KaiW Posted March 8, 2009 ID:62861 Share Posted March 8, 2009 Have run multiple scans, can now at least use computer in normal mode but it is very slow to load up and the Active Desktop Recovery background pops up.Here is the MB log of the last scan done:Malwarebytes' Anti-Malware 1.34Database version: 1827Windows 5.1.2600 Service Pack 33/8/2009 5:33:16 PMmbam-log-2009-03-08 (17-33-16).txtScan type: Quick ScanObjects scanned: 75327Time elapsed: 5 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 1Registry Data Items Infected: 2Folders Infected: 0Files Infected: 11Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0863b92-2962-4ec9-93f2-0eb095c01a26} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{d0863b92-2962-4ec9-93f2-0eb095c01a26} (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopidajiha (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\UACalskawti.dll (Rootkit.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACbgdmabde.dll (Rootkit.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACqdmlkawq.dll (Trojan.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACrxwkrete.dll (Trojan.TDSS) -> Delete on reboot.C:\WINDOWS\system32\drivers\UACfrkdxncw.sys (Rootkit.TDSS) -> Delete on reboot.C:\Documents and Settings\Chris\Local Settings\Temp\UACf57d.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UAC3e9a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UAC4282.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UAC79fd.tmp (Trojan.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACbrsyyuun.dat (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\UACvxdoyrjb.log (Trojan.Agent) -> Delete on reboot.Here is the HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:38:48 PM, on 3/8/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Trend Micro\Internet Security 12\pccguide.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\AIM6\aim6.exeC:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.BINC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\WINDOWS\System32\alg.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dllO2 - BHO: (no name) - {d0863b92-2962-4ec9-93f2-0eb095c01a26} - C:\WINDOWS\system32\dotuluje.dll (file missing)O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [dopidajiha] Rundll32.exe "C:\WINDOWS\system32\wakiyuyo.dll",sO4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBLO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKCU\..\Run: [u1be60kfuf2daet7w0yq8xixev35uel6zt8ucdzl1] C:\DOCUME~1\Chris\LOCALS~1\Temp\wnww6s9u7.exeO4 - HKCU\..\Run: [ucdy07qnsig00l57p1l3b9n5bgycmof] C:\DOCUME~1\Chris\LOCALS~1\Temp\lkgns77045rp.exeO4 - HKCU\..\Run: [p87rjbtq0d7] C:\DOCUME~1\Chris\LOCALS~1\Temp\bgnjy8zoixj2.exeO4 - HKCU\..\Run: [l5ph74g2m1yt22854cvy4e2n1y7xy0hytvapxjz] C:\DOCUME~1\Chris\LOCALS~1\Temp\xs36ro00.exeO4 - HKCU\..\Run: [x9oim6r64hvl39p0160rop44rf204bvk6o2bl] C:\DOCUME~1\Chris\LOCALS~1\Temp\upf239ma.exeO4 - HKCU\..\Run: [tg502d3ve8] C:\DOCUME~1\Chris\LOCALS~1\Temp\qru5g9l655.exeO4 - HKCU\..\Run: [kae8etl4wamtzyuucynwm1s8u] C:\DOCUME~1\Chris\LOCALS~1\Temp\wb1qsiw57.exeO4 - HKCU\..\Run: [dzsc73xhu5ex6ffgr7tz3wo] C:\DOCUME~1\Chris\LOCALS~1\Temp\msaiornb0.exeO4 - HKCU\..\Run: [hq0y9heihx19] C:\DOCUME~1\Chris\LOCALS~1\Temp\p0j9fhu3.exeO4 - HKCU\..