Help I Have A Trojan

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Important Announcement: The winners of the BC Million Post contest have been announced. You can read who the winners are at this post.

- BleepingComputer Management

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Help I Have A Trojan, I don't know how to get rid of it!

Options

Pooh85 View Member Profile	Aug 22 2008, 02:50 AM Post #1
Member Group: Members Posts: 15 Joined: 20-August 08 Member No.: 231,699	I know sure what I have but I know it came after I downloaded something from limewire, Mcafee has reported it as vundogen!p and spybot has shown entries for virtumundo. It's slowed my computer down and when I start my computer up, I have no desktop and have to run the process manually. It was only affecting internet explorer but it's also been making mozilla do some weird things lately. I also cant update windows defender! I've tried so many ways to get rid of this thing with no luck. Here's my HJT log... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:34:42 AM, on 8/22/2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Boot mode: Normal Running processes: C:\PROGRA~1\McAfee.com\Agent\mcagent.exe C:\Windows\system32\taskeng.exe C:\Windows\explorer.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\sdclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Windows\System32\mobsync.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: UserInit=C:\Windows\System32\userints.exe, O1 - Hosts: ::1 localhost O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: (no name) - {DF191EC8-6BDA-40CD-B57A-E9337414AF08} - C:\Windows\system32\opnnnnLF.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [Skytel] Skytel.exe O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto O4 - HKLM\..\Run: [BM1bed053a] Rundll32.exe "C:\Windows\system32\chlvpvyd.dll",s O4 - HKLM\..\Run: [18de36a6] rundll32.exe "C:\Windows\system32\xijcrmyd.dll",b O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKLM\..\RunOnce: [Restore] C:\Windows\system32\rstrui.exe /RUNONCE O4 - HKLM\..\RunOnce: [WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [Host Process] C:\Users\Shala\svchost.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\History.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\TEMPOR~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Cookies.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYMUSI~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYPICT~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYVIDE~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\LOCALS~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\MYDOCU~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\NetHood.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\PRINTH~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Recent.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\SendTo.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\START O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\History.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\TEMPOR~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Cookies.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYMUSI~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYPICT~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYVIDE~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\LOCALS~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\MYDOCU~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\NetHood.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\PRINTH~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Recent.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\SendTo.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\START O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O13 - Gopher Prefix: O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 10700 bytes

fenzodahl512 View Member Profile	Aug 30 2008, 02:12 AM Post #2
