:\DOCUME~1\Matt\LOCALS~1\Temp\u2l5jrp.exe

O4 - HKCU\..\Run: [r4st14t7r3bjyosu5yxyc569k8m6a1jgaavinp9zni10kj5ahw] C:\DOCUME~1\Matt\LOCALS~1\Temp\k8smev0j2r.exe

O4 - HKCU\..\Run: [dttq0ptm7x541utgmfz1l10] C:\DOCUME~1\Matt\LOCALS~1\Temp\ufkb82nfxlywf.exe

O4 - HKCU\..\Run: [zkemrtk5x9t4ph6tyx8l7xsm8tbjnyflrgsuaa] C:\DOCUME~1\Matt\LOCALS~1\Temp\doj5os787921.exe

O4 - HKCU\..\Run: [iaq5b8al9vaavz6mv412lnwnk8i8ecflpfmfocu5p46yt] C:\DOCUME~1\Matt\LOCALS~1\Temp\fzrlqko.exe

O4 - HKCU\..\Run: [p7z6hbu4gs0essngjgkn0pkdtvb1me85ygntgypf] C:\DOCUME~1\Matt\LOCALS~1\Temp\h11orryg.exe

O4 - HKCU\..\Run: [n2oteo9n0zql7towinz96jhldx] C:\DOCUME~1\Matt\LOCALS~1\Temp\zsdprxw47zx.exe

O4 - HKCU\..\Run: [ip9o1kh7vrd82su6] C:\DOCUME~1\Matt\LOCALS~1\Temp\jbte55oes.exe

O4 - HKCU\..\Run: [kia5lkwal8t0v1yf3ercg1] C:\DOCUME~1\Matt\LOCALS~1\Temp\b7hy4afob.exe

O4 - HKCU\..\Run: [wh6h4xog0poi9r1qb2g3iw2u3dttsa9b] C:\DOCUME~1\Matt\LOCALS~1\Temp\jlohuloeltlwb.exe

O4 - HKCU\..\Run: [yrh6h1u7zq8ht2ryegeegiuo5hyua0] C:\DOCUME~1\Matt\LOCALS~1\Temp\v82o4hxbcbca.exe

O4 - HKCU\..\Run: [b7fkvj552hksxe53dczeos] C:\DOCUME~1\Matt\LOCALS~1\Temp\sfeo8j9qvn.exe

O4 - HKCU\..\Run: [kkrhx7qtoczj66omjifcjb9o0rvii] C:\DOCUME~1\Matt\LOCALS~1\Temp\y9zv9v.exe

O4 - HKCU\..\Run: [wpio45nlv148781iw4njkeullq898fvcerj5rkwmawd5nc7eu] C:\DOCUME~1\Matt\LOCALS~1\Temp\g6neznead3.exe

O4 - HKCU\..\Run: [drns6fd46n0kysiwrqjjf6kmp] C:\DOCUME~1\Matt\LOCALS~1\Temp\uz1hbdg.exe

O4 - HKCU\..\Run: [ni3u9gq2wtd02q21jn8wrkl0ani4mu7] C:\DOCUME~1\Matt\LOCALS~1\Temp\tt7e6od2tw.exe

O4 - HKCU\..\Run: [tduq3io2upsh01swxtmisof8cl4si1twgxxs1537ar222z] C:\DOCUME~1\Matt\LOCALS~1\Temp\c268mx1ly.exe

O4 - HKCU\..\Run: [pmnf05mewks60o4rgzjymnusjwxitm5i3c] C:\DOCUME~1\Matt\LOCALS~1\Temp\isvmv5tz14.exe

O4 - HKCU\..\Run: [lomz52k4k8x3x8bwa886nbgzbn2uump] C:\DOCUME~1\Matt\LOCALS~1\Temp\gn6xl3njig51l.exe

O4 - HKCU\..\Run: [z5s6aexn862vnmdiaxurhqk79qlru73litktw8rydsu] C:\DOCUME~1\Matt\LOCALS~1\Temp\sldy8s.exe

O4 - HKCU\..\Run: [eztxl3bmmp6rvqux91gf8erwd2boelwqur2gw67hr79fh] C:\DOCUME~1\Matt\LOCALS~1\Temp\ufvuh2l.exe

O4 - HKCU\..\Run: [eklhadd2voghiqshp] C:\DOCUME~1\Matt\LOCALS~1\Temp\ijs8bg3xl.exe

O4 - HKCU\..\Run: [vq0hxvrgpgmi1] C:\DOCUME~1\Matt\LOCALS~1\Temp\sytnx3twp7fe.exe

O4 - HKCU\..\Run: [vhuiosyw7f9hkqy8udtv1i7ywgk76b26t8ozokel1] C:\DOCUME~1\Matt\LOCALS~1\Temp\rpbg4gc.exe

O4 - HKCU\..\Run: [ckkoul5y3l1zxztnmutyzh6h4swn] C:\DOCUME~1\Matt\LOCALS~1\Temp\of0dteau.exe

O4 - HKCU\..\Run: [yev7ebikf6fptq5ku6j1rq882ylrtgfsebaigiz96pdxea8n1] C:\DOCUME~1\Matt\LOCALS~1\Temp\h7vf9hqa.exe

O4 - HKCU\..\Run: [qe8i97ih35dke8qmxr5] C:\DOCUME~1\Matt\LOCALS~1\Temp\ceuqjg.exe

O4 - HKCU\..\Run: [eq5ryxwqbnr1eghnkzzahwbahuf78r7bngooqgjxhg84] C:\DOCUME~1\Matt\LOCALS~1\Temp\shb2ik.exe

O4 - HKCU\..\Run: [n9qfsrtiwh2uuo0dw] C:\DOCUME~1\Matt\LOCALS~1\Temp\ylhwiu6s.exe

O4 - HKCU\..\Run: [y9m1ueubiktevolnf] C:\DOCUME~1\Matt\LOCALS~1\Temp\c1v1u5tf.exe

O4 - HKCU\..\Run: [pvcu4yfxe3uv1drks17htb42p9gz5] C:\DOCUME~1\Matt\LOCALS~1\Temp\tsg7ba.exe

O4 - HKCU\..\Run: [yooio13vd1a] C:\DOCUME~1\Matt\LOCALS~1\Temp\t7uu77ano.exe

O4 - HKCU\..\Run: [wp1hwoldff0up18] C:\DOCUME~1\Matt\LOCALS~1\Temp\qe6bu9m.exe

O4 - HKCU\..\Run: [fm73ntlxgfhofhy8vwzhj8t2fv0h601r] C:\DOCUME~1\Matt\LOCALS~1\Temp\a1pwtkswuo.exe

O4 - HKCU\..\Run: [rnvi4oldaqnm8cbljtnxqhiyh4wfiiarrj0tl4kwiutfvis] C:\DOCUME~1\Matt\LOCALS~1\Temp\kfmkybysw.exe

O4 - HKCU\..\Run: [vzfgs830ca] C:\DOCUME~1\Matt\LOCALS~1\Temp\jikvb9q0d3l.exe

O4 - HKCU\..\Run: [xe33i42mqa8zpmmuz0ev43cv0xrfe7u4u5cog59vnz0sxm8] C:\DOCUME~1\Matt\LOCALS~1\Temp\a5qpha.exe

O4 - HKCU\..\Run: [le31s77rcs0by5gy8vii7gd] C:\DOCUME~1\Matt\LOCALS~1\Temp\baf3d5b3o4jgk.exe

O4 - HKCU\..\Run: [o9wqfgdd99uahtqr2phbl1o13kbe87zfsmc8ln] C:\DOCUME~1\Matt\LOCALS~1\Temp\qir4wuqr.exe

O4 - HKCU\..\Run: [uwwwzhjwodf7n21xf] C:\DOCUME~1\Matt\LOCALS~1\Temp\i57c4w3l.exe

O4 - HKCU\..\Run: [mxvikaat3l03hbcjhsp] C:\DOCUME~1\Matt\LOCALS~1\Temp\lqd64nbb4h.exe

O4 - HKCU\..\Run: [livmculy43g5genqijdn7] C:\DOCUME~1\Matt\LOCALS~1\Temp\u8adlyltv58.exe

O4 - HKCU\..\Run: [vcyuhrh5hpprs90mc84qoa09mmw6t0mjjetpa1m0mf] C:\DOCUME~1\Matt\LOCALS~1\Temp\y9aeivml.exe

O4 - HKCU\..\Run: [d3iv540ld2fcvwl] C:\DOCUME~1\Matt\LOCALS~1\Temp\erykfp5jmnc.exe

O4 - HKCU\..\Run: [m4tgd6usteacj72mcryr4n2bfex0hduvl6fefhmfbr8or] C:\DOCUME~1\Matt\LOCALS~1\Temp\zo2sjprscesis.exe

O4 - HKCU\..\Run: [jtyotrujbjjpt1zc2ifyru4vg5hamkojkwwlpjznwqs6v2] C:\DOCUME~1\Matt\LOCALS~1\Temp\ru4woaeat.exe

O4 - HKCU\..\Run: [do47d8eoy] C:\DOCUME~1\Matt\LOCALS~1\Temp\c8sfel403z67z.exe

O4 - HKCU\..\Run: [vum4kwqrrg8sfo5bhstqqcf1w8feua] C:\DOCUME~1\Matt\LOCALS~1\Temp\qzk55ti2jx0mi.exe

O4 - HKCU\..\Run: [v3usp5r7xluhd9z3kttp] C:\DOCUME~1\Matt\LOCALS~1\Temp\xyrqokm0ror.exe

O4 - HKCU\..\Run: [c6401gggjx6wgjt46yuq9edmcqmcvvk3mqbytifxzmrocus5yv] C:\DOCUME~1\Matt\LOCALS~1\Temp\wf7wwivh.exe

O4 - HKCU\..\Run: [e6bvbu7bu25gmw55j] C:\DOCUME~1\Matt\LOCALS~1\Temp\z4g3hvy.exe

O4 - HKCU\..\Run: [ibm71wo7uc] C:\DOCUME~1\Matt\LOCALS~1\Temp\n6gmnmj5.exe

O4 - HKCU\..\Run: [gk28e10w6ja4zzee9] C:\DOCUME~1\Matt\LOCALS~1\Temp\gts4urb71.exe

O4 - HKCU\..\Run: [wum6uvgogequtbfhzai8pcczft3str4nl] C:\DOCUME~1\Matt\LOCALS~1\Temp\swb5xyx.exe

O4 - HKCU\..\Run: [doyzvv4zkcntg1evff830jw3] C:\DOCUME~1\Matt\LOCALS~1\Temp\nszpw3o.exe

O4 - HKCU\..\Run: [g0gdzu6yvk25gwmipvh2p8] C:\DOCUME~1\Matt\LOCALS~1\Temp\qc8t8zm.exe

O4 - HKCU\..\Run: [fky7bxf8u9nmo3es5yhfuwppedjame9z326] C:\DOCUME~1\Matt\LOCALS~1\Temp\vbpscvjnaj.exe

O4 - HKCU\..\Run: [qb9s40q8c4q8r8fe7z7lvhwcsbm0m9cnrloen71] C:\DOCUME~1\Matt\LOCALS~1\Temp\i1lfnofi.exe

O4 - HKCU\..\Run: [rruq5akrr8f3z307lnjc9hc] C:\DOCUME~1\Matt\LOCALS~1\Temp\yooy1nyi.exe

O4 - HKCU\..\Run: [qq4g6zkv4qinebpa3rtipbuatq66zocjfopn9pjc1ftnu] C:\DOCUME~1\Matt\LOCALS~1\Temp\f7sqpd2m.exe

O4 - HKCU\..\Run: [hqb5hl2pkzh603j75pj9zj2bet6pspb6zmpkj1x] C:\DOCUME~1\Matt\LOCALS~1\Temp\o754ujmw6ak.exe

O4 - HKCU\..\Run: [fc3014rcp5dgfh8kg42as] C:\DOCUME~1\Matt\LOCALS~1\Temp\hdhm15xfqyre.exe

O4 - HKCU\..\Run: [sw4h3jbjt6vmd0xg7b8k5] C:\DOCUME~1\Matt\LOCALS~1\Temp\o2t4ek.exe

O4 - HKCU\..\Run: [ljg7c3pyi87xjyw6qom2eawzpy6hfh48t] C:\DOCUME~1\Matt\LOCALS~1\Temp\g8v84vw9tt.exe

O4 - HKCU\..\Run: [c1asaoaq3l] C:\DOCUME~1\Matt\LOCALS~1\Temp\jiqspl.exe

O4 - HKCU\..\Run: [bhg8jh8k4h0qfaby05yj4s817fif9ksof2cfrmzl10kbys608] C:\DOCUME~1\Matt\LOCALS~1\Temp\co2aw7a.exe

O4 - HKCU\..\Run: [pqrsi3zexzfj6dur8wn6rmyofb] C:\DOCUME~1\Matt\LOCALS~1\Temp\fyxu2nr1enp.exe

O4 - HKCU\..\Run: [l7f3m1wwkpex3] C:\DOCUME~1\Matt\LOCALS~1\Temp\xu4e1b1sxy1.exe

O4 - HKCU\..\Run: [olhmlqbzgod22dgx3hic8stwa4] C:\DOCUME~1\Matt\LOCALS~1\Temp\calu5o.exe

O4 - HKCU\..\Run: [i7712uj4b8xw8xn2v2f6mfitt8q9] C:\DOCUME~1\Matt\LOCALS~1\Temp\ncldsyl.exe

O4 - HKCU\..\Run: [dmchitsj7u2y5r4ujvd3f5fb3zfg3vnkb45ceqws] C:\DOCUME~1\Matt\LOCALS~1\Temp\b47cuhybp.exe

O4 - HKCU\..\Run: [wu8i9l4sq178s3vr7ygolyrsscz6hl] C:\DOCUME~1\Matt\LOCALS~1\Temp\ids0j99nhnp.exe

O4 - HKCU\..\Run: [oflid2i1yrxwumq1e4dqi3h5i3] C:\DOCUME~1\Matt\LOCALS~1\Temp\l2178t9q7o.exe

O4 - HKCU\..\Run: [zacbt8u7o2quzgdkgy3th1lr0iqph1zpct7ry] C:\DOCUME~1\Matt\LOCALS~1\Temp\s1896ypb.exe

O4 - HKCU\..\Run: [auxpingqakljsmjz1tvshi6bop73mi] C:\DOCUME~1\Matt\LOCALS~1\Temp\snacwwu.exe

O4 - HKCU\..\Run: [lli7phx9vs0dku1hukpy5bb] C:\DOCUME~1\Matt\LOCALS~1\Temp\usjikcfsd.exe

O4 - HKCU\..\Run: [exl4c1zi7qc5gtnwbqjv22j8h6d3t] C:\DOCUME~1\Matt\LOCALS~1\Temp\to1e063yevr.exe

O4 - HKCU\..\Run: [gcc5knsnulcot5f4jnqi71i4jhcnr0m1m180z9g69ijof9r] C:\DOCUME~1\Matt\LOCALS~1\Temp\lu3i5au.exe

O4 - HKCU\..\Run: [pg3dqt9opbvdhkdzxx2odnqehsmm4lcy0asts] C:\DOCUME~1\Matt\LOCALS~1\Temp\dlyj5g9ugj.exe

O4 - HKCU\..\Run: [vtcande3kqw5qkrq] C:\DOCUME~1\Matt\LOCALS~1\Temp\haakicmp3p9t.exe

O4 - HKCU\..\Run: [h5u2pq3ry5q9jab555yifycoanw967] C:\DOCUME~1\Matt\LOCALS~1\Temp\lba2f9nhx.exe

O4 - HKCU\..\Run: [xaqjau3u9zvddcoccv] C:\DOCUME~1\Matt\LOCALS~1\Temp\o9hmkog1j1.exe

O4 - HKCU\..\Run: [wv7ywcg218ptcr] C:\DOCUME~1\Matt\LOCALS~1\Temp\rjcpq4.exe

O4 - HKCU\..\Run: [c9csceuf0aypc4w0wziz3gynjpwo4t] C:\DOCUME~1\Matt\LOCALS~1\Temp\ov0pa5lf2.exe

O4 - HKCU\..\Run: [sice0vhnzyl8pokwttkx09rslivo6e8svf0irhelnvlxxoh8] C:\DOCUME~1\Matt\LOCALS~1\Temp\raetp2qtv783.exe

O4 - HKCU\..\Run: [uw5cr0p7kmksjux] C:\DOCUME~1\Matt\LOCALS~1\Temp\u84wbhjdhjknn.exe

O4 - HKCU\..\Run: [c7gxhoxazgagqkn6sf5vg5gju8yx7i03] C:\DOCUME~1\Matt\LOCALS~1\Temp\jlzhk4m.exe

O4 - HKCU\..\Run: [y82wrqwy2lag4jpyjggkgm] C:\DOCUME~1\Matt\LOCALS~1\Temp\qkp23ggr6jwca.exe

O4 - HKCU\..\Run: [nqb3i5cktfrx7] C:\DOCUME~1\Matt\LOCALS~1\Temp\bydltr6hz.exe

O4 - HKCU\..\Run: [s9d0evvjx9qcts9x1egykmbgz287badspd41fczi91170qw] C:\DOCUME~1\Matt\LOCALS~1\Temp\tz3pid2m.exe

O4 - HKCU\..\Run: [vyk89cilt3dqh177of2u47dpp2fasexkld45hexzr9zm08ysdh] C:\DOCUME~1\Matt\LOCALS~1\Temp\ayaakp.exe

O4 - HKCU\..\Run: [b8699tzdtaw] C:\DOCUME~1\Matt\LOCALS~1\Temp\aktua6kvhkvm0.exe

O4 - HKCU\..\Run: [dt2lcg3v8hh2evj64kgzskjuwehpqk64npfnftcr0cl] C:\DOCUME~1\Matt\LOCALS~1\Temp\auoegm1ca.exe

O4 - HKCU\..\Run: [fwdifp78r9mqapbohta30zf2lih4sepno63o5rgqw30wnxx8q1] C:\DOCUME~1\Matt\LOCALS~1\Temp\zp2jy3m.exe

O4 - HKCU\..\Run: [chfn0z3cpyfzg51z] C:\DOCUME~1\Matt\LOCALS~1\Temp\ykg5g3q1r257s.exe

O4 - HKCU\..\Run: [psw0c3jf4b5528cxay6os] C:\DOCUME~1\Matt\LOCALS~1\Temp\zu437k.exe

O4 - HKCU\..\Run: [b5syv8r4qq1m2z558pgfc2eijsofyvjo] C:\DOCUME~1\Matt\LOCALS~1\Temp\c4znd0ral2.exe

O4 - HKCU\..\Run: [pagl8qme2eo2clvq77mu0gm0542plonz] C:\DOCUME~1\Matt\LOCALS~1\Temp\ft8uyud5q.exe

O4 - HKCU\..\Run: [ezbpb6c1oabh7hcgs496ppvi] C:\DOCUME~1\Matt\LOCALS~1\Temp\m7c2w3tcif.exe

O4 - HKCU\..\Run: [pnrbe10guwimafbave3yte1qpt] C:\DOCUME~1\Matt\LOCALS~1\Temp\knuglvm93x.exe

O4 - HKCU\..\Run: [kmdn11ksx4ha9trd0qd] C:\DOCUME~1\Matt\LOCALS~1\Temp\aa9s7r5xxmqvs.exe

O4 - HKCU\..\Run: [qgbyy7lnvi56ze281h550tf66q1g6uc4vv] C:\DOCUME~1\Matt\LOCALS~1\Temp\si4tqxkl.exe

O4 - HKCU\..\Run: [ijap75lac9uccjwr725jg154pvb7b8s] C:\DOCUME~1\Matt\LOCALS~1\Temp\bgvur0.exe

O4 - HKCU\..\Run: [cspjrn7625nauevqrj6ymhm6] C:\DOCUME~1\Matt\LOCALS~1\Temp\pzvders.exe

O4 - HKCU\..\Run: [t5lx8qlc2500spi25] C:\DOCUME~1\Matt\LOCALS~1\Temp\ab9g9hutigyw.exe

O4 - HKCU\..\Run: [yzsj59qaso63lxlb] C:\DOCUME~1\Matt\LOCALS~1\Temp\peshtoxi5c.exe

O4 - HKCU\..\Run: [y1f5paua8bmhxsmc0rlhro9f63f4bzf96l] C:\DOCUME~1\Matt\LOCALS~1\Temp\w8gim2mvv.exe

O4 - HKCU\..\Run: [tdo4glh147m7dibju4uk] C:\DOCUME~1\Matt\LOCALS~1\Temp\o96mboi0.exe

O4 - HKCU\..\Run: [smzn3y1k9ogm61z62vzz1ug46f4l] C:\DOCUME~1\Matt\LOCALS~1\Temp\hwzliat2h.exe

O4 - HKCU\..\Run: [r8ltp7pgeo1d0vn0cmrev0guvb2fol] C:\DOCUME~1\Matt\LOCALS~1\Temp\dh1cn0xblky9.exe

O4 - HKCU\..\Run: [gzzffsvvf85a5ecka6rixyyi6hr0nrashdw] C:\DOCUME~1\Matt\LOCALS~1\Temp\ryftwi4.exe

O4 - HKCU\..\Run: [mibsyk2uxws38d55uubthz7w6c8togcj4m] C:\DOCUME~1\Matt\LOCALS~1\Temp\ys3bpw.exe

O4 - HKCU\..\Run: [e4vy7bbqbf0kuhmbkvdh9q5jgmk0a2by6avr15vm0r2whfm9] C:\DOCUME~1\Matt\LOCALS~1\Temp\cy5wcazgcb.exe

O4 - HKCU\..\Run: [u16f9xl7udfl6j8fa0xz2j] C:\DOCUME~1\Matt\LOCALS~1\Temp\qkv2dxiqk51.exe

O4 - HKCU\..\Run: [uatrramjej5lbx] C:\DOCUME~1\Matt\LOCALS~1\Temp\ibq3w3.exe

O4 - HKCU\..\Run: [zsveuttn0s01qnfm4y1lpi8wtnhghufoffz] C:\DOCUME~1\Matt\LOCALS~1\Temp\qpem3en4ko.exe

O4 - HKCU\..\Run: [z1m2rf1wo] C:\DOCUME~1\Matt\LOCALS~1\Temp\hsns4k6vsi6.exe

O4 - HKCU\..\Run: [glvfdamae96t91c8gkhccoyfq9bo6qrgbagod1jm69ln] C:\DOCUME~1\Matt\LOCALS~1\Temp\akib1nmbc60.exe

O4 - HKCU\..\Run: [glqqz1n0lexbuynwuh3841ephetyp] C:\DOCUME~1\Matt\LOCALS~1\Temp\sqrzzqnde.exe

O4 - HKCU\..\Run: [m6va4vchx] C:\DOCUME~1\Matt\LOCALS~1\Temp\v5y2l5zx0c.exe

O4 - HKCU\..\Run: [im5m4fiah97rei2ks1fkeahwd7jzh3axngp0w2x9] C:\DOCUME~1\Matt\LOCALS~1\Temp\rqh4e63j6ch4.exe

O4 - HKCU\..\Run: [bpgmixppg2r6gcx2ozacbic3r2phneu7fl3hdi] C:\DOCUME~1\Matt\LOCALS~1\Temp\llo9g0lb.exe

O4 - HKCU\..\Run: [ujna0uyma21o7pm4zjukiy1ul9zx208yx9q] C:\DOCUME~1\Matt\LOCALS~1\Temp\w97rmdkx.exe

O4 - HKCU\..\Run: [ddfxqxri9cw56qsidido7n0klg2o3koojvk6obc7] C:\DOCUME~1\Matt\LOCALS~1\Temp\qbr8ob.exe

O4 - HKCU\..\Run: [ocklm9z7gamhow72h68lq44qrvne7] C:\DOCUME~1\Matt\LOCALS~1\Temp\p65u6skec6fa.exe

O4 - HKCU\..\Run: [na5lugqa208snf46ovgktlu8os6nkssz7fq5h] C:\DOCUME~1\Matt\LOCALS~1\Temp\tm2zimq1irpb.exe

O4 - HKCU\..\Run: [cq9jfnpp9b81awvirlynrux] C:\DOCUME~1\Matt\LOCALS~1\Temp\dobtf1pnb.exe

O4 - HKCU\..\Run: [jl46h17dma7bq5a9bg0l7h8r2p8q28ay] C:\DOCUME~1\Matt\LOCALS~1\Temp\caygd9.exe

O4 - HKCU\..\Run: [pmhmqa5csdvnpjxt55lw90w8an7a20rwojnr8x] C:\DOCUME~1\Matt\LOCALS~1\Temp\vco2zsc5yy.exe

O4 - HKCU\..\Run: [szzjo936s7j] C:\DOCUME~1\Matt\LOCALS~1\Temp\i0xaaizicsamx.exe

O4 - HKCU\..\Run: [yht0ufoijgp2hol04qogg] C:\DOCUME~1\Matt\LOCALS~1\Temp\lkdyydq.exe

O4 - HKCU\..\Run: [aq5lg37pju82cpt5xyuze7r3v10rfi1elt2u2nl8p687mbf6t] C:\DOCUME~1\Matt\LOCALS~1\Temp\vyrm34.exe

O4 - HKCU\..\Run: [aw0eojmv73tgvf2g16sngzzpn7tehmffdhqcsc9fh8a] C:\DOCUME~1\Matt\LOCALS~1\Temp\cxy7mzqiph1c.exe

O4 - HKCU\..\Run: [hvz5l4qzu86vo047wjautl28l9vt] C:\DOCUME~1\Matt\LOCALS~1\Temp\u3jh3qydz.exe

O4 - HKCU\..\Run: [fscbpjx25qc1mginlk25wssdjq6qelgguyryaoki] C:\DOCUME~1\Matt\LOCALS~1\Temp\r50sy4hhm.exe

O4 - HKCU\..\Run: [cwfc37nvn3p6v6vh45gn6yg2j2e7ey7hhr] C:\DOCUME~1\Matt\LOCALS~1\Temp\ct2vuvoo8.exe

O4 - HKCU\..\Run: [z95f09uly5yu7] C:\DOCUME~1\Matt\LOCALS~1\Temp\uz4zzgwfkhjw1.exe

O4 - HKCU\..\Run: [p1d3iq9w2rcd6xvd8t59aodr5igxybbbeqdkznw9udm2j7j] C:\DOCUME~1\Matt\LOCALS~1\Temp\tui4yg0ijnb.exe

O4 - HKCU\..\Run: [ewxr5iw5xiqaxoc2fh7lkp2xwym8ttv] C:\DOCUME~1\Matt\LOCALS~1\Temp\xeimvd1a.exe

O4 - HKCU\..\Run: [ccivtk98updz0gu383g1l8ld5gok2fwiduuwq552xz] C:\DOCUME~1\Matt\LOCALS~1\Temp\edp7xp.exe

O4 - HKCU\..\Run: [v6zww7xv6l967ntjhq5r] C:\DOCUME~1\Matt\LOCALS~1\Temp\zjrb2a3uoi.exe

O4 - HKCU\..\Run: [ss0n2ax2fwdxw4s335bzrs2va5xpnuzl5wnvuhwsj1ofys] C:\DOCUME~1\Matt\LOCALS~1\Temp\lmacmhpj.exe

O4 - HKCU\..\Run: [rjqe9t2cv] C:\DOCUME~1\Matt\LOCALS~1\Temp\rgvjnt4dji90.exe

O4 - HKCU\..\Run: [md1mk8jt5o07085fox0tvhfj] C:\DOCUME~1\Matt\LOCALS~1\Temp\tv6caoz8uuk3.exe

O4 - HKCU\..\Run: [s57d4luqwbtli0gtm5cmt9uvoo74y7ilpmxga4hpmv] C:\DOCUME~1\Matt\LOCALS~1\Temp\cjitrg99o.exe

O4 - HKCU\..\Run: [cmkady4vc8k54caak2kfplvi6ikeotyp47ql] C:\DOCUME~1\Matt\LOCALS~1\Temp\n2icxqb2r1.exe

O4 - HKCU\..\Run: [zgv05agqg6kog1bq2nhermb1rxjxtj3a4tpag0] C:\DOCUME~1\Matt\LOCALS~1\Temp\ht3ivc6w.exe

O4 - HKCU\..\Run: [ogd2y20gkdgkcyfcxtwk2pzwbjrkgu9u196mon74i5b6xl8x] C:\DOCUME~1\Matt\LOCALS~1\Temp\dj54xdfwy.exe

O4 - HKCU\..\Run: [k1ivm76zrcnz70f2674zrgqznxb8ie1tuosh] C:\DOCUME~1\Matt\LOCALS~1\Temp\wb06ugeci.exe

O4 - HKCU\..\Run: [wpxj70rpw7tacie944dwok038xslf8xhkpw5aikb9yl251885] C:\DOCUME~1\Matt\LOCALS~1\Temp\aqh41wr.exe

O4 - HKCU\..\Run: [u9z9q8ag5s1yrjv99mh6z6vu9mrpmd7f46qoqn5] C:\DOCUME~1\Matt\LOCALS~1\Temp\h42tz5qg.exe

O4 - HKCU\..\Run: [eknx6fkvb4vlvqwzb2un] C:\DOCUME~1\Matt\LOCALS~1\Temp\ckz0a6y5.exe

O4 - HKCU\..\Run: [qpe79pch7bcon4j6ek] C:\DOCUME~1\Matt\LOCALS~1\Temp\rni1dd.exe

O4 - HKCU\..\Run: [cark6568w7g6i968yqp] C:\DOCUME~1\Matt\LOCALS~1\Temp\bwowgwg8.exe

O4 - HKCU\..\Run: [ua3v2m48vc6tz9evtixr4pcniobwltt7fd3odug] C:\DOCUME~1\Matt\LOCALS~1\Temp\qnf7luaqok3.exe

O4 - HKCU\..\Run: [cvqo7svmmjxs0xiiywi41ycb68nepenv3qozxu08qltg] C:\DOCUME~1\Matt\LOCALS~1\Temp\egttx1t0.exe

O4 - HKCU\..\Run: [caji341x8cn65j6fd6mx6tfyeth] C:\DOCUME~1\Matt\LOCALS~1\Temp\hv7xcyfvwe8.exe

O4 - HKCU\..\Run: [t7k6yvwy6nasiubaxy2xfe89gxi4d7517l] C:\DOCUME~1\Matt\LOCALS~1\Temp\o49lkq9oofxds.exe

O4 - HKCU\..\Run: [u1n129mugzqhuktc9] C:\DOCUME~1\Matt\LOCALS~1\Temp\hw44hcpn83rob.exe

O4 - HKCU\..\Run: [jxmznj37mdq3peoblmfvma17uku60b7evr6] C:\DOCUME~1\Matt\LOCALS~1\Temp\yduq9ik.exe

O4 - HKCU\..\Run: [x3mv92meudhkn28p] C:\DOCUME~1\Matt\LOCALS~1\Temp\cc8vlcq.exe

O4 - HKCU\..\Run: [exfotjapybejab73opffcfllz9rszfx6zgrha400qez9fd0xh] C:\DOCUME~1\Matt\LOCALS~1\Temp\upfwk0h.exe

O4 - HKCU\..\Run: [lk0gt4h7inba2jmdbh6e894rl7] C:\DOCUME~1\Matt\LOCALS~1\Temp\g13dyr3iq.exe

O4 - HKCU\..\Run: [tr9kwlvk3cyv7p] C:\DOCUME~1\Matt\LOCALS~1\Temp\xeo35u.exe

O4 - HKCU\..\Run: [ca3dpmcpegds6c209vnshhcnpg32myareokgcu0b7igr2p6] C:\DOCUME~1\Matt\LOCALS~1\Temp\pavnlz.exe

O4 - HKCU\..\Run: [dqmhzgut8knenyk0fopswrcvfgjdyo78z9thnwa] C:\DOCUME~1\Matt\LOCALS~1\Temp\lcl971rx6g.exe

O4 - HKCU\..\Run: [db1faia5tra0] C:\DOCUME~1\Matt\LOCALS~1\Temp\h2nv9jjxcgm.exe

O4 - HKCU\..\Run: [ft3elqpht5injbgehui9] C:\DOCUME~1\Matt\LOCALS~1\Temp\kmdi4fhehsl.exe

O4 - HKCU\..\Run: [eanmtld4ukyitgbtmxfcamql2f4re44u32pnwxsb5j8] C:\DOCUME~1\Matt\LOCALS~1\Temp\zf1zi63zl4zcj.exe

O4 - HKCU\..\Run: [cmofe3vz479j1qd1mr5v57nglzfud37ou2nafqv6] C:\DOCUME~1\Matt\LOCALS~1\Temp\go34qyx.exe

O4 - HKCU\..\Run: [vbcmdm7o09ckehen6mfhu03corlo9j1ceyzsseemcw0406uyv] C:\DOCUME~1\Matt\LOCALS~1\Temp\obf3rt6.exe

O4 - HKCU\..\Run: [vurdsfwyvqga] C:\DOCUME~1\Matt\LOCALS~1\Temp\ce5qsg6b.exe

O4 - HKCU\..\Run: [ynujhl9nbhrwecmazl7gjpxm9oy6lkq143akzlfrpk8tjaj] C:\DOCUME~1\Matt\LOCALS~1\Temp\rv57mp4.exe

O4 - HKCU\..\Run: [ifwynnwh4tpon5kgqqoaz9vjg5j0s7ih4zx9cy2l8lv3vn] C:\DOCUME~1\Matt\LOCALS~1\Temp\t0ewamp28.exe

O4 - HKCU\..\Run: [gva3k07drq77] C:\DOCUME~1\Matt\LOCALS~1\Temp\ta9gz26215lmy.exe

O4 - HKCU\..\Run: [dhzio4pacz] C:\DOCUME~1\Matt\LOCALS~1\Temp\i3xxdts.exe

O4 - HKCU\..\Run: [c0gz1b3rm6jtdexasu299fj8ghrhskd8m02engyw] C:\DOCUME~1\Matt\LOCALS~1\Temp\eoxz6dwsu.exe

O4 - HKCU\..\Run: [yhs7b40392ouym2mvjk8eulvw] C:\DOCUME~1\Matt\LOCALS~1\Temp\efim5sp.exe

O4 - HKCU\..\Run: [jvxg23rszft6qryu8wyafgd6vd6dfstsl8qgtohkzde] C:\DOCUME~1\Matt\LOCALS~1\Temp\daw8nsancnkwo.exe

O4 - HKCU\..\Run: [iexidy5vagf] C:\DOCUME~1\Matt\LOCALS~1\Temp\sdw9qzd89oo.exe

O4 - HKCU\..\Run: [znv1slqq149qne0pwenn208x534l4up] C:\DOCUME~1\Matt\LOCALS~1\Temp\vb72qmrhbtxy.exe

O4 - HKCU\..\Run: [dakfixqcjsl] C:\DOCUME~1\Matt\LOCALS~1\Temp\yvcz7rn90tix.exe

O4 - HKCU\..\Run: [etl8qmytvrujx8wh29bffmk8myhlowm82k] C:\DOCUME~1\Matt\LOCALS~1\Temp\koh1bw.exe

O4 - HKCU\..\Run: [n658h5yxp1cakfwhmze2s5m5ksx3h8u7] C:\DOCUME~1\Matt\LOCALS~1\Temp\cp71an5iniczf.exe

O4 - HKCU\..\Run: [kf7n0s30r2hbdfa92yk3fv7lrgqiuoxa8dd5r0r5j7smq] C:\DOCUME~1\Matt\LOCALS~1\Temp\jag62gn8mu.exe

O4 - HKCU\..\Run: [oz2b0vooo02y54oy6b9xbc23kihmrbhqe756cqc] C:\DOCUME~1\Matt\LOCALS~1\Temp\b1sqlm2wcioo2.exe

O4 - HKCU\..\Run: [lc0gx4hux1cfmvg5ai5tfkysomtgb2mbl] C:\DOCUME~1\Matt\LOCALS~1\Temp\piitubx.exe

O4 - HKCU\..\Run: [xadgfyj3pi9crbs1o5bajdqwv7b8nmbls0qy] C:\DOCUME~1\Matt\LOCALS~1\Temp\eqkx6g5rhdaf.exe

O4 - HKCU\..\Run: [j68hb0vftsmx5] C:\DOCUME~1\Matt\LOCALS~1\Temp\lpripbi3xp.exe

O4 - HKCU\..\Run: [b9psbsyod1fbzireviuae3oqfb7bocx9m24jup78rdvp2qkxu] C:\DOCUME~1\Matt\LOCALS~1\Temp\gvt3uw.exe

O4 - HKCU\..\Run: [fdz9n56bkvu1] C:\DOCUME~1\Matt\LOCALS~1\Temp\ziml1i1.exe

O4 - HKCU\..\Run: [ifvs7e0bvuke7h2jpqo8wnjq6bk1qlg] C:\DOCUME~1\Matt\LOCALS~1\Temp\kb786q.exe

O4 - HKCU\..\Run: [qfjdps8rv4ii] C:\DOCUME~1\Matt\LOCALS~1\Temp\b7bhutdpgvj.exe

O4 - HKCU\..\Run: [jf89v4x3n65anifxq3ooyjdk7orcj637jzk9nvrkt0ajh] C:\DOCUME~1\Matt\LOCALS~1\Temp\s4ce6anptk.exe

O4 - HKCU\..\Run: [xe5mq4a5qubonlw065uh2qq0f9p6qxx5azz3t] C:\DOCUME~1\Matt\LOCALS~1\Temp\l1q0vu8jd.exe

O4 - HKCU\..\Run: [n1awwxjpeq6tpbybkkfo6h0q805] C:\DOCUME~1\Matt\LOCALS~1\Temp\zkqji4acgq.exe

O4 - HKCU\..\Run: [bej3i7lwyj43nuk] C:\DOCUME~1\Matt\LOCALS~1\Temp\kw4muuc.exe

O4 - HKCU\..\Run: [e5mxicghy7stiqfhc9bv26s1okz9nxybv8pgmhmi] C:\DOCUME~1\Matt\LOCALS~1\Temp\jri8cbx8ukbsc.exe

O4 - HKCU\..\Run: [drol671jzk1bhu1r0x4rh] C:\DOCUME~1\Matt\LOCALS~1\Temp\b4wcly0.exe

O4 - HKCU\..\Run: [pml48eixq6ehm2q3axf8uxw1i] C:\DOCUME~1\Matt\LOCALS~1\Temp\tmmgak.exe

O4 - HKCU\..\Run: [h4kifa0rxjo] C:\DOCUME~1\Matt\LOCALS~1\Temp\wbvnvxiarx9z6.exe

O4 - HKCU\..\Run: [gxxfb5jr1e6wo9vtwgj2iejw4dzskbea6lviyd] C:\DOCUME~1\Matt\LOCALS~1\Temp\s1x9xf.exe

O4 - HKCU\..\Run: [d9tjmengqhgoajk0ut0q801ai2009ao9z50] C:\DOCUME~1\Matt\LOCALS~1\Temp\o3nvjy77ta.exe

O4 - HKCU\..\Run: [hhdp5zc9jotbc2mqmkqccc2n0lcm2l2p02yt] C:\DOCUME~1\Matt\LOCALS~1\Temp\riuf5d0rf3u.exe

O4 - HKCU\..\Run: [wmg80b22db9] C:\DOCUME~1\Matt\LOCALS~1\Temp\rdif8e.exe

O4 - HKCU\..\Run: [v1jd00uta8v5nlji18yjl0] C:\DOCUME~1\Matt\LOCALS~1\Temp\cbflalcv14.exe

O4 - HKCU\..\Run: [ly54vzmzt9024xoxmf1qd28gqdq0jg8d4lzyr2um6j204] C:\DOCUME~1\Matt\LOCALS~1\Temp\uc5pz7r0k.exe

O4 - HKCU\..\Run: [p8tqvoh2utjix5p6sfs0wo5t2kmt4je5qerc68] C:\DOCUME~1\Matt\LOCALS~1\Temp\b2eehyv4jtc1t.exe

O4 - HKCU\..\Run: [t2ipoo8o8izwkipibullppvwhuzxzoes6c6] C:\DOCUME~1\Matt\LOCALS~1\Temp\kknqhgtyidh4t.exe

O4 - HKCU\..\Run: [sog0vak0mo0o660y8s7zt] C:\DOCUME~1\Matt\LOCALS~1\Temp\zwsi21.exe

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://ips.poi.de/ips-opdata/operator/6918...ects/jordan.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F3936BBD-8B70-4491-ACBC-973F264D798B}: NameServer = 68.87.76.178,68.87.76.130

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: cjnnpy.dll cdvjis.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--

End of file - 32440 bytes

Any help would be much appreciated.

Thanks,

Matt


Hello, and welcome to the Malwarebytes forums.

I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient while I work on your log; I will post back here with any recommendations.

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

==================================================================

Step 1:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a new HijackThis log.


Rodav,

Thank you for taking the time to look over the logs. This is a great forum and I appreciate the work you and your colleagues are doing. I ran ComboFix as instructed and have posted the log below. A couple of notes:

1.) Hijack.regedit & Hijack.FolderOptions seem to have been removed.

2.) However, when I open Mozilla, my av immediately notifies me of the Trojan Injector.AR virus. After a short time, the internet will lose connection. I also get an error message stating that UTool has encountered an error and needs to shut down.

I'm not sure this info is of any help, but I thought I'd share.

Here are the logs as requested:

ComboFix 09-02-15.01 - Matt 2009-02-16 17:19:33.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1569 [GMT -8:00]

Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\d.exe

c:\documents and settings\Matt\Application Data\EurekaLog

c:\windows\IE4 Error Log.txt

c:\windows\system32\EMnVwyxx.ini

c:\windows\system32\EMnVwyxx.ini2

c:\windows\system32\eoedwwoa.ini

c:\windows\system32\GgQrttwa.ini

c:\windows\system32\GgQrttwa.ini2

c:\windows\system32\gkutproc.ini

c:\windows\system32\gQttDJjl.ini

c:\windows\system32\gQttDJjl.ini2

c:\windows\system32\lsprst7.dll

c:\windows\system32\ssprs.dll

c:\windows\system32\vycewwfr.ini

c:\windows\xccwinsys.ini

F:\Autorun.inf

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))

.

2009-02-16 10:40 . 2009-02-16 10:40 36,352 --a------ C:\mjd.exe

2009-02-16 10:39 . 2009-02-16 10:39 81,931 --a------ c:\windows\system32\1E.tmp

2009-02-16 10:39 . 2009-02-16 10:39 88 --a------ c:\windows\system32\1C.tmp

2009-02-16 10:39 . 2009-02-16 10:39 1 --a------ c:\windows\system32\1D.tmp

2009-02-16 07:49 . 2009-02-16 07:59 <DIR> d-------- c:\windows\system32\inf

2009-02-15 16:11 . 2009-02-16 10:25 <DIR> d-------- c:\program files\Autorun Eater

2009-02-15 10:52 . 2009-02-15 10:52 <DIR> d-------- c:\documents and settings\Addi\Application Data\Malwarebytes

2009-02-15 10:40 . 2009-02-15 10:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-02-15 09:44 . 2009-02-15 09:44 155,136 -rahs---- c:\windows\usbservice.exe

2009-02-15 09:44 . 2009-02-15 09:44 2 --a------ C:\1880373321

2009-02-15 09:43 . 2009-02-15 09:43 61,440 --a------ C:\cwxwwgtl.exe

2009-01-19 19:32 . 2009-01-19 19:32 <DIR> d-------- c:\documents and settings\Addi\Application Data\BitZipper

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-17 01:26 --------- d-----w c:\documents and settings\Matt\Application Data\WTablet

2009-02-16 17:52 --------- d-----w c:\documents and settings\Matt\Application Data\U3

2009-02-16 16:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-16 16:59 --------- d-----w c:\program files\Office-Bibliothek

2009-02-16 16:58 --------- d-----w c:\program files\InTune

2009-02-16 00:56 7,680 --sha-w c:\program files\Thumbs.db

2009-02-15 17:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-15 05:22 --------- d-----w c:\documents and settings\Addi\Application Data\WTablet

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-07 16:40 0 ----a-w c:\windows\system32\drivers\logiflt.iad

2009-02-07 16:39 0 ----a-w c:\windows\system32\drivers\lvuvc.hs

2009-02-07 16:39 --------- d-----w c:\program files\Common Files\Logitech

2009-02-07 16:38 --------- d-----w c:\documents and settings\Addi\Application Data\Skype

2009-02-05 16:07 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-02 20:19 --------- d-----w c:\program files\Flickr Uploadr

2009-01-28 16:34 --------- d-----w c:\documents and settings\Addi\Application Data\Canon

2009-01-03 05:34 --------- d-----w c:\program files\Soulseek

2008-12-30 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2008-12-27 23:36 --------- d-----w c:\program files\Java

2008-12-21 18:32 --------- d-----w c:\program files\MediaCoder

2008-06-30 01:42 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT

2007-12-10 01:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

2007-09-19 00:42 4 ----a-w c:\documents and settings\Matt\Application Data\wklnhst.dat

2006-11-03 16:25 0 ----a-w c:\documents and settings\Addi\Application Data\wklnhst.dat

2007-06-05 23:09 88 --sha-r c:\windows\system32\69BF5D7693.sys

2007-06-05 23:10 2,984 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-21 18:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat

.

------- Sigcheck -------

2004-08-10 02:00 31232 68ee84ce5b7f1fd507c812cc62cfbc27 c:\windows\$NtServicePackUninstall$\svchost.exe

2008-04-13 16:12 31744 ff193b6736b821522c86241dda5969e0 c:\windows\ServicePackFiles\i386\svchost.exe

2008-04-13 16:12 31232 4e4a5199d3f6ca95f954f034cd5aed9c c:\windows\system32\svchost.exe

2008-04-13 16:12 1051136 4446b58648cd8e9ca69ddc84d9bc18ce c:\windows\explorer.exe

2007-06-13 03:26 1050112 13ed767b1d0f76f4d5f52d0300c17bcf c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2007-06-13 02:23 1050112 3fb0d85901d361da542e204020e4e5d6 c:\windows\$NtServicePackUninstall$\explorer.exe

2004-08-10 02:00 1049088 8a8308b0a0d9334c4d9457dfc9ba5c01 c:\windows\$NtUninstallKB938828$\explorer.exe

2008-04-13 16:12 1050624 5ed6b2b98bd7c36b1da972e2b3fc7958 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-10 02:00 32768 5b53991952566405cddc7a23f6664aef c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-13 16:12 32256 e8cdb1e6a3ceedf2b9f20ff4a27600fb c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-13 16:12 32256 2197738c2437fae17c6ca8352086c992 c:\windows\system32\ctfmon.exe

2005-06-10 16:17 74752 233d05ab11761d3e28cd5a4882453c06 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2005-06-10 15:53 74752 242b82fca421aa841df613116543149f c:\windows\$NtServicePackUninstall$\spoolsv.exe

2008-04-13 16:12 74752 b26cc17d626de221a45141b066012e6e c:\windows\ServicePackFiles\i386\spoolsv.exe

2008-04-13 16:12 74752 a538217ac740f37cefbf3aae5442aa49 c:\windows\system32\spoolsv.exe

2004-08-10 02:00 41472 e5bff1c1eb3ef6168d401eef4baa7b89 c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 16:12 43008 a24db7489f4d989c5abf9d572c00c185 c:\windows\ServicePackFiles\i386\userinit.exe

2008-04-13 16:12 43008 c2d79e82b239482627d2cce56be2522f c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 196681]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1712640]

"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 172032]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 65536]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 241664]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 843842]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 77824]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

"MBMon"="CTMBHA.DLL" [2006-06-28 c:\windows\system32\CTMBHA.DLL]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=cjnnpy.dll cdvjis.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk

backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office-Bibliothek-Direktsuche.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office-Bibliothek-Direktsuche.lnk

backup=c:\windows\pss\Office-Bibliothek-Direktsuche.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk

backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\701438e6

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73270b7a

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

--a------ 2006-03-21 17:30 1212416 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]

--------- 2004-12-02 18:23 122880 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

--a------ 2006-07-16 18:29 406016 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

--a------ 2006-05-03 03:12 118784 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

--a------ 2007-02-19 13:39 2895872 c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-09-29 11:01 84480 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2006-07-07 15:15 600896 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-02-16 16:15 102400 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2007-12-11 12:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]

--a------ 2008-08-14 16:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

--a------ 2008-08-14 16:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 16:12 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]

--a------ 2006-03-21 13:19 90112 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-31 22:13 405504 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

-ra------ 2003-09-30 00:14 176128 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

--------- 2000-05-11 00:00 110592 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]

--------- 2006-02-16 08:20 1138688 c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-06-11 17:16 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

--a------ 2006-11-03 22:55 360448 c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Cisco Systems\\VPN Client\\vpnclient.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-11-20 1373480]

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-02-18 205328]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-22 311369]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-04-25 606272]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-02-18 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 282695]

S1 1b028b28;1b028b28;c:\windows\system32\drivers\1b028b28.sys --> c:\windows\system32\drivers\1b028b28.sys [?]

S2 Usb Service 2.0;Usb Service 2.0;c:\windows\usbservice.exe [2009-02-15 155136]

S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-09-21 4736]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-09-21 8960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72a0a99a-7d9d-11db-83eb-001676d4eb91}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72a0a99b-7d9d-11db-83eb-001676d4eb91}]

\Shell\AutoRun\command - G:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)

ShellExecuteHooks-{C2E6F3CA-928B-4B18-9C71-D33FFDDCD5E1} - (no file)

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.laplink.com/free

uInternet Settings,ProxyOverride = *.local

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

Trusted Zone: aol.com\free

TCP: {F3936BBD-8B70-4491-ACBC-973F264D798B} = 68.87.76.178,68.87.76.130

DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://ips.poi.de/ips-opdata/operator/69189345/objects/jordan.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab

FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jdb34c09.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-16 17:27:03

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:89,1d,30,93,a4,78,75,8b,ec,45,b1,ef,e8,6d,52,bd,56,3f,c2,8d,bb,

f4,7f,85,25,4e,37,c3,8e,07,8c,8d,c7,c5,d1,24,6f,ef,85,69,3e,e4,d0,38,3b,5b,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:89,1d,30,93,a4,78,75,8b,ec,45,b1,ef,e8,6d,52,bd,56,3f,c2,8d,bb,

f4,7f,85,25,4e,37,c3,8e,07,8c,8d,c7,c5,d1,24,6f,ef,85,69,3e,e4,d0,38,3b,5b,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\docume~1\Matt\LOCALS~1\temp\clclean.0001

c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe

.

**************************************************************************

.

Completion time: 2009-02-16 17:33:32 - machine was rebooted [Matt]

ComboFix-quarantined-files.txt 2009-02-17 01:33:28

Pre-Run: 170,141,294,592 bytes free

Post-Run: 170,480,459,776 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7

296 --- E O F --- 2009-02-12 05:01:41

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:28:55 PM, on 2/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\usbservice.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\DOCUME~1\Matt\LOCALS~1\Temp\clclean.0001

C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.laplink.com/free

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://ips.poi.de/ips-opdata/operator/6918...ects/jordan.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F3936BBD-8B70-4491-ACBC-973F264D798B}: NameServer = 68.87.76.178,68.87.76.130

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: cjnnpy.dll cdvjis.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--

End of file - 8715 bytes


I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

The infection is delivered by W32/Rbot-BLF

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...

IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have an IRC backdoor, the worst kind.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
  • Please read this for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063

Please let me know what you decide.


Thanks, Rodav.

I appreciate your feedback. This computer is basically used for home use, and I have been disconnected from the internet ever since we got the virus. I've changed all passwords for shopping/banking/email etc. as a precaution and have not visited these sites since the virus attack. I would like to disinfect if at all possible prior to re-format & re-install.

Thanks for your time. I'll await the next steps.

Matt


Hi Matt,

On doing further research, it looks like you are infected with Virut; some of the info given matches these:

http://www.threatexpert.com/report.aspx?md...b02ca486eed4ea4

http://www.threatexpert.com/report.aspx?md...dc0a5ac02094aaa

http://virscan.org/report/25d377dcc6ace93f...6c5c22bb6a.html

Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and it is the best way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

I don't feel there is any point in trying to clean this machine. Sorry to be the bearer of bad news, but that's how I see it.

If you have any questions let me know.
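The backup advice above (copy documents only, skip .exe and .scr, and look inside archives before copying them) can be enforced mechanically before anything leaves the infected machine. The script below is an added example, not from the thread or from Malwarebytes; the file names in `demo()` are constructed, and it reads only .zip archives itself, reporting .cab/.rar for manual inspection. It also checks for the "MZ" executable header so an executable renamed to a harmless extension is not copied by mistake.

```python
import os
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr"}        # Virut appends itself to accessed .exe/.scr files
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}   # may hide infected executables; only .zip is opened here

def looks_like_pe(path):
    """True if the file starts with the 'MZ' DOS header: an executable whatever its extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def classify(path):
    """'skip' = executable/screensaver, 'inspect' = archive that may hold one, 'ok' = plain data."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXTS or looks_like_pe(path):
        return "skip"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            return "inspect"  # unreadable archive: look at it by hand
        return "inspect" if any(Path(m).suffix.lower() in EXECUTABLE_EXTS for m in members) else "ok"
    return "inspect" if ext in ARCHIVE_EXTS else "ok"

def triage_backup(root):
    """Walk root and bucket every file (as a relative POSIX path) into skip / inspect / ok."""
    root = Path(root)
    buckets = {"skip": [], "inspect": [], "ok": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            buckets[classify(p)].append(p.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in buckets.items()}

def demo():
    """Build a constructed sample tree (hypothetical file names) in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "report.doc").write_bytes(b"quarterly numbers")
    (root / "setup.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "renamed.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # executable hiding as .txt
    (root / "drivers.cab").write_bytes(b"MSCF")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", "MZ")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "plain text")
    return triage_backup(root)
```

Point `triage_backup()` at the folder you intend to copy; only the "ok" bucket should go onto the backup media.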


Yeah, sorry guy. Make sure to always keep an UP TO DATE Antivirus running on your system.

So how did I get infected in the first place?

Here are some free programs that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
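The hpHosts mechanism described above works because the hosts file is consulted before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real site. The following is an added example, not part of the thread or of hpHosts: it parses a constructed hosts-file excerpt in that style, answers whether a name is sinkholed, and lists any entry that sends a name somewhere other than the local machine, since the same file can be edited to redirect traffic and those entries deserve a look. All host names and addresses in the sample are made up.

```python
import ipaddress

# Constructed sample in hpHosts style (not a real hpHosts release): comments, several
# names on one line, a 0.0.0.0 entry, and one entry that does NOT point at this PC.
SAMPLE_HOSTS = """\
# hpHosts - constructed excerpt
127.0.0.1 localhost
127.0.0.1 ads.example.test tracker.example.test   # ad/tracking
0.0.0.0   malware.example.test
203.0.113.9 update.example.test   # redirected away from the local machine
"""

def parse_hosts(text):
    """Map each hostname (lower-cased) to its address; the first entry for a name is kept."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping

def is_sinkholed(mapping, hostname):
    """True if the hosts file sends hostname to this machine (loopback) or to 0.0.0.0."""
    addr = mapping.get(hostname.lower())
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: treat as not blocked
    return ip.is_loopback or ip.is_unspecified

def redirected_entries(mapping):
    """Entries that send a name to a real address instead of sinkholing it."""
    return sorted((name, addr) for name, addr in mapping.items()
                  if not is_sinkholed(mapping, name))
```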