\Run: [u3afeoc14w9vg4kbk9gks9fnugyke4ezpnxy5af4cmma7ylk8b] C:\DOCUME~1\Chris\LOCALS~1\Temp\q5u47ysg.exeO4 - HKCU\..\Run: [k3b2u4eek4vn43bpvfobstzmvsigydm] C:\DOCUME~1\Chris\LOCALS~1\Temp\ftxzc437a.exeO4 - HKCU\..\Run: [u5nh2az6e5wpge8duhxqvew6xw5awwq7rpja5srz0d8ss] C:\DOCUME~1\Chris\LOCALS~1\Temp\u5kd7uy.exeO4 - HKCU\..\Run: [jua2sok3bynozd] C:\DOCUME~1\Chris\LOCALS~1\Temp\jb7f2rla8.exeO4 - HKCU\..\Run: [onbnndwmxdmbdaqcg62m] C:\DOCUME~1\Chris\LOCALS~1\Temp\b7vziwc1r.exeO4 - HKCU\..\Run: [hmi2d56j554xfn] C:\DOCUME~1\Chris\LOCALS~1\Temp\sfnp9j0pz.exeO4 - HKCU\..\Run: [fewa7k6n2avhtl3a8l5di6eettsw52s9uva3uc8rg] C:\DOCUME~1\Chris\LOCALS~1\Temp\woferantyaap6.exeO4 - HKCU\..\Run: [w28av0mgxep78gz3chntv8zw8vh] C:\DOCUME~1\Chris\LOCALS~1\Temp\x9a2efuxi14.exeO4 - HKCU\..\Run: [upvwhlqjn] C:\DOCUME~1\Chris\LOCALS~1\Temp\eneacoana2g1.exeO4 - HKCU\..\Run: [mjk5n65fkdj157qdriu13oru4nq] C:\DOCUME~1\Chris\LOCALS~1\Temp\owgf1g.exeO4 - HKCU\..\Run: [hzrf415uufjv2e9b0uenqumjh7wqlx5oxr818w] C:\DOCUME~1\Chris\LOCALS~1\Temp\tv0vj7.exeO4 - HKCU\..\Run: [wla9vv7huk05j90td4v] C:\DOCUME~1\Chris\LOCALS~1\Temp\um5taoh.exeO4 - HKCU\..\Run: [wuxj72hxdpgejwkvqsjur15g7izcn] C:\DOCUME~1\Chris\LOCALS~1\Temp\ur0rmh54m0.exeO4 - HKCU\..\Run: [koi53tts1xr9lkte1jzwprgqo1el3kq14ikbebl5yvkopiec] C:\DOCUME~1\Chris\LOCALS~1\Temp\gtslba0wlflt.exeO4 - HKCU\..\Run: [yajb56y32fp13toxd4mch8kgw3q8knxm94] C:\DOCUME~1\Chris\LOCALS~1\Temp\fwsi6rm5u.exeO4 - HKCU\..\Run: [lrryujy49n23mhie0umtngvdgsppfryshiu8fzow] C:\DOCUME~1\Chris\LOCALS~1\Temp\mlmg058.exeO4 - HKCU\..\Run: [tx0dpy5h1idxg224hebhky0gag6pqs4dqbapj0w96h2d] C:\DOCUME~1\Chris\LOCALS~1\Temp\m1lahrnmtk.exeO4 - HKCU\..\Run: [vum4kwqrrg8sfo5bhstqqcf1w8feua] C:\DOCUME~1\Chris\LOCALS~1\Temp\qzk55ti2jx0mi.exeO4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exeO4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\yutepuwa.dll esxtdz.dll c:\windows\system32\wojidiko.dll sqrmdi.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Google Update Service (gupdate1c89dd83fc77b56) (gupdate1c89dd83fc77b56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 16207 bytes Link to post Share on other sites More sharing options...
KaiW Posted March 8, 2009 Author ID:62866 Share Posted March 8, 2009 Couldn't find the edit button, don't want to be accused of topic bumping, but I did a new scan and the results changed slightly. Wanted to post the newest logs:MB:Malwarebytes' Anti-Malware 1.34Database version: 1827Windows 5.1.2600 Service Pack 33/8/2009 5:53:26 PMmbam-log-2009-03-08 (17-53-26).txtScan type: Quick ScanObjects scanned: 75072Time elapsed: 7 minute(s), 3 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 1Registry Data Items Infected: 2Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0863b92-2962-4ec9-93f2-0eb095c01a26} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{d0863b92-2962-4ec9-93f2-0eb095c01a26} (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopidajiha (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:55:10 PM, on 3/8/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Trend Micro\Internet Security 12\pccguide.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\AIM6\aim6.exeC:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.BINC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\WINDOWS\System32\alg.