Distinguished Member Group: HJT Team Posts: 850 Joined: 4-December 07 Member No.: 174,482	Hello and welcome to BC.. Please read my post CAREFULLY before proceed with this step. Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop. For more information regarding this download, please visit this webpage Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop Please, never rename Combofix unless instructed. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please go HERE to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Away 1 Nov - 1 Dec

Pooh85 View Member Profile	Sep 1 2008, 03:20 PM Post #3
Member Group: Members Posts: 15 Joined: 20-August 08 Member No.: 231,699	Thanks for your response. Here are my combofix and HJT logs. ComboFix 08-08-30.03 - Shala 2008-09-01 10:32:05.1 - NTFSx86 Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.255 [GMT -7:00] Running from: C:\Users\Shala\Desktop\ComboFix.exe * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\crosof~1.net\??crosoft.NET\ C:\Program Files\Temporary C:\Users\Public\AUTORUN.INF C:\Users\Shala\AppData\Local\Microsoft\Windows\Temporary Internet Files\qeifuvvv.yyv C:\Users\Shala\AppData\Roaming\Adssite Advanced Toolbar C:\Users\Shala\AppData\Roaming\Adssite Advanced Toolbar\selected.xml C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\bin.clearspring.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\bin.clearspring.com\clearspring.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\interclick.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\interclick.com\ud.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\www.broadcaster.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\www.broadcaster.com\played_list.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\#SharedObjects\DZMEYGNY\www.broadcaster.com\video_queue.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Users\Shala\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Users\Shala\ctfmon.exe C:\Users\Shala\services.exe C:\Windows\System32\cqpvxstj.ini C:\Windows\system32\dnkebpin.dll C:\Windows\System32\dymrcjix.ini C:\Windows\system32\dyrkxkjc.ini C:\Windows\System32\evpibhdl.ini C:\Windows\System32\fhfffnlm.ini C:\Windows\System32\FLnnnnpo.ini C:\Windows\System32\FLnnnnpo.ini2 C:\Windows\system32\iqqmzb.dll C:\Windows\system32\jtsxvpqc.dll C:\Windows\system32\kcjbdent.dll C:\Windows\system32\mbnlrz.dll C:\Windows\system32\mcrh.tmp C:\Windows\system32\meioqhxo.dll C:\Windows\system32\mibqdd.dll C:\Windows\system32\mlnfffhf.dll C:\Windows\system32\MSINET.oca C:\Windows\system32\mxwqzl.dll C:\Windows\system32\opnnnnLF.dll C:\Windows\system32\ottedghx.dll C:\Windows\system32\pac.txt C:\Windows\system32\sikinpps.dll C:\Windows\system32\tnedbjck.ini C:\Windows\system32\wipsvlaw.dll C:\Windows\system32\xekaqfck.dll C:\Windows\system32\ytqegwno.ini . ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 ))))))))))))))))))))))))))))))) . 2008-08-30 09:55 . 2008-08-30 09:55 <DIR> d----c--- C:\Program Files\Best IT Solutions 2008-08-29 20:23 . 2008-08-31 21:44 <DIR> d----c--- C:\Program Files\PhotoRescue Wizard PC 3.1.6.11178 2008-08-29 19:35 . 2008-08-29 19:40 <DIR> d-------- C:\Users\Shala\{ec773af2-6b93-4a81-b392-291e1cc21f9b} 2008-08-29 19:23 . 2008-09-01 10:46 54,156 --ah----- C:\Windows\QTFont.qfn 2008-08-29 19:23 . 2008-08-29 19:23 1,409 --a------ C:\Windows\QTFont.for 2008-08-26 11:54 . 2008-08-26 11:54 <DIR> d-------- C:\Users\Shala\AppData\Roaming\Leadertech 2008-08-26 11:54 . 2008-08-26 11:54 <DIR> d----c--- C:\EPSONREG 2008-08-26 11:50 . 2008-08-26 12:04 <DIR> d-------- C:\Users\Shala\AppData\Roaming\ArcSoft 2008-08-26 11:50 . 2008-08-26 11:50 <DIR> d----c--- C:\Program Files\Common Files\ArcSoft 2008-08-26 11:50 . 1995-08-01 04:44 212,480 --a------ C:\Windows\PCDLIB32.DLL 2008-08-26 11:50 . 2005-02-23 14:58 11,776 --a------ C:\Windows\System32\drivers\afc.sys 2008-08-26 11:48 . 2008-08-26 11:49 <DIR> d-------- C:\Users\All Users\EPSON 2008-08-26 11:48 . 2008-08-26 11:49 <DIR> d-------- C:\ProgramData\EPSON 2008-08-26 11:48 . 2008-08-26 12:06 <DIR> d----c--- C:\Program Files\ArcSoft 2008-08-26 11:40 . 2008-08-26 11:53 <DIR> d----c--- C:\Program Files\EPSON 2008-08-26 11:37 . 2008-08-26 11:54 77 --a------ C:\Windows\EPSC120.ini 2008-08-22 00:33 . 2008-08-22 00:33 <DIR> d----c--- C:\Program Files\Trend Micro 2008-08-20 16:27 . 2008-08-20 16:32 <DIR> d-------- C:\Users\All Users\Lavasoft 2008-08-20 16:27 . 