
I'm Infected, HELP PLEASE!


ESSYMOND

Still experiencing weird problems, please help analyze this! Much love... Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 2

08/09/2009 8:37:15 PM

mbam-log-2009-09-08 (20-37-15).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 190392

Time elapsed: 50 minute(s), 4 second(s)

Memory Processes Infected: 5

Memory Modules Infected: 0

Registry Keys Infected: 16

Registry Values Infected: 2

Registry Data Items Infected: 5

Folders Infected: 4

Files Infected: 81

Memory Processes Infected:

C:\WINDOWS\system32\temp1.exe (Trojan.Downloader) -> Unloaded process successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\Fonts\Fonts.exe (Worm.Archive) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe (Worm.Archive) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe (Worm.Archive) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmanager.exe (Worm.AutoRun) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys (Worm.Archive) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\pchealth\Global.exe) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\windows\svchost.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\temp1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\copy.exe (Worm.Perlovga) -> Quarantined and deleted successfully.

C:\Documents and Settings\Esmond\protect.dll (Rootkit.Small) -> Quarantined and deleted successfully.

C:\Documents and Settings\Esmond\Start Menu\Programs\Startup\ChkDisk.dll (Rootkit.Small) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\protect.dll (Rootkit.Small) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Common\svchost.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP193\A0062387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP193\A0062388.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP198\A0063386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP198\A0063387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP199\A0064386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP199\A0064387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP199\A0064777.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP199\A0065386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP199\A0065387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP201\A0066386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP201\A0066387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP201\A0067386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP201\A0067387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP163\A0055385.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP163\A0055386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP163\A0056385.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP163\A0056386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP167\A0057385.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP167\A0057386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP170\A0058386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP170\A0058387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP171\A0059386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP171\A0059387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP172\A0060386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP172\A0060387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP179\A0061386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C8CB69C1-4515-4BD3-B2B6-1337CA6903E7}\RP179\A0061387.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\xcopy.exe (Worm.Perlovga) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\temp2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\protect.dll (Rootkit.Small) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Rootkit.Small) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ms.dll (Rootkit.Small) -> Quarantined and deleted successfully.

D:\copy.exe (Worm.Perlovga) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\init.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss3356.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss3411.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss34bd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss40e2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss418e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss4269.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss706d.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss7251.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdss73d8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS852d.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssbd77.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssbe52.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssbefe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssc372.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssc49b.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssccc9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSScd62.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdsscd75.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tdssce50.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\Fonts.exe (Worm.Archive) -> Delete on reboot.

C:\WINDOWS\Fonts\tskmgr.exe (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Windows_update.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

C:\autorun.inf (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\MS-DOS.com (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\PCHealth\Global.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.com (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\Media\rndll32.pif (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\Cursors\Boom.vbs (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\Global.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\rndll32.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\tskmgr.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\Drivers.cab.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\host.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Here's the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:45:43 PM, on 08/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Norman\Nvc\Bin\ZLH.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Norman\Nvc\Bin\Zanda.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Nvc\Bin\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

O4 - HKLM\..\Run: [RemoveWGA] E:\RemoveWGA.exe -startup

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [D-Link Network USB Utility] C:\Program Files\D-Link\SharePort\SharePort Network USB Utility.exe -mini

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe

O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe

O4 - HKLM\..\Policies\Explorer\Run: [sys] C:\WINDOWS\Fonts\Fonts.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')

O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')

O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: Download Link Using Mega Manager... - D:\Program Files\Megaupload\Mega Manager\mm_file.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Nvc\Bin\Zanda.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 8806 bytes

THANKS!!!


  • Staff

Hi and welcome to Malwarebytes.

Bumping your topic makes it seem like you are already being helped, and as you've noticed, you were overlooked because of it.

With that said, please update MBAM, run a Quick Scan, and post its log.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