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dllO2 - BHO: (no name) - {d0863b92-2962-4ec9-93f2-0eb095c01a26} - C:\WINDOWS\system32\dotuluje.dll (file missing)O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [dopidajiha] Rundll32.exe "C:\WINDOWS\system32\wakiyuyo.dll",sO4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBLO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKCU\..\Run: [u1be60kfuf2daet7w0yq8xixev35uel6zt8ucdzl1] C:\DOCUME~1\Chris\LOCALS~1\Temp\wnww6s9u7.exeO4 - HKCU\..\Run: [ucdy07qnsig00l57p1l3b9n5bgycmof] C:\DOCUME~1\Chris\LOCALS~1\Temp\lkgns77045rp.exeO4 - HKCU\..\Run: [p87rjbtq0d7] C:\DOCUME~1\Chris\LOCALS~1\Temp\bgnjy8zoixj2.exeO4 - HKCU\..\Run: [l5ph74g2m1yt22854cvy4e2n1y7xy0hytvapxjz] C:\DOCUME~1\Chris\LOCALS~1\Temp\xs36ro00.exeO4 - HKCU\..\Run: [x9oim6r64hvl39p0160rop44rf204bvk6o2bl] C:\DOCUME~1\Chris\LOCALS~1\Temp\upf239ma.exeO4 - HKCU\..\Run: [tg502d3ve8] C:\DOCUME~1\Chris\LOCALS~1\Temp\qru5g9l655.exeO4 - HKCU\..\Run: [kae8etl4wamtzyuucynwm1s8u] C:\DOCUME~1\Chris\LOCALS~1\Temp\wb1qsiw57.exeO4 - HKCU\..\Run: [dzsc73xhu5ex6ffgr7tz3wo] C:\DOCUME~1\Chris\LOCALS~1\Temp\msaiornb0.exeO4 - HKCU\..\Run: [hq0y9heihx19] C:\DOCUME~1\Chris\LOCALS~1\Temp\p0j9fhu3.exeO4 - HKCU\..\Run: [u3afeoc14w9vg4kbk9gks9fnugyke4ezpnxy5af4cmma7ylk8b] C:\DOCUME~1\Chris\LOCALS~1\Temp\q5u47ysg.exeO4 - HKCU\..\Run: [k3b2u4eek4vn43bpvfobstzmvsigydm] C:\DOCUME~1\Chris\LOCALS~1\Temp\ftxzc437a.exeO4 - HKCU\..\Run: [u5nh2az6e5wpge8duhxqvew6xw5awwq7rpja5srz0d8ss] C:\DOCUME~1\Chris\LOCALS~1\Temp\u5kd7uy.exeO4 - HKCU\..\Run: [jua2sok3bynozd] C:\DOCUME~1\Chris\LOCALS~1\Temp\jb7f2rla8.exeO4 - HKCU\..\Run: [onbnndwmxdmbdaqcg62m] C:\DOCUME~1\Chris\LOCALS~1\Temp\b7vziwc1r.exeO4 - HKCU\..\Run: [hmi2d56j554xfn] C:\DOCUME~1\Chris\LOCALS~1\Temp\sfnp9j0pz.exeO4 - HKCU\..\Run: [fewa7k6n2avhtl3a8l5di6eettsw52s9uva3uc8rg] C:\DOCUME~1\Chris\LOCALS~1\Temp\woferantyaap6.exeO4 - HKCU\..\Run: [w28av0mgxep78gz3chntv8zw8vh] C:\DOCUME~1\Chris\LOCALS~1\Temp\x9a2efuxi14.exeO4 - HKCU\..\Run: [upvwhlqjn] C:\DOCUME~1\Chris\LOCALS~1\Temp\eneacoana2g1.exeO4 - HKCU\..\Run: [mjk5n65fkdj157qdriu13oru4nq] C:\DOCUME~1\Chris\LOCALS~1\Temp\owgf1g.exeO4 - HKCU\..\Run: [hzrf415uufjv2e9b0uenqumjh7wqlx5oxr818w] C:\DOCUME~1\Chris\LOCALS~1\Temp\tv0vj7.exeO4 - HKCU\..\Run: [wla9vv7huk05j90td4v] C:\DOCUME~1\Chris\LOCALS~1\Temp\um5taoh.exeO4 - HKCU\..\Run: [wuxj72hxdpgejwkvqsjur15g7izcn] C:\DOCUME~1\Chris\LOCALS~1\Temp\ur0rmh54m0.exeO4 - HKCU\..\Run: [koi53tts1xr9lkte1jzwprgqo1el3kq14ikbebl5yvkopiec] C:\DOCUME~1\Chris\LOCALS~1\Temp\gtslba0wlflt.exeO4 - HKCU\..\Run: [yajb56y32fp13toxd4mch8kgw3q8knxm94] C:\DOCUME~1\Chris\LOCALS~1\Temp\fwsi6rm5u.exeO4 - HKCU\..\Run: [lrryujy49n23mhie0umtngvdgsppfryshiu8fzow] C:\DOCUME~1\Chris\LOCALS~1\Temp\mlmg058.exeO4 - HKCU\..\Run: [tx0dpy5h1idxg224hebhky0gag6pqs4dqbapj0w96h2d] C:\DOCUME~1\Chris\LOCALS~1\Temp\m1lahrnmtk.exeO4 - HKCU\..\Run: [vum4kwqrrg8sfo5bhstqqcf1w8feua] C:\DOCUME~1\Chris\LOCALS~1\Temp\qzk55ti2jx0mi.exeO4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exeO4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\yutepuwa.dll esxtdz.dll c:\windows\system32\wojidiko.dll sqrmdi.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Google Update Service (gupdate1c89dd83fc77b56) (gupdate1c89dd83fc77b56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 16091 bytes Link to post Share on other sites More sharing options...