2008-08-20 16:32 <DIR> d-------- C:\ProgramData\Lavasoft 2008-08-20 16:27 . 2008-08-20 16:27 <DIR> d----c--- C:\Program Files\Lavasoft 2008-08-20 16:26 . 2008-08-20 16:26 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard 2008-08-20 14:08 . 2008-08-20 14:08 <DIR> d-------- C:\Users\Shala\AppData\Roaming\acccore 2008-08-20 13:57 . 2008-08-20 13:57 <DIR> d-------- C:\Users\Shala 2\AppData 2008-08-20 13:57 . 2008-08-26 11:52 <DIR> d-------- C:\Users\Shala 2 2008-08-20 13:57 . 2008-08-20 13:57 <DIR> d-------- C:\Users\All Users\Viewpoint 2008-08-20 13:57 . 2008-08-20 14:03 <DIR> d-------- C:\Users\All Users\AOL Downloads 2008-08-20 13:57 . 2008-08-20 13:57 <DIR> d-------- C:\Users\All Users\acccore 2008-08-20 13:57 . 2008-08-20 13:57 <DIR> d-------- C:\ProgramData\Viewpoint 2008-08-20 13:57 . 2008-08-20 14:03 <DIR> d-------- C:\ProgramData\AOL Downloads 2008-08-20 13:57 . 2008-08-20 13:57 <DIR> d-------- C:\ProgramData\acccore 2008-08-20 13:57 . 2008-08-20 13:57 21 --a------ C:\Windows\atid.ini 2008-08-20 13:56 . 2008-08-20 14:08 <DIR> d-------- C:\Users\All Users\AOL OCP 2008-08-20 13:56 . 2008-08-20 13:56 <DIR> d-------- C:\Users\All Users\AOL 2008-08-20 13:56 . 2008-08-20 14:08 <DIR> d-------- C:\ProgramData\AOL OCP 2008-08-20 13:56 . 2008-08-20 13:56 <DIR> d-------- C:\ProgramData\AOL 2008-08-20 13:56 . 2008-08-20 13:56 <DIR> d----c--- C:\Program Files\Common Files\AOL 2008-08-20 13:55 . 2008-08-20 14:07 <DIR> d----c--- C:\Program Files\AIM6 2008-08-20 13:55 . 2008-08-20 14:07 1,201 --ah-c--- C:\IPH.PH 2008-08-18 07:25 . 2008-08-18 07:30 <DIR> d----c--- C:\0.Fonts 2008-08-13 15:41 . 2008-08-13 15:41 <DIR> d----c--- C:\VundoFix Backups 2008-08-08 18:14 . 2008-08-29 21:35 174,685,229 --a------ C:\Windows\MEMORY.DMP 2008-08-01 01:35 . 2008-08-01 01:35 <DIR> d--h----- C:\Windows\PIF 2008-08-01 00:29 . 2008-08-20 00:54 <DIR> d----c--- C:\Program Files\Windows Live Safety Center . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-29 18:18 --------- d-----w C:\Users\Shala\AppData\Roaming\OpenOffice.org2 2008-08-26 19:26 --------- dc----w C:\Program Files\McAfee 2008-08-26 18:51 --------- dc-h--w C:\Program Files\InstallShield Installation Information 2008-08-20 22:46 --------- dc----w C:\Program Files\Apple Software Update 2008-08-04 05:18 --------- d-----w C:\ProgramData\Spybot - Search & Destroy 2008-08-04 05:18 --------- d-----w C:\Program Files\Windows Sidebar 2008-08-04 05:18 --------- d-----w C:\Program Files\Windows Collaboration 2008-07-28 21:37 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motport_01005.Wdf 2008-07-28 21:36 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf 2008-07-28 21:36 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf 2008-07-28 21:34 --------- d-----w C:\ProgramData\BVRP Software 2008-07-28 17:33 --------- dc----w C:\Program Files\??crosoft.NET 2008-07-28 16:03 --------- dc----w C:\Program Files\LimeWire 2008-07-24 19:07 --------- dc----w C:\Program Files\Spybot - Search & Destroy 2008-07-24 17:05 --------- dc----w C:\Program Files\Incomplete 2008-07-24 06:52 --------- d-----w C:\Users\Shala\AppData\Roaming\LimeWire 2008-07-24 04:11 --------- dc----w C:\Program Files\Webtools 2008-07-24 02:54 511 ----a-w C:\Users\Shala\423.bat 2008-07-24 02:53 77 ----a-w C:\Users\Shala\5670.bat 2008-07-22 01:37 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll 2008-07-22 01:34 --------- d-----w C:\ProgramData\Microsoft Help 2008-07-15 04:01 174 --sha-w C:\Program Files\desktop.ini 2008-07-14 18:34 1,585,664 ----a-w C:\Windows\System32\setupapi.dll 2008-07-14 18:32 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys 2008-07-14 18:32 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys 2008-06-28 10:37 24,064 ----a-w C:\Windows\System32\netcfg.exe 2008-06-28 10:37 22,016 ----a-w C:\Windows\System32\netiougc.exe 2008-06-28 10:37 194,560 ----a-w C:\Windows\System32\WebClnt.dll 2008-06-28 10:37 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll 2008-06-28 10:35 296,448 ----a-w C:\Windows\System32\gdi32.dll 2008-06-28 10:35 2,027,008 ----a-w C:\Windows\System32\win32k.sys 2008-06-28 10:34 14,848 ----a-w C:\Windows\System32\wshrm.dll 2008-06-28 10:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe 2008-06-28 10:32 