
iexplore infected


Name: chemical55
Date: August 19, 2008 at 13:58:39 Pacific
OS: Windows XP SP2
CPU/Ram: AMD 64 3200 / 2 Gig RAM
Comment:

Hello and thanks for reading this!

My iexplorer seems to be infected. First off, 50% of the time when I click the taskbar shortcut nothing happens. Yet when I check the task manager iexplore is running using around 8k or so of RAM. When I do manage to get iexplorer running, any link I click or bookmark I go to will open a new window. Sometimes iexplorer will freeze and I get a message that I don't have sufficient rights to the program that I am using. I have tried to log in as the admin in safe mode and give my login the proper rights to iexplorer but it doesn't seem to work.

I also get popups from time to time, especially when I am not using the net. Usually the Microsoft anti phishing security center pops up along with these ads.

Checking my task manager the program "pab2Ch62.exe" shows up. Killing this program seems to have no effect on the popups. Going through my system32 folder I see a few other virus/spyware programs.

I have run program after program and can't seem to get rid of these issues. I have run Avast, Malwarebytes' Anti-Malware, VundoFix, and others. I let these programs run, restart my computer and run again but they can't get rid of this.

The only reason I can post now is because I am using Internet Explorer with no add-ons.




Response Number 1
Name: jabuck
Date: August 19, 2008 at 15:19:09 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: chemical55
Date: August 19, 2008 at 18:13:49 Pacific
Reply:

Thanks for the reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:57 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\pab2Ch62.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {4C5AB1EC-0ADD-4825-AA2D-D046A4B35FAC} - C:\WINDOWS\system32\opnooNhe.dll (file missing)
O2 - BHO: (no name) - {8999933C-E3BF-4D7A-98D6-B4EE4FD8D027} - C:\WINDOWS\system32\ssqRIBUn.dll (file missing)
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\PABn7Hsl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.exe /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.exe /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downl...
O18 - Filter hijack: text/html - {36c88c48-6075-477f-afe3-ab19b065dd8a} - C:\WINDOWS\system32\iehlpr32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


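As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage pass over lines of the kind in the log above. It parses running-process lines and O2, O18 and O4/O23 entries and flags the same signals jabuck acted on: unnamed or missing BHO DLLs, the O18 text/html filter hijack, and 8-character mixed-case names sitting in system32 (the last is a heuristic, not a verdict). The sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\pab2Ch62.exe

O2 - BHO: (no name) - {4C5AB1EC-0ADD-4825-AA2D-D046A4B35FAC} - C:\WINDOWS\system32\opnooNhe.dll (file missing)
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\PABn7Hsl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O18 - Filter hijack: text/html - {36c88c48-6075-477f-afe3-ab19b065dd8a} - C:\WINDOWS\system32\iehlpr32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One HijackThis entry: section code, " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
# A line in the "Running processes" block is just a full path to an .exe.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
GUID = r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - " + GUID +
                    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$")
FILTER_RE = re.compile(r"^Filter hijack: (?P<mime>\S+) - " + GUID + r" - (?P<path>.*)$")
# First Windows path inside a command line such as "RUNDLL32.exe C:\...\NvCpl.dll,NvStartup".
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,\"]+")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str      # "process", "O2", "O18", "O4", ...
    path: str
    reasons: tuple


def looks_random(path: str) -> bool:
    """Heuristic only: an 8-character mixed-case file stem directly in system32.

    Catches the names in this thread (pab2Ch62, opnooNhe, PABn7Hsl) and leaves
    ordinary lowercase names such as svchost or nvsvc32 alone."""
    if not SYSTEM32.search(path):
        return False
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    return (len(stem) == 8
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def classify(line: str):
    """Return (section, path, reasons) for one log line; reasons may be empty."""
    if PROC_RE.match(line):
        return "process", line, []
    m = ENTRY_RE.match(line)
    if m is None:
        return "", "", []                      # headers, blank lines, unknown formats
    section, body = m.group("section"), m.group("body")
    if section == "O2":
        b = BHO_RE.match(body)
        if b is None:
            return section, "", []
        reasons = []
        if b.group("name") == "(no name)":
            reasons.append("BHO has no name")
        if b.group("missing"):
            reasons.append("BHO registered but its DLL is missing")
        return section, b.group("path"), reasons
    if section == "O18":
        f = FILTER_RE.match(body)
        if f is None:
            return section, "", []
        # A MIME filter sees every page of that type before the browser renders it.
        return section, f.group("path"), [f"{f.group('mime')} filter hijack"]
    p = PATH_RE.search(body)                   # O4, O23 and the rest: just pull the path
    return section, (p.group(0) if p else ""), []


def triage(log_text: str):
    """Collect a Finding for every line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        section, path, reasons = classify(raw.strip())
        if path and looks_random(path):
            reasons.append("random-looking 8-character name in system32")
        if reasons:
            findings.append(Finding(section, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.path}  <- {'; '.join(f.reasons)}")
```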

Response Number 3
Name: jabuck
Date: August 19, 2008 at 18:36:12 Pacific
Reply:

Please download the OTMoveIt2 by OldTimer and save it to your desktop.

1. Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
2. Copy the lines between the X's below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

C:\WINDOWS\system32\pab2Ch62.exe
C:\WINDOWS\system32\opnooNhe.dll
C:\WINDOWS\system32\ssqRIBUn.dll
C:\WINDOWS\system32\iehlpr32.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

3. Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



Response Number 4
Name: chemical55
Date: August 19, 2008 at 19:32:01 Pacific
Reply:

Thanks again for your help.

Moveit:
C:\WINDOWS\system32\pab2Ch62.exe moved successfully.
File/Folder C:\WINDOWS\system32\opnooNhe.dll not found.
File/Folder C:\WINDOWS\system32\ssqRIBUn.dll not found.
File/Folder C:\WINDOWS\system32\iehlpr32.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 081

Combofix log:
ComboFix 08-08-18.05 - Owner 2008-08-19 22:16:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1522 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\8W9ZEXE4\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\8W9ZEXE4\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\YZGTF865\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\YZGTF865\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\My Documents\SMANTE~1
C:\Documents and Settings\Owner\My Documents\WNSXS~1
C:\Documents and Settings\Owner\UserData
C:\Documents and Settings\Owner\UserData\EZ95H6WK\dmtstore[1].xml
C:\Documents and Settings\Owner\UserData\EZ95H6WK\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\Owner\UserData\EZ95H6WK\oWindowsUpdate[1].xml
C:\Documents and Settings\Owner\UserData\index.dat
C:\Documents and Settings\Owner\UserData\NFCQB4J2\oXMLStore[1].xml
C:\Documents and Settings\Owner\UserData\S8IEDPYB\dmtstore[1].xml
C:\Documents and Settings\Owner\UserData\S8IEDPYB\oWindowsUpdate[1].xml
C:\Documents and Settings\Owner\UserData\S8IEDPYB\Q42[1].xml
C:\Documents and Settings\Owner\UserData\S8MMOAXA\kbe[1].xml
C:\Documents and Settings\Owner\UserData\S8MMOAXA\oXMLStore[1].xml
C:\Documents and Settings\Owner\UserData\S8MMOAXA\YL[1].xml
C:\Program Files\icroso~1
C:\Program Files\icroso~1\?icrosoft\
C:\WINDOWS\system32\nUBIRqss.ini
C:\WINDOWS\system32\nUBIRqss.ini2
C:\WINDOWS\system32\PABn7Hsl.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d-------- C:\_OTMoveIt
2008-08-17 23:11 . 2008-08-17 23:11 0 --a------ C:\WINDOWS\system32\pab2Ch62.exe.a_a
2008-08-17 22:16 . 2008-08-17 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-17 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 22:15 . 2008-08-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 22:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 21:45 . 2008-08-17 21:45 <DIR> d--hs---- C:\found.000
2008-08-17 14:46 . 2008-08-17 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 14:37 . 2008-08-19 15:55 <DIR> d-------- C:\VundoFix Backups
2008-08-17 00:34 . 2008-08-17 00:34 244 --ah----- C:\sqmnoopt10.sqm
2008-08-17 00:34 . 2008-08-17 00:34 232 --ah----- C:\sqmdata10.sqm
2008-08-17 00:28 . 2008-08-17 00:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-16 16:19 . 2008-08-16 16:19 <DIR> d-------- C:\Program Files\COWON
2008-08-16 12:18 . 2008-08-16 12:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-16 12:17 . 2008-08-16 19:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-08-16 03:23 . 2008-08-16 13:38 32,598 ---hs---- C:\WINDOWS\system32\bqyktujx.ini
2008-08-15 21:42 . 2008-08-15 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 19:14 . 2008-08-15 22:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 13:38 . 2008-08-15 13:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 11:19 . 2008-08-15 11:19 244 --ah----- C:\sqmnoopt09.sqm
2008-08-15 11:19 . 2008-08-15 11:19 232 --ah----- C:\sqmdata09.sqm
2008-08-15 02:15 . 2008-08-15 02:14 29,760 --a------ C:\WINDOWS\system32\Gmmb84I6.exe
2008-08-14 20:46 . 2008-08-14 20:48 <DIR> d-------- C:\KMaestro
2008-08-14 20:42 . 2001-12-20 11:34 36,864 --a------ C:\WINDOWS\system32\KMUninst.exe
2008-08-14 20:42 . 2001-12-13 11:31 5,737 --a------ C:\WINDOWS\system32\drivers\Maestro0.sys
2008-08-12 11:21 . 2008-08-12 11:21 244 --ah----- C:\sqmnoopt08.sqm
2008-08-12 11:21 . 2008-08-12 11:21 232 --ah----- C:\sqmdata08.sqm
2008-08-10 11:10 . 2008-08-10 11:10 244 --ah----- C:\sqmnoopt07.sqm
2008-08-10 11:10 . 2008-08-10 11:10 232 --ah----- C:\sqmdata07.sqm
2008-08-09 11:45 . 2008-08-09 11:45 244 --ah----- C:\sqmnoopt06.sqm
2008-08-09 11:45 . 2008-08-09 11:45 232 --ah----- C:\sqmdata06.sqm
2008-08-08 18:21 . 2008-08-08 18:21 244 --ah----- C:\sqmnoopt05.sqm
2008-08-08 18:21 . 2008-08-08 18:21 232 --ah----- C:\sqmdata05.sqm
2008-08-05 16:56 . 2008-08-05 16:56 244 --ah----- C:\sqmnoopt04.sqm
2008-08-05 16:56 . 2008-08-05 16:56 232 --ah----- C:\sqmdata04.sqm
2008-08-01 12:14 . 2008-08-01 12:14 244 --ah----- C:\sqmnoopt03.sqm
2008-08-01 12:14 . 2008-08-01 12:14 232 --ah----- C:\sqmdata03.sqm
2008-08-01 12:06 . 2008-08-01 12:06 244 --ah----- C:\sqmnoopt02.sqm
2008-08-01 12:06 . 2008-08-01 12:06 232 --ah----- C:\sqmdata02.sqm
2008-07-31 22:33 . 2008-07-31 22:33 244 --ah----- C:\sqmnoopt01.sqm
2008-07-31 22:33 . 2008-07-31 22:33 232 --ah----- C:\sqmdata01.sqm
2008-07-31 13:19 . 2008-08-15 13:44 <DIR> d-------- C:\Program Files\Common
2008-07-28 17:03 . 2008-07-28 17:03 244 --ah----- C:\sqmnoopt00.sqm
2008-07-28 17:03 . 2008-07-28 17:03 232 --ah----- C:\sqmdata00.sqm
2008-07-25 15:17 . 2008-07-25 15:17 <DIR> d-------- C:\Program Files\Easy Video Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 20:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-18 05:05 --------- d-----w C:\Program Files\Steam
2008-08-18 04:03 --------- d-----w C:\Program Files\Diablo II
2008-08-18 01:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-17 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-08-17 00:06 --------- d-----w C:\Program Files\mIRC
2008-08-16 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-16 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 04:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\DVD Flick
2008-08-15 23:25 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-15 01:04 --------- d-----w C:\Program Files\Winamp
2008-08-02 20:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 19:24 --------- d-----w C:\Program Files\NavNet
2008-07-22 06:36 --------- d-----w C:\Program Files\Soulseek
2008-07-17 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-07-17 00:57 --------- d-----w C:\Program Files\Accessdiver
2008-07-07 05:55 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-07 05:55 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-06-29 00:39 --------- d-----w C:\Program Files\Focus Magic
2008-06-24 00:20 --------- d-----w C:\Program Files\AVG
2008-05-23 22:37 19 ----a-w C:\Documents and Settings\Owner\killbat.bat
2008-05-20 16:12 219,952 ----a-w C:\Program Files\utorrent.exe
2008-04-24 07:33 0 --sha-w C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 10:16 171464]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=C:\WINDOWS\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xfq]
C:\Program Files\?ecurity\?xplorer.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyMaestro]
--a------ 2001-12-19 09:29 122880 C:\KMaestro\KMaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 12:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 06:43 69632 C:\WINDOWS\ALCMTR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-ra------ 2006-02-20 04:01 2809856 C:\WINDOWS\ALCWZRD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-02-27 04:28 16005120 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-02-20 04:00 86016 C:\WINDOWS\SOUNDMAN.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B90782-17F9-687A-C6CA-429E5E2A9589}]
C:\WINDOWS\system32\sv\sv.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7A8BCF3C-ADEB-B39D-3AD9-EE7208710DA7}]
C:\WINDOWS\system32\sv\server.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4C5AB1EC-0ADD-4825-AA2D-D046A4B35FAC} - C:\WINDOWS\system32\opnooNhe.dll
BHO-{8999933C-E3BF-4D7A-98D6-B4EE4FD8D027} - C:\WINDOWS\system32\ssqRIBUn.dll
ShellExecuteHooks-{4C5AB1EC-0ADD-4825-AA2D-D046A4B35FAC} - C:\WINDOWS\system32\opnooNhe.dll
MSConfigStartUp-Aese - C:\PROGRA~1\ICROSO~1\javaw.exe
MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Awola6 - C:\Documents and Settings\Owner\Application Data\Awola6\Awola6.exe
MSConfigStartUp-BM035a0edd - C:\WINDOWS\system32\xtxgsddl.dll
MSConfigStartUp-ISMModule2 - C:\Program Files\ISM\ISMModule2.exe
MSConfigStartUp-ISMModule3 - C:\Program Files\ISM\ISMModule3.exe
MSConfigStartUp-lphcvvvj0ej71 - C:\WINDOWS\system32\lphcvvvj0ej71.exe
MSConfigStartUp-McAfeeUpdaterUI - C:\Program Files\McAfee\Common Framework\UdaterUI.exe
MSConfigStartUp-Microsoft Windows Adapter 5.1 - C:\Documents and Settings\Owner\Application Data\aqeeo.exe
MSConfigStartUp-runner1 - C:\WINDOWS\retadpu11.exe
MSConfigStartUp-SMrhcrvvj0ej71 - C:\Program Files\rhcrvvj0ej71\rhcrvvj0ej71.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
MSConfigStartUp-SUPERAntiSpyware - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-WinAble - C:\Program Files\WinAble\winable.exe
MSConfigStartUp-WinPop - C:\Program Files\WinPop\winpop.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pe823kq5.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 22:24:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------- Other Running Processes -------
.
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-19 22:29:03 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-20 02:29:01

Pre-Run: 6,730,493,952 bytes free
Post-Run: 10,027,991,040 bytes free

277 --- E O F --- 2008-05-28 07:00:49


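As an added example (not part of this thread or of ComboFix), the following Python parses lines from the "Files Created" section of the ComboFix log above, decodes the attribute column by the letters it contains, and lists what appeared directly in system32 in creation order, calling out hidden+system files and zero-byte files. The sample lines are copied from the posted log; the attribute-letter meanings (d, a, h, s) are assumed from that log.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: lines copied from the "Files Created" section of the log above.
SAMPLE_SECTION = r"""
2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d-------- C:\_OTMoveIt
2008-08-17 23:11 . 2008-08-17 23:11 0 --a------ C:\WINDOWS\system32\pab2Ch62.exe.a_a
2008-08-17 22:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 21:45 . 2008-08-17 21:45 <DIR> d--hs---- C:\found.000
2008-08-17 14:46 . 2008-08-17 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 00:34 . 2008-08-17 00:34 244 --ah----- C:\sqmnoopt10.sqm
2008-08-16 03:23 . 2008-08-16 13:38 32,598 ---hs---- C:\WINDOWS\system32\bqyktujx.ini
2008-08-15 02:15 . 2008-08-15 02:14 29,760 --a------ C:\WINDOWS\system32\Gmmb84I6.exe
2008-08-14 20:42 . 2001-12-20 11:34 36,864 --a------ C:\WINDOWS\system32\KMUninst.exe
"""

# Layout of one line: created . modified size attrs path  (size is "<DIR>" for directories)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# A file sitting directly in system32, not in a subfolder such as drivers\.
SYSTEM32_DIRECT = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for a directory
    attrs: frozenset         # attribute letters present in the column, e.g. {"h", "s"}
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumed meanings, taken from the log: d=directory, a=archive, h=hidden, s=system.
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return {"h", "s"} <= self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Turn the section's lines into Entry objects; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue                       # section banners, lone dots, blank lines
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=frozenset(m["attrs"].replace("-", "")),
            path=m["path"],
        ))
    return entries


def review(entries: List[Entry]) -> Dict[str, List[str]]:
    """Three triage views, each a list of paths in creation order (oldest first)."""
    out = {"hidden_system_file": [], "zero_byte_in_system32": [], "new_in_system32": []}
    for e in sorted(entries, key=lambda e: e.created):
        if e.hidden_system and not e.is_dir:
            out["hidden_system_file"].append(e.path)
        if SYSTEM32_DIRECT.match(e.path):
            out["new_in_system32"].append(e.path)
            if e.size == 0:
                out["zero_byte_in_system32"].append(e.path)
    return out


if __name__ == "__main__":
    for name, paths in review(parse_files_created(SAMPLE_SECTION)).items():
        print(name)
        for p in paths:
            print("   ", p)
```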

Response Number 5
Name: jabuck
Date: August 19, 2008 at 20:07:09 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\pab2Ch62.exe.a_a
C:\WINDOWS\system32\bqyktujx.ini
C:\WINDOWS\system32\Gmmb84I6.exe
C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
C:\WINDOWS\system32\sv\sv.exe s
C:\WINDOWS\system32\sv\server.exe s

Driver::
SMrhcrvvj0ej71

Folder::
C:\Program Files\rhcrvvj0ej71
C:\WINDOWS\system32\pab2Ch62.exe.a_a
C:\WINDOWS\system32\sv
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xfq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41B90782-17F9-687A-C6CA-429E5E2A9589}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7A8BCF3C-ADEB-B39D-3AD9-EE7208710DA7}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.




Response Number 6
Name: chemical55
Date: August 20, 2008 at 08:59:06 Pacific
Reply:

Combofix:
ComboFix 08-08-18.05 - Owner 2008-08-20 0:37:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1615 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
C:\WINDOWS\system32\bqyktujx.ini
C:\WINDOWS\system32\Gmmb84I6.exe
C:\WINDOWS\system32\pab2Ch62.exe.a_a
C:\WINDOWS\system32\sv\server.exe s
C:\WINDOWS\system32\sv\sv.exe s
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owner@2o7[4].txt
C:\Documents and Settings\Owner\Cookies\owner@c.gamelink[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[2].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[4].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[5].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[6].txt
C:\Documents and Settings\Owner\Cookies\owner@clicktorrent[8].txt
C:\Documents and Settings\Owner\Cookies\owner@crwdcntrl[4].txt
C:\Documents and Settings\Owner\Cookies\owner@crwdcntrl[5].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-viacom.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@etology[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hb.pcworld[3].txt
C:\Documents and Settings\Owner\Cookies\owner@hits.gureport.co[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hits.gureport.co[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hits.gureport.co[3].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[5].txt
C:\Documents and Settings\Owner\Cookies\owner@live[1].txt
C:\Documents and Settings\Owner\Cookies\owner@live[2].txt
C:\Documents and Settings\Owner\Cookies\owner@members[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[4].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[3].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt
C:\Documents and Settings\Owner\Cookies\owner@t.spike[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tenbux.somethingawful[2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[4].txt
C:\Documents and Settings\Owner\Cookies\owner@turn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@turn[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.clicktorrent[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www35.vzw[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www35.vzw[4].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[5].txt
C:\Documents and Settings\Owner\UserData
C:\Documents and Settings\Owner\UserData\index.dat
C:\WINDOWS\system32\bqyktujx.ini
C:\WINDOWS\system32\Gmmb84I6.exe
C:\WINDOWS\system32\pab2Ch62.exe.a_a
C:\WINDOWS\system32\pab2Ch62.exe.a_a\
C:\WINDOWS\system32\PABn7Hsl.dll
C:\WINDOWS\system32\sv

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 23:11 . 2008-08-19 23:11 80,898 --a------ C:\WINDOWS\system32\pab2Ch62.exe
2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d-------- C:\_OTMoveIt
2008-08-17 22:16 . 2008-08-17 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-17 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 22:15 . 2008-08-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 22:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 21:45 . 2008-08-17 21:45 <DIR> d--hs---- C:\found.000
2008-08-17 14:46 . 2008-08-17 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 14:37 . 2008-08-19 15:55 <DIR> d-------- C:\VundoFix Backups
2008-08-17 00:34 . 2008-08-17 00:34 244 --ah----- C:\sqmnoopt10.sqm
2008-08-17 00:34 . 2008-08-17 00:34 232 --ah----- C:\sqmdata10.sqm
2008-08-17 00:28 . 2008-08-17 00:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-16 16:19 . 2008-08-16 16:19 <DIR> d-------- C:\Program Files\COWON
2008-08-16 12:18 . 2008-08-16 12:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-16 12:17 . 2008-08-16 19:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-08-15 21:42 . 2008-08-15 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 19:14 . 2008-08-15 22:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 13:38 . 2008-08-15 13:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 11:19 . 2008-08-15 11:19 244 --ah----- C:\sqmnoopt09.sqm
2008-08-15 11:19 . 2008-08-15 11:19 232 --ah----- C:\sqmdata09.sqm
2008-08-14 20:46 . 2008-08-14 20:48 <DIR> d-------- C:\KMaestro
2008-08-14 20:42 . 2001-12-20 11:34 36,864 --a------ C:\WINDOWS\system32\KMUninst.exe
2008-08-14 20:42 . 2001-12-13 11:31 5,737 --a------ C:\WINDOWS\system32\drivers\Maestro0.sys
2008-08-12 11:21 . 2008-08-12 11:21 244 --ah----- C:\sqmnoopt08.sqm
2008-08-12 11:21 . 2008-08-12 11:21 232 --ah----- C:\sqmdata08.sqm
2008-08-10 11:10 . 2008-08-10 11:10 244 --ah----- C:\sqmnoopt07.sqm
2008-08-10 11:10 . 2008-08-10 11:10 232 --ah----- C:\sqmdata07.sqm
2008-08-09 11:45 . 2008-08-09 11:45 244 --ah----- C:\sqmnoopt06.sqm
2008-08-09 11:45 . 2008-08-09 11:45 232 --ah----- C:\sqmdata06.sqm
2008-08-08 18:21 . 2008-08-08 18:21 244 --ah----- C:\sqmnoopt05.sqm
2008-08-08 18:21 . 2008-08-08 18:21 232 --ah----- C:\sqmdata05.sqm
2008-08-05 16:56 . 2008-08-05 16:56 244 --ah----- C:\sqmnoopt04.sqm
2008-08-05 16:56 . 2008-08-05 16:56 232 --ah----- C:\sqmdata04.sqm
2008-08-01 12:14 . 2008-08-01 12:14 244 --ah----- C:\sqmnoopt03.sqm
2008-08-01 12:14 . 2008-08-01 12:14 232 --ah----- C:\sqmdata03.sqm
2008-08-01 12:06 . 2008-08-01 12:06 244 --ah----- C:\sqmnoopt02.sqm
2008-08-01 12:06 . 2008-08-01 12:06 232 --ah----- C:\sqmdata02.sqm
2008-07-31 22:33 . 2008-07-31 22:33 244 --ah----- C:\sqmnoopt01.sqm
2008-07-31 22:33 . 2008-07-31 22:33 232 --ah----- C:\sqmdata01.sqm
2008-07-31 13:19 . 2008-08-15 13:44 <DIR> d-------- C:\Program Files\Common
2008-07-28 17:03 . 2008-07-28 17:03 244 --ah----- C:\sqmnoopt00.sqm
2008-07-28 17:03 . 2008-07-28 17:03 232 --ah----- C:\sqmdata00.sqm
2008-07-25 15:17 . 2008-07-25 15:17 <DIR> d-------- C:\Program Files\Easy Video Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 20:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-18 05:05 --------- d-----w C:\Program Files\Steam
2008-08-18 04:03 --------- d-----w C:\Program Files\Diablo II
2008-08-18 01:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-17 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-08-17 00:06 --------- d-----w C:\Program Files\mIRC
2008-08-16 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-16 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 04:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\DVD Flick
2008-08-15 23:25 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-15 01:04 --------- d-----w C:\Program Files\Winamp
2008-08-02 20:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 19:24 --------- d-----w C:\Program Files\NavNet
2008-07-22 06:36 --------- d-----w C:\Program Files\Soulseek
2008-07-17 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-07-17 00:57 --------- d-----w C:\Program Files\Accessdiver
2008-07-07 05:55 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-07 05:55 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-06-29 00:39 --------- d-----w C:\Program Files\Focus Magic
2008-06-24 00:20 --------- d-----w C:\Program Files\AVG
2008-05-23 22:37 19 ----a-w C:\Documents and Settings\Owner\killbat.bat
2008-05-20 16:12 219,952 ----a-w C:\Program Files\utorrent.exe
2008-04-24 07:33 0 --sha-w C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_22.28.51.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-18 13:00:00 231,693 ----a-w C:\WINDOWS\Help\msimtf.dll
+ 2004-08-18 13:00:00 315,465 ----a-w C:\WINDOWS\Help\msimtf.dll
+ 2008-08-20 04:39:54 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 10:16 171464]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=C:\WINDOWS\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyMaestro]
--a------ 2001-12-19 09:29 122880 C:\KMaestro\KMaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 12:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-ra------ 2006-02-20 04:01 2809856 C:\WINDOWS\ALCWZRD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-02-27 04:28 16005120 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-02-20 04:00 86016 C:\WINDOWS\SOUNDMAN.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 00:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-20 0:50:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 04:50:32
ComboFix2.txt 2008-08-20 02:29:04

Pre-Run: 9,992,437,760 bytes free
Post-Run: 10,004,959,232 bytes free

271 --- E O F --- 2008-05-28 07:00:49

Malwarebytes' Program Log:
Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

11:57:37 AM 8/20/2008
mbam-log-08-20-2008 (11-57-37).txt

Scan type: Quick Scan
Objects scanned: 46780
Time elapsed: 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Help\msimtf.dll (Adware.Agent) -> Quarantined and deleted successfully.



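The ComboFix log above is what the helper reads to decide the next step: a freshly created, random-looking executable in system32, a DLL whose size changed between snapshots, the Windows Firewall switched off, and an AutoRun command registered for a removable drive. The following is an added example and not code from this thread or from ComboFix itself: a small Python triage script that parses a log excerpt (the sample lines are constructed from the posted log; paths and timestamps are the thread's own) and flags those four kinds of item. The thresholds it uses, a two-day creation window and the eight-character mixed-case name heuristic, are my assumptions, not ComboFix rules.

```python
"""Triage a ComboFix log excerpt: surface the items a helper looks at first.

Added example, not part of the thread or of ComboFix. The sample below is
constructed from lines of the log posted above.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines copied from the posted ComboFix log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 23:11 . 2008-08-19 23:11 80,898 --a------ C:\WINDOWS\system32\pab2Ch62.exe
2008-08-17 22:15 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 14:46 . 2008-08-17 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-14 20:42 . 2001-12-20 11:34 36,864 --a------ C:\WINDOWS\system32\KMUninst.exe
2008-08-17 00:28 . 2008-08-17 00:28 <DIR> d-------- C:\Program Files\Alwil Software
.
((((((((((((((((((((((((((((( snapshot@2008-08-19_22.28.51.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-18 13:00:00 231,693 ----a-w C:\WINDOWS\Help\msimtf.dll
+ 2004-08-18 13:00:00 315,465 ----a-w C:\WINDOWS\Help\msimtf.dll
+ 2008-08-20 04:39:54 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_690.dat
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
"""

# Line shapes used by ComboFix logs of this vintage (as seen in the post above).
CREATED_HDR = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
CREATED_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)
SNAPSHOT_ROW = re.compile(r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S{7}) (.+)$")
REG_SECTION = re.compile(r"^\[(.+)\]$")
EXEC_EXT = (".exe", ".dll", ".sys", ".pif", ".scr")


def looks_random(stem):
    """Assumed heuristic: 8-character names mixing upper, lower and digits
    (pab2Ch62, Gmmb84I6 in the log above). Ordinary names fail at least one test."""
    return (len(stem) == 8
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage(log_text, recent_days=2):
    """Return (rule, detail) findings from a ComboFix log excerpt."""
    findings = []
    log_end = None          # end date of the "Files Created" window
    removed = {}            # path -> size from '-' snapshot lines
    section = None          # current registry key in "Reg Loading Points"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED_HDR.search(line)
        if m:
            log_end = datetime.strptime(m.group(2), "%Y-%m-%d")
            continue
        m = CREATED_ROW.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            size, path = m.group(3), m.group(5)
            low = path.lower()
            if size == "<DIR>" or not low.endswith(EXEC_EXT):
                continue
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Rule 1: executable dropped into system32 shortly before the log date.
            if ("\\windows\\system32\\" in low and log_end is not None
                    and log_end - created <= timedelta(days=recent_days)):
                findings.append(("recent_system32_executable", path))
            # Rule 2: name looks machine-generated.
            if looks_random(stem):
                findings.append(("random_looking_name", path))
            continue
        m = SNAPSHOT_ROW.match(line)
        if m:
            sign, size, path = m.group(1), m.group(3), m.group(5)
            if sign == "-":
                removed[path] = size
            elif path in removed and removed[path] != size:
                # Rule 3: same path, different size between the two snapshots.
                findings.append(("changed_since_snapshot", f"{path} {removed[path]} -> {size}"))
            continue
        m = REG_SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section is None:
            continue
        # Rule 4: Windows Firewall profile switched off.
        if section.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"') and "= 0" in line:
            findings.append(("firewall_disabled", section))
        # Rule 5: AutoRun command registered for a mounted (usually removable) drive.
        elif "mountpoints2" in section and "\\shell\\autorun\\command" in line.lower():
            findings.append(("autorun_command", line.split(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Run against the sample it reports pab2Ch62.exe under both the recency and the naming rule, the msimtf.dll size change (the file MBAM later quarantined as Adware.Agent), the disabled firewall profile and the E:\Setup.exe AutoRun entry, while VundoFixSVC.exe and KMUninst.exe, which are older and have ordinary names, stay off the list. The rules are a starting point for reading such logs, not a verdict; each hit still needs the judgement the helper applies in the replies above.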
Response Number 7
Name: jabuck
Date: August 20, 2008 at 15:07:53 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\pab2Ch62.exe
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\sqmnoopt04.sqm
C:\sqmdata04.sqm
C:\sqmnoopt03.sqm
C:\sqmdata03.sqm
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm
C:\sqmnoopt01.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat

Folder::
C:\Program Files\Viewpoint

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "Run".

Post a new Combofix log.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.



Response Number 8
Name: chemical55
Date: August 21, 2008 at 08:43:50 Pacific
Reply:

ComboFix 08-08-19.06 - Owner 2008-08-21 1:50:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1638 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\WINDOWS\system32\pab2Ch62.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owner@interclick[3].txt
C:\Documents and Settings\Owner\Cookies\owner@track.bestbuy[1].txt
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\WINDOWS\system32\pab2Ch62.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-20 12:00 . 2008-08-20 12:00 <DIR> d--hs---- C:\Documents and Settings\Owner\UserData
2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d-------- C:\_OTMoveIt
2008-08-17 22:16 . 2008-08-17 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-20 01:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 22:15 . 2008-08-17 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 22:15 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 22:15 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 21:45 . 2008-08-17 21:45 <DIR> d--hs---- C:\found.000
2008-08-17 14:46 . 2008-08-17 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 14:37 . 2008-08-19 15:55 <DIR> d-------- C:\VundoFix Backups
2008-08-17 00:28 . 2008-08-17 00:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-16 16:19 . 2008-08-16 16:19 <DIR> d-------- C:\Program Files\COWON
2008-08-16 12:18 . 2008-08-16 12:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-16 12:17 . 2008-08-16 19:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-08-15 21:42 . 2008-08-15 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-15 19:16 . 2008-08-17 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 19:14 . 2008-08-15 22:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 13:38 . 2008-08-15 13:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 20:46 . 2008-08-14 20:48 <DIR> d-------- C:\KMaestro
2008-08-14 20:42 . 2001-12-20 11:34 36,864 --a------ C:\WINDOWS\system32\KMUninst.exe
2008-08-14 20:42 . 2001-12-13 11:31 5,737 --a------ C:\WINDOWS\system32\drivers\Maestro0.sys
2008-07-31 13:19 . 2008-08-15 13:44 <DIR> d-------- C:\Program Files\Common
2008-07-25 15:17 . 2008-07-25 15:17 <DIR> d-------- C:\Program Files\Easy Video Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 22:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-18 05:05 --------- d-----w C:\Program Files\Steam
2008-08-18 04:03 --------- d-----w C:\Program Files\Diablo II
2008-08-18 01:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-17 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-08-17 00:06 --------- d-----w C:\Program Files\mIRC
2008-08-16 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-16 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 04:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\DVD Flick
2008-08-15 23:25 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-15 01:04 --------- d-----w C:\Program Files\Winamp
2008-08-02 20:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 19:24 --------- d-----w C:\Program Files\NavNet
2008-07-22 06:36 --------- d-----w C:\Program Files\Soulseek
2008-07-17 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-07-17 00:57 --------- d-----w C:\Program Files\Accessdiver
2008-07-07 05:55 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-07 05:55 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-06-29 00:39 --------- d-----w C:\Program Files\Focus Magic
2008-06-24 00:20 --------- d-----w C:\Program Files\AVG
2008-05-23 22:37 19 ----a-w C:\Documents and Settings\Owner\killbat.bat
2008-05-20 16:12 219,952 ----a-w C:\Program Files\utorrent.exe
2008-04-24 07:33 0 --sha-w C:\Documents and Settings\Owner\Application Data\[u]0[/u]0000000005.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-19_22.28.51.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-21 05:55:47 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_68c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 10:16 171464]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=C:\WINDOWS\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyMaestro]
--a------ 2001-12-19 09:29 122880 C:\KMaestro\KMaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 12:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-ra------ 2006-02-20 04:01 2809856 C:\WINDOWS\ALCWZRD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-02-27 04:28 16005120 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-02-20 04:00 86016 C:\WINDOWS\SOUNDMAN.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\chemical55@hotmail.com\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 02:08:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-21 2:12:46 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-21 06:12:43
ComboFix2.txt 2008-08-20 04:50:35
ComboFix3.txt 2008-08-20 02:29:04

Pre-Run: 9,395,949,568 bytes free
Post-Run: 9,907,064,832 bytes free

277 --- E O F --- 2008-05-28 07:00:49


----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 21, 2008 07:03:30
Records in database: 1117229
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 196605
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:26:51


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\54\7c9afc76-42a79fa4 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pab2Ch62.exe.vir Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\PABn7Hsl.dll.vir Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\_OTMoveIt\MovedFiles\08192008_221226\WINDOWS\system32\pab2Ch62.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1

The selected area was scanned.


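A triage script for the Kaspersky report above, added here as an example and not something posted in the thread or shipped with the scanner. It reads the "Infected:" lines and separates hits that sit in ComboFix's and OTMoveIt's quarantine folders (files already moved out of their original location) from the Java deployment cache hit and the not-a-virus mIRC entry, so only genuinely live detections are left to act on. The quarantine folder names are taken from the paths in the report itself; the category names are the example's own.

```python
"""Triage a Kaspersky Online Scanner 7 report.

Added example, not code from the thread or from Kaspersky.  The report
lists every file the signature database matched, including copies that
ComboFix and OTMoveIt had already moved into their quarantine folders and
tools that are flagged as "not-a-virus" (potentially unwanted, not
malicious).  Separating those from live hits shows what still needs action.
"""
import re
from dataclasses import dataclass

# Detection lines copied from the report posted in the thread.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Documents and Settings\\Owner\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\54\\7c9afc76-42a79fa4 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\pab2Ch62.exe.vir Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\PABn7Hsl.dll.vir Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\\_OTMoveIt\\MovedFiles\\08192008_221226\\WINDOWS\\system32\\pab2Ch62.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1

The selected area was scanned.
"""

# Quarantine locations, taken from the paths in the report: ComboFix keeps
# removed files under C:\QooBox\Quarantine, OTMoveIt under C:\_OTMoveIt\MovedFiles.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otmoveit\\movedfiles\\")

# The Java deployment cache holds downloaded applets, not installed programs;
# it is emptied from the Java control panel (the step the follow-up reply asks for).
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    category: str  # "quarantined", "not-a-virus", "java-cache" or "live"


def classify(path, threat):
    """Decide whether a detection still needs action ("live") or not."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if threat.lower().startswith("not-a-virus:"):
        return "not-a-virus"
    if JAVA_CACHE_MARKER in low:
        return "java-cache"
    return "live"


def parse_report(text):
    """Return one Detection per 'Infected:' line; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]),
                                   classify(m["path"], m["threat"])))
    return found


def summarize(detections):
    """Count detections per category."""
    counts = {}
    for d in detections:
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in found:
        print(f"{d.category:12} {d.threat:40} {d.path}")
    print(summarize(found))
```

Run against the report above it reports three quarantined copies (the same Trojan-Downloader files ComboFix and OTMoveIt had already pulled out of system32), one Java cache entry and one not-a-virus entry, and no live detections, which matches the "almost everything seems back to normal" outcome in the next reply.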

Response Number 9
Name: jabuck
Date: August 21, 2008 at 20:29:25 Pacific
Reply:

Go to start> run> type in combofix /u; this will uninstall combofix.

Navigate to and delete this folder:

C:\_OTMoveIt

Go to Start> control panel> java> General> settings> delete files> ok> ok.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log.

Let us know how the computer is operating.



Response Number 10
Name: chemical55
Date: August 23, 2008 at 14:42:43 Pacific
Reply:

Almost everything seems back to normal. The only problem is that ~25% of the time when I click the IE shortcut nothing happens. I check task manager and there it is using 8k of memory. I have to kill the process and try again. This can go on 5 or 6 times before I'm able to get IE started.

Here is my HT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:33 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.exe /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.exe /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downl...
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 3829 bytes


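To go with the HijackThis log, an added parsing example (not part of the thread and not Trend Micro's tool) that groups entries by their type code and flags the ones a helper looks at first: O23 services marked "(file missing)" (orphaned registrations like the McAfee and Viewpoint entries above) and O4 Run entries whose program either has no directory at all or lives outside C:\WINDOWS and C:\Program Files. The sample lines are copied from the log, plus one constructed O4 line so the location check has something to catch; the trusted-directory list is the example's own assumption.

```python
"""Group a HijackThis 2.0.2 log by entry type and flag entries to look at first.

Added example, not code from the thread or from Trend Micro.  Two checks:
O23 services whose file no longer exists (orphaned registrations), and O4
Run entries that launch a program with no directory or from outside the
Windows and Program Files trees (the trusted-directory list is this
example's own assumption).
"""
import re

# Lines copied from the HijackThis log in the thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.exe C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [DAEMON Tools] "C:\\Program Files\\DAEMON Tools\\daemon.exe" -lang 1033
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downl...
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\\Program Files\\NVIDIA Corporation\\nTune\\nTuneService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe (file missing)
"""

# Constructed line (not from the thread) so the location check has a hit:
# a Run entry launching from the user's Application Data folder.
CONSTRUCTED_LINE = ('O4 - HKCU\\..\\Run: [Example] '
                    '"C:\\Documents and Settings\\Owner\\Application Data\\example.exe"\n')

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Assumption of this example: programs under these trees are "expected".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def executable_of(cmd):
    """Best-effort extraction of the program a Run-key command starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 loads the DLL named before the comma in its first argument
        return rest.strip().split(",")[0].strip('"')
    return first


def flag_run_entry(name, cmd):
    """Return a note for an O4 entry that deserves a look, else None."""
    exe = executable_of(cmd)
    if "\\" not in exe:
        return f"[{name}] gives no directory for {exe}; it is resolved at logon time"
    if not exe.lower().startswith(TRUSTED_DIRS):
        return f"[{name}] starts {exe} from outside Windows/Program Files"
    return None


def flag_service_entry(body):
    """Return a note for an O23 entry whose file is gone, else None."""
    m = SERVICE_RE.match(body)
    if m and m["missing"]:
        return f"{m['name']}: service file no longer exists ({m['path']}); orphaned entry"
    return None


def analyze(text):
    """Return per-type counts and the list of flagged entries."""
    counts, flags = {}, []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        counts[kind] = counts.get(kind, 0) + 1
        note = None
        if kind == "O4":
            run = RUN_RE.match(body)
            if run:
                note = flag_run_entry(run["name"], run["cmd"])
        elif kind == "O23":
            note = flag_service_entry(body)
        if note:
            flags.append(note)
    return {"counts": counts, "flags": flags}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG + CONSTRUCTED_LINE)
    print(result["counts"])
    for note in result["flags"]:
        print("FLAG:", note)
```

On the real log the two "(file missing)" services are leftovers from uninstalled software rather than an infection, and the nwiz entry is only flagged because it names the program without a path; the ComboFix output earlier in the thread resolves it to C:\WINDOWS\system32\nwiz.exe.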

Response Number 11
Name: jabuck
Date: August 24, 2008 at 13:01:52 Pacific
Reply:

Sorry for the delayed reply, have had a power outage due to a tropical storm.

Please go to Virus Total and upload the following file for analysis:

C:\Documents and Settings\Owner\Application Data\00000000005.dat

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.



Response Number 12
Name: mavis007
Date: August 26, 2008 at 13:31:05 Pacific
Reply:

Hi "jabuck"

... I'm NOT too impressed with "OTMoveIt2.exe"

... is this a false positive??

http://www.virustotal.com/analisis/...

... please check!

Grrrr
"...pentathol makes you sing like a canary"
... got brain freeze



Response Number 13
Name: mavis007
Date: August 26, 2008 at 13:38:44 Pacific
Reply:

... I've had my screen turn off a couple of times since, hence:

http://virscan.org/report/a8b1f881f...

Grrrr
"...pentathol makes you sing like a canary"
... got brain freeze