Tigger93 Posted March 8, 2009 ID:62894 Share Posted March 8, 2009 Hi. Download ComboFix from one of the locations below, and save it to your Desktop. Link 1Link 2 Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.When finished, it shall produce a log for you. Post that log and a HijackThis log in your next replyNote: Do not mouseclick Combofix's window while its running. That may cause it to stall Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62902 Share Posted March 9, 2009 Ok before I press any buttons...I had installed ComboFix last night but did not run it. On double-clicking it, there was a green loading bar, then it did nothing. I removed it from my desktop, downloaded a new version on my clean laptop, saved it to a jumpdrive and brought it to the infected laptop. I again double-clicked, got the loading bar, but then an "Error - Win32 Only" box came up. There is one sentence in 8 different languages "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP." The laptop runs XP so I am not sure why it would pop that up. There is an OK button, but I haven't pressed it.As I was preparing to reply about the above, a second window popped up and the computer beeped. "Warning!! ComboFix has detected the following real time scanner to be active: trend Micro PCcillin Internet Security....."Should I go ahead and disable? Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62904 Share Posted March 9, 2009 Additionally, have a PC Cillin Real Time Scan that detected a virus, spyware application or other internet threat, and performed the action specified. Infected file is in the TEMP folder, named bQ6a67EL.exe, virus name: TROJ_CLICKER.BAY (hard to tell if there is a space or underscore). Scan action: Quarantined. A second virus name TROJ_DLOADER.VKU also found and quarantined. Link to post Share on other sites More sharing options...
Tigger93 Posted March 9, 2009 ID:62905 Share Posted March 9, 2009 Who asked you to run Combofix before I posted asking you to run it?Yes, you should disable TrendMicro before running Combofix. Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62913 Share Posted March 9, 2009 No one asked me, it was one of the possible fixes I found when searching the internet (specifically Major Geeks - where I posted for help and have not received any response, so by the way thank you very much for helping).Have disabled PC Cillin and run ComboFix, but it has been sitting at the Preparing Log Report screen for about 10 minutes. Is this normal? Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62915 Share Posted March 9, 2009 Still preparing log report - going on about 25 minutes now. Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62916 Share Posted March 9, 2009 OK DONE! Took over 50 minutes, but here's the log:ComboFix 09-03-06.02 - Chris 2009-03-08 20:53:04.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.398 [GMT -4:00]Running from: c:\documents and settings\Chris\Desktop\ComboFix.exeAV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\IE4 Error Log.txtc:\windows\system32\AutoRun.infc:\windows\system32\esxtdz.dllc:\windows\system32\init32.exec:\windows\system32\reveneko.dllc:\windows\system32\test.tttc:\windows\system32\uniq.tllc:\windows\system32\win32hlp.cnfc:\windows\system32\yutepuwa.dllInfected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_TDSSSERV-------\Service_TDSSserv-------\Service_uacd.sys((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 ))))))))))))))))))))))))))))))).2009-03-08 20:03 . 2009-03-08 20:49 <DIR> d-------- C:\32788R22FWJFW2009-03-07 18:06 . 2009-03-08 20:59 96,366 --a------ c:\windows\system32\drivers\478ecc1b.sys2009-03-07 18:06 . 2009-03-07 18:06 2 --a------ C:\79202382009-03-07 18:05 . 2009-03-07 18:05 28,672 --a------ C:\ucpdcu.exe2009-03-07 02:13 . 2009-03-07 02:12 31,744 --a------ c:\windows\system32\BkwVG0ii.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-09 00:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-03-09 00:58 --------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org22009-03-08 21:26 --------- d-----w c:\program files\Spyware Doctor2009-03-08 00:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware2009-03-07 06:29 --------- d-----w c:\program files\Google2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys2009-02-03 04:24 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks2009-01-15 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Viewpoint2009-01-15 03:32 --------- d-----w c:\documents and settings\Chris\Application Data\TextPad2006-11-10 02:07 88 --sh--r c:\windows\system32\CC97B21816.sys2006-11-10 02:07 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-02 169984]"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]c:\documents and settings\Chris\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-09 113664]OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]PowerReg Scheduler V3.exe [2007-09-01 225280]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-09 25214]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-02 24576]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-01 356920]R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-18 24652]S0 twlqeoe;twlqeoe;c:\windows\system32\drivers\lotwyza.sys --> c:\windows\system32\drivers\lotwyza.sys [?]S2 gupdate1c89dd83fc77b56;Google Update Service (gupdate1c89dd83fc77b56);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-11 133104]S2 icdbxzip;Remote Access IP ARP Helper;c:\windows\System32\svchost.exe -k netsvcs [2005-08-16 14336]--- Other Services/Drivers In Memory ---*Deregistered* - mchinjdrv[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHPService REG_MULTI_SZ HPSLPSVCHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsicdbxzip[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10062954-c44f-11db-a379-00038a000015}]\Shell\AutoRun\command - F:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]\Shell\AutoRun\command - E:\setup.exe.Contents of the 'Scheduled Tasks' folder2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]2009-03-07 c:\windows\Tasks\At1.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At10.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At11.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At12.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At13.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At14.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At15.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At16.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At17.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At18.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-08 c:\windows\Tasks\At19.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At2.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-08 c:\windows\Tasks\At20.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-09 c:\windows\Tasks\At21.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-09 c:\windows\Tasks\At22.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At23.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At24.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At25.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At26.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At27.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At28.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At29.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At3.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At30.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At31.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At32.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At33.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At34.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At35.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At36.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At37.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At38.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At39.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At4.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At40.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At41.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At42.job- c:\windows\system32\BAl51CKA.exe []2009-03-08 c:\windows\Tasks\At43.job- c:\windows\system32\BAl51CKA.exe []2009-03-08 c:\windows\Tasks\At44.job- c:\windows\system32\BAl51CKA.exe []2009-03-09 c:\windows\Tasks\At45.job- c:\windows\system32\BAl51CKA.exe []2009-03-09 c:\windows\Tasks\At46.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At47.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At48.job- c:\windows\system32\BAl51CKA.exe []2009-03-07 c:\windows\Tasks\At49.job- c:\windows\system32\cophday.dll []2009-03-07 c:\windows\Tasks\At5.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At6.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At7.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At8.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-07 c:\windows\Tasks\At9.job- c:\windows\system32\BkwVG0ii.exe [2009-03-07 02:12]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 19:09]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2919991478-152956865-3165286940-1006.job- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-29 19:09].- - - - ORPHANS REMOVED - - - -URLSearchHooks-HookURL - (no file)URLSearchHooks-Rank - (no file)BHO-{d0863b92-2962-4ec9-93f2-0eb095c01a26} - c:\windows\system32\dotuluje.dllHKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exeHKLM-Run-dopidajiha - c:\windows\system32\wakiyuyo.dll.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://www.dell.comuInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglkFF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dllFF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dllFF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dllFF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dllFF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-08 20:58:53Windows 5.1.2600 Service Pack 3 NTFSdetected NTDLL code modification:ZwClosescanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\478ecc1b]"ImagePath"="\SystemRoot\System32\drivers\478ecc1b.sys".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(908)c:\windows\System32\BCMLogon.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\WLTRYSVC.EXEc:\windows\system32\BCMWLTRY.EXEc:\windows\system32\igfxsrvc.exec:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exec:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exec:\program files\OpenOffice.org 2.2\program\soffice.exec:\program files\OpenOffice.org 2.2\program\soffice.binc:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Dell\QuickSet\NicConfigSvc.exec:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exec:\program files\Spyware Doctor\pctsSvc.exec:\windows\ehome\mcrdsvc.exec:\program files\iPod\bin\iPodService.exec:\windows\system32\dllhost.exec:\windows\system32\wscntfy.exec:\windows\ehome\ehmsas.exec:\program files\AIM6\aolsoftware.exec:\program files\HP\Digital Imaging\bin\hpqste08.exe.**************************************************************************.Completion time: 2009-03-08 21:42:33 - machine was rebootedComboFix-quarantined-files.txt 2009-03-09 01:42:28Pre-Run: 16,672,182,272 bytes freePost-Run: 16,797,614,080 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect356 --- E O F --- 2009-02-25 11:12:45 Link to post Share on other sites More sharing options...
Tigger93 Posted March 9, 2009 ID:62917 Share Posted March 9, 2009 You should never run Combofix as you were going to without the guidance of an expert. Its one of those tools that can cause a lot of damage to your computer if you don't know what your doing.1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::c:\windows\system32\drivers\478ecc1b.sysC:\ucpdcu.exec:\windows\system32\BkwVG0ii.exec:\windows\system32\CC97B21816.sysc:\windows\system32\drivers\lotwyza.sysFolder::C:\32788R22FWJFWC:\7920238Driver::twlqeoeicdbxzipRegistry::[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\478ecc1b]AtJob::3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
KaiW Posted March 9, 2009 Author ID:62928 Share Posted March 9, 2009 Latest logs...ComboFix 09-03-06.02 - Chris 2009-03-08 22:28:43.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.149 [GMT -4:00]Running from: c:\documents and settings\Chris\Desktop\ComboFix.exeCommand switches used :: F:\CFScript.txtAV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* * Created a new restore pointFILE ::C:\ucpdcu.exec:\windows\system32\BkwVG0ii.exec:\windows\system32\CC97B21816.sysc:\windows\system32\drivers\478ecc1b.sysc:\windows\system32\drivers\lotwyza.sys.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\32788R22FWJFWc:\7920238\C:\ucpdcu.exec:\windows\sysguard.exec:\windows\system32\BAl51CKA.exec:\windows\system32\BAl51CKA.exe.a_ac:\windows\system32\BkwVG0ii.exec:\windows\system32\CC97B21816.sysc:\windows\system32\DCn27EMC.dllc:\windows\system32\drivers\478ecc1b.sysc:\windows\system32\iehelper.dllc:\windows\Tasks\At1.jobc:\windows\Tasks\At10.jobc:\windows\Tasks\At11.jobc:\windows\Tasks\At12.jobc:\windows\Tasks\At13.jobc:\windows\Tasks\At14.jobc:\windows\Tasks\At15.jobc:\windows\Tasks\At16.jobc:\windows\Tasks\At17.jobc:\windows\Tasks\At18.jobc:\windows\Tasks\At19.jobc:\windows\Tasks\At2.jobc:\windows\Tasks\At20.jobc:\windows\Tasks\At21.jobc:\windows\Tasks\At22.jobc:\windows\Tasks\At23.jobc:\windows\Tasks\At24.jobc:\windows\Tasks\At25.jobc:\windows\Tasks\At26.jobc:\windows\Tasks\At27.jobc:\windows\Tasks\At28.jobc:\windows\Tasks\At29.jobc:\windows\Tasks\At3.jobc:\windows\Tasks\At30.jobc:\windows\Tasks\At31.jobc:\windows\Tasks\At32.jobc:\windows\Tasks\At33.jobc:\windows\Tasks\At34.jobc:\windows\Tasks\At35.jobc:\windows\Tasks\At36.jobc:\windows\Tasks\At37.jobc:\windows\Tasks\At38.jobc:\windows\Tasks\At39.jobc:\windows\Tasks\At4.jobc:\windows\Tasks\At40.jobc:\windows\Tasks\At41.jobc:\windows\Tasks\At42.jobc:\windows\Tasks\At43.jobc:\windows\Tasks\At44.jobc:\windows\Tasks\At45.jobc:\windows\Tasks\At46.jobc:\windows\Tasks\At47.jobc:\windows\Tasks\At48.jobc:\windows\Tasks\At49.jobc:\windows\Tasks\At5.jobc:\windows\Tasks\At6.jobc:\windows\Tasks\At7.jobc:\windows\Tasks\At8.jobc:\windows\Tasks\At9.job.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_icdbxzip-------\Service_icdbxzip-------\Service_twlqeoe-------\Service_478ecc1b((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 ))))))))))))))))))))))))))))))).2009-03-07 18:06 . 2009-03-07 18:06 2 --a------ C:\7920238.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-09 02:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-03-09 02:35 --------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org22009-03-09 02:06 --------- d-----w c:\program files\Spyware Doctor2009-03-08 00:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware2009-03-07 06:29 --------- d-----w c:\program files\Google2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys2009-02-03 04:24 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks2009-01-15 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Viewpoint2009-01-15 03:32 --------- d-----w c:\documents and settings\Chris\Application Data\TextPad2006-11-10 02:07 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys.((((((((((((((((((((((((((((( SnapShot@2009-03-08_21.41.12.81 ))))))))))))))))))))))))))))))))))))))))).+ 2009-03-09 02:35:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a50.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-02 169984]"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]c:\documents and settings\Chris\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-09 113664]OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]PowerReg Scheduler V3.exe [2007-09-01 225280]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-09 25214]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-02 24576]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-01 356920]R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-18 24652]S2 gupdate1c89dd83fc77b56;Google Update Service (gupdate1c89dd83fc77b56);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-11 133104]--- Other Services/Drivers In Memory ---*Deregistered* - mchInjDrv[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHPService REG_MULTI_SZ HPSLPSVC[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10062954-c44f-11db-a379-00038a000015}]\Shell\AutoRun\command - F:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]\Shell\AutoRun\command - E:\setup.exe.Contents of the 'Scheduled Tasks' folder2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 19:09]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2919991478-152956865-3165286940-1006.job- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-29 19:09].- - - - ORPHANS REMOVED - - - -URLSearchHooks-HookURL - (no file)URLSearchHooks-Rank - (no file)HKCU-Run-system tool - c:\windows\sysguard.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://www.dell.comuInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglkFF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dllFF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-08 22:36:11Windows 5.1.2600 Service Pack 3 NTFSdetected NTDLL code modification:ZwClosescanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(892)c:\windows\System32\BCMLogon.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\WLTRYSVC.EXEc:\windows\system32\BCMWLTRY.EXEc:\windows\system32\igfxsrvc.exec:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exec:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exec:\program files\Bonjour\mDNSResponder.exec:\windows\ehome\ehrecvr.exec:\program files\OpenOffice.org 2.2\program\soffice.exec:\windows\ehome\ehSched.exec:\program files\OpenOffice.org 2.2\program\soffice.binc:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Dell\QuickSet\NicConfigSvc.exec:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exec:\program files\Spyware Doctor\pctsSvc.exec:\program files\AIM6\aolsoftware.exec:\windows\ehome\mcrdsvc.exec:\program files\iPod\bin\iPodService.exec:\windows\system32\dllhost.exec:\windows\system32\wscntfy.exec:\program files\HP\Digital Imaging\bin\hpqste08.exec:\windows\ehome\ehmsas.exe.**************************************************************************.Completion time: 2009-03-08 22:56:13 - machine was rebootedComboFix-quarantined-files.txt 2009-03-09 02:56:07ComboFix2.txt 2009-03-09 01:42:36Pre-Run: 16,777,199,616 bytes freePost-Run: 16,771,956,736 bytes free295 --- E O F --- 2009-02-25 11:12:45HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:58:39 PM, on 3/8/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Trend Micro\Internet Security 12\pccguide.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\AIM6\aim6.exeC:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\eHome\ehRecvr.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.BINC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Program Files\AIM6\aolsoftware.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\eHome\ehmsas.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBLO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exeO4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Google Update Service (gupdate1c89dd83fc77b56) (gupdate1c89dd83fc77b56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 13219 bytes Link to post Share on other sites More sharing options...
Tigger93 Posted March 9, 2009 ID:63101 Share Posted March 9, 2009 Looking a lot better.1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::C:\7920238Folder::C:\79202383. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
KaiW Posted March 10, 2009 Author ID:63122 Share Posted March 10, 2009 ComboFix Log:ComboFix 09-03-06.02 - Chris 2009-03-09 20:10:59.3 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.407 [GMT -4:00]Running from: c:\documents and settings\Chris\Desktop\ComboFix.exeCommand switches used :: F:\CFScript.txtAV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* * Created a new restore pointFILE ::C:\7920238.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\7920238.((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 ))))))))))))))))))))))))))))))).No new files created in this timespan.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-09 21:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-03-09 09:04 --------- d-----w c:\program files\Spyware Doctor2009-03-09 02:35 --------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org22009-03-08 20:51 79,872 --sha-w c:\windows\system32\vowayore.dll2009-03-08 00:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware2009-03-07 22:05 79,872 --sha-w c:\windows\system32\kujogeve.dll2009-03-07 06:29 --------- d-----w c:\program files\Google2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys2009-02-03 04:24 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks2009-01-15 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Viewpoint2009-01-15 03:32 --------- d-----w c:\documents and settings\Chris\Application Data\TextPad2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll2008-12-11 22:47 410,984 ----a-w c:\windows\system32\deploytk.dll2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys2006-11-10 02:07 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys.((((((((((((((((((((((((((((( SnapShot@2009-03-08_21.41.12.81 ))))))))))))))))))))))))))))))))))))))))).+ 2009-03-09 02:35:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a50.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-02 169984]"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]c:\documents and settings\Chris\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-09 113664]OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]PowerReg Scheduler V3.exe [2007-09-01 225280]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-09 25214]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-02 24576]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-01 356920]R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-18 24652]S2 gupdate1c89dd83fc77b56;Google Update Service (gupdate1c89dd83fc77b56);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-11 133104]--- Other Services/Drivers In Memory ---*Deregistered* - mchInjDrv[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHPService REG_MULTI_SZ HPSLPSVC[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10062954-c44f-11db-a379-00038a000015}]\Shell\AutoRun\command - F:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]\Shell\AutoRun\command - E:\setup.exe.Contents of the 'Scheduled Tasks' folder2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 19:09]2009-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2919991478-152956865-3165286940-1006.job- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-29 19:09].- - - - ORPHANS REMOVED - - - -URLSearchHooks-HookURL - (no file)URLSearchHooks-Rank - (no file).------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://www.dell.comuInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglkFF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dllFF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-09 20:13:48Windows 5.1.2600 Service Pack 3 NTFSdetected NTDLL code modification:ZwClosescanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(892)c:\windows\System32\BCMLogon.dll.Completion time: 2009-03-09 20:15:40ComboFix-quarantined-files.txt 2009-03-10 00:15:36ComboFix2.txt 2009-03-09 02:56:16ComboFix3.txt 2009-03-09 01:42:36Pre-Run: 16,737,816,576 bytes freePost-Run: 16,721,305,600 bytes free202 --- E O F --- 2009-02-25 11:12:45HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:17:36 PM, on 3/9/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Trend Micro\Internet Security 12\pccguide.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\AIM6\aim6.exeC:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\eHome\ehRecvr.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.BINC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Program Files\AIM6\aolsoftware.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\eHome\ehmsas.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBLO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exeO4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Google Update Service (gupdate1c89dd83fc77b56) (gupdate1c89dd83fc77b56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 13198 bytes Link to post Share on other sites More sharing options...
Tigger93 Posted March 10, 2009 ID:63139 Share Posted March 10, 2009 Well things were looking better. Hopefully this will get everything.Before doing this, please delete your current copy of Combofix and download a new copy.1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::c:\windows\system32\vowayore.dllc:\windows\system32\kujogeve.dllRegistry::[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
KaiW Posted March 10, 2009 Author ID:63141 Share Posted March 10, 2009 CF log:ComboFix 09-03-06.02 - Chris 2009-03-09 21:29:53.4 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.409 [GMT -4:00]Running from: c:\documents and settings\Chris\Desktop\ComboFix.exeCommand switches used :: F:\CFScript.txtAV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* * Created a new restore pointFILE ::c:\windows\system32\kujogeve.dllc:\windows\system32\vowayore.dll.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\kujogeve.dllc:\windows\system32\vowayore.dll.((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 ))))))))))))))))))))))))))))))).No new files created in this timespan.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-09 21:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-03-09 09:04 --------- d-----w c:\program files\Spyware Doctor2009-03-09 02:35 --------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org22009-03-08 00:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware2009-03-07 06:29 --------- d-----w c:\program files\Google2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys2009-02-03 04:24 --------- d-----w c:\documents and settings\Chris\Application Data\Move Networks2009-01-15 04:37 --------- d-----w c:\documents and settings\Chris\Application Data\Viewpoint2009-01-15 03:32 --------- d-----w c:\documents and settings\Chris\Application Data\TextPad2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll2008-12-11 22:47 410,984 ----a-w c:\windows\system32\deploytk.dll2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys2006-11-10 02:07 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys.((((((((((((((((((((((((((((( SnapShot@2009-03-08_21.41.12.81 ))))))))))))))))))))))))))))))))))))))))).+ 2009-03-09 02:35:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a50.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-02 169984]"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]c:\documents and settings\Chris\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-09 113664]OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]PowerReg Scheduler V3.exe [2007-09-01 225280]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-09 25214]Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-02 24576]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-01 356920]R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-18 24652]S2 gupdate1c89dd83fc77b56;Google Update Service (gupdate1c89dd83fc77b56);c:\program files\Google\Update\GoogleUpdate.exe [2008-07-11 133104]--- Other Services/Drivers In Memory ---*Deregistered* - mchInjDrv[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHPService REG_MULTI_SZ HPSLPSVC[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10062954-c44f-11db-a379-00038a000015}]\Shell\AutoRun\command - F:\LaunchU3.exe -a.Contents of the 'Scheduled Tasks' folder2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]2009-03-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 19:09]2009-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2919991478-152956865-3165286940-1006.job- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-29 19:09].- - - - ORPHANS REMOVED - - - -URLSearchHooks-HookURL - (no file)URLSearchHooks-Rank - (no file).------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://www.dell.comuInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102uInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglkFF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e0b89e78.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dllFF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-09 21:31:56Windows 5.1.2600 Service Pack 3 NTFSdetected NTDLL code modification:ZwClosescanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(892)c:\windows\System32\BCMLogon.dll.Completion time: 2009-03-09 21:33:45ComboFix-quarantined-files.txt 2009-03-10 01:33:42ComboFix2.txt 2009-03-10 00:15:42ComboFix3.txt 2009-03-09 02:56:16ComboFix4.txt 2009-03-09 01:42:36Pre-Run: 16,707,969,024 bytes freePost-Run: 16,691,654,656 bytes free201 --- E O F --- 2009-02-25 11:12:45HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:34:49 PM, on 3/9/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\WLTRYSVC.EXEC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Google\Update\GoogleUpdate.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\WLTRAY.exeC:\WINDOWS\stsystra.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Trend Micro\Internet Security 12\pccguide.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeC:\Program Files\AIM6\aim6.exeC:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\eHome\ehRecvr.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\OpenOffice.org 2.2\program\soffice.BINC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Program Files\AIM6\aolsoftware.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\eHome\ehmsas.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.comR1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061102R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBLO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -schedulerO4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exeO4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Google Update Service (gupdate1c89dd83fc77b56) (gupdate1c89dd83fc77b56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE--End of file - 13148 bytes Link to post Share on other sites More sharing options...
KaiW Posted March 10, 2009 Author ID:63333 Share Posted March 10, 2009 Hope it's looking good this time - husband is climbing the walls without his computer. Verdict? Link to post Share on other sites More sharing options...
Tigger93 Posted March 10, 2009 ID:63334 Share Posted March 10, 2009 Go start -> run and type in combofix /u and press OK to remove Combofix.Everything looks good now. Still having any problems? Link to post Share on other sites More sharing options...
KaiW Posted March 11, 2009 Author ID:63382 Share Posted March 11, 2009 So far so good, my friend!Will be back if something pops up, but for now you are my personal god. THANK YOU. Link to post Share on other sites More sharing options...
Recommended Posts