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll 2008-06-28 10:32 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe 2008-06-28 10:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll 2008-06-28 10:27 826,368 ----a-w C:\Windows\System32\wininet.dll 2008-06-28 10:27 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll 2008-06-28 10:26 56,320 ----a-w C:\Windows\System32\iesetup.dll 2008-06-28 10:26 26,624 ----a-w C:\Windows\System32\ieUnatt.exe 2007-11-27 06:48 92,064 ----a-w C:\Users\Shala\mqdmmdm.sys 2007-11-27 06:48 9,232 ----a-w C:\Users\Shala\mqdmmdfl.sys 2007-11-27 06:48 79,328 ----a-w C:\Users\Shala\mqdmserd.sys 2007-11-27 06:48 66,656 ----a-w C:\Users\Shala\mqdmbus.sys 2007-11-27 06:48 6,208 ----a-w C:\Users\Shala\mqdmcmnt.sys 2007-11-27 06:48 5,936 ----a-w C:\Users\Shala\mqdmwhnt.sys 2007-11-27 06:48 4,048 ----a-w C:\Users\Shala\mqdmcr.sys 2007-11-27 06:48 25,600 ----a-w C:\Users\Shala\usbsermptxp.sys 2007-11-27 06:48 22,768 ----a-w C:\Users\Shala\usbsermpt.sys 2008-01-16 01:37 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat 2008-01-16 01:37 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat 2008-01-16 01:37 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat 2007-11-03 19:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007110320071104\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-28 03:33 1232896] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 08:21 50472] "EPSON Stylus C120 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICCA.EXE" [2007-03-12 06:00 182272] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-22 19:37 894248] "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-06-06 11:52 142104] "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-06-06 11:52 154392] "Persistence"="C:\Windows\system32\igfxpers.exe" [2007-06-06 11:52 138008] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-09 15:10 1006264] "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-19 17:39 1838592] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792] "Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 09:21 648072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 02:45 222208] "RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 11:06 4669440 C:\Windows\RtHDVCpl.exe] "Skytel"="Skytel.exe" [2007-06-15 16:45 1826816 C:\Windows\SkyTel.exe] "NDSTray.exe"="NDSTray.exe" [BU] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" [2007-12-04 13:32 111904] C:\Users\Shala\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL "LoadAppInit_DLLs"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3755113-2926593688-121144640-1000] "EnableNotifications"=dword:00000001 "EnableNotificationsRef"=dword:00000003 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{1EABF151-C3B3-4535-AEC6-F617FBEBBB90}"= Profile=Private\|Profile=Public\|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent "{0CCA6A13-2AF4-4805-BF4F-8B15A813B2B9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{C6B1F4F6-3E6E-45B6-8551-C784D9D30653}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{9616139D-06C2-4471-96C9-8B0FB33B6A8F}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire "{63299DA1-1DD2-4B46-8A23-8808842FC9BE}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire "{5996FA5C-35B5-43A4-8513-2FB6FDCF4B7B}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire "{3AF28DDB-1FD6-43B6-AF65-ACDF4B5E9E9C}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire "{59616ACA-E94A-47BA-8E2D-78FB5F760BF0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes "{19947D2A-F959-4C7C-B648-3443520B2BC8}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes "{15EEB190-CDD1-4D83-AAA7-20DDDABBE38B}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger "{65721BAA-FD2D-48A8-87B1-66B2E701E6FC}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger "{EAEF2D31-B0D4-45C4-81CB-E8848BCED597}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server "{A79981E2-6B45-4308-A6F7-531A34334BD8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server "{249FE1D9-A001-4509-BB4E-DC50873B6634}"= TCP:6004\|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook "{B4875569-92C9-4E49-AB79-B8CA236FCF47}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader "{46A8E5AE-F75F-4ECE-8F19-741C5B0BDA6A}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader "{CC0B5FB2-7D1A-44B4-8FB7-1CCC03F210AE}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM "{1A77E004-E762-4807-8388-B3306BD1D442}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System] "DFSR-1"= RPort=5722\|UDP:%SystemRoot%\system32\svchost.exe\|Svc=DFSR:Allow inbound TCP traffic\| [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List] "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe::Enabled:NIE - Toshiba Software Upgrades Engine "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe::Enabled:Toshiba Software Upgrades Pinger S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-02-27 14:31] S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03] S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-02-27 14:31] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f540013-67aa-11dc-8c80-806e6f6e6963}] \shell\AutoRun\command - D:\Epsetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{417bae8f-8116-11dc-ae79-001644161285}] \shell\AutoRun\command - setupSNK.exe . Contents of the 'Scheduled Tasks' folder 2007-08-09 C:\Windows\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2008-09-01 C:\Windows\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - - BHO-{15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file) BHO-{37E10337-6A37-45BB-BB1A-146C7D2A6E73} - (no file) BHO-{BBFB5FFB-043C-40AB-913D-540E09F00486} - (no file) HKCU-Run-Host Process - C:\Users\Shala\svchost.exe HKCU-Run-TOSCDSPD - TOSCDSPD.EXE HKLM-Run-BM1bed053a - C:\Windows\system32\sikinpps.dll HKLM-Run-18de36a6 - C:\Windows\system32\kcjbdent.dll ShellExecuteHooks-{37E10337-6A37-45BB-BB1A-146C7D2A6E73} - (no file) MSConfigStartUp-mjc - C:\Program Files\mjc\mjc.exe MSConfigStartUp-Skra - C:\Program Files\Skra\Skra.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Users\Shala\AppData\Roaming\Mozilla\Firefox\Profiles\5ht0dkk8.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-01 10:46:07 Windows 6.0.6000 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Windows\System32\audiodg.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\ATK Hotkey\ASLDRSrv.exe C:\Windows\System32\agrsmsvc.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\Program Files\McAfee\VirusScan\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\TOSHIBA\IVP\ISM\pinger.exe C:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe C:\Windows\System32\TODDSrv.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\ATK Hotkey\HControl.exe C:\Program Files\ATK Hotkey\ATKOSD.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\Program Files\McAfee\VirusScan\mcvsshld.exe C:\Windows\System32\wbem\unsecapp.exe C:\Windows\System32\igfxsrvc.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.exe C:\PROGRA~1\McAfee\MSC\mcuimgr.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.bin C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2008-09-01 10:53:39 - machine was rebooted [Shala] ComboFix-quarantined-files.txt 2008-09-01 17:52:22 Pre-Run: 18,600,927,232 bytes free Post-Run: 18,397,958,144 bytes free 322 --- E O F --- 2008-07-23 10:06:36 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:19:12 PM, on 9/1/2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Boot mode: Normal Running processes: C:\PROGRA~1\McAfee.com\Agent\mcagent.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Windows\RtHDVCpl.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Windows\WindowsMobile\wmdc.exe C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN C:\Windows\system32\notepad.exe C:\Windows\System32\rundll32.exe C:\Windows\explorer.exe C:\Windows\System32\mobsync.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\SearchFilterHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file) O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [Skytel] Skytel.exe O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifgFyXO.dll,#1 O4 - HKLM\..\Run: [BM1bed053a] Rundll32.exe "C:\Windows\system32\mehujcjg.dll",s O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [EPSON Stylus C120 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICCA.EXE /FU "C:\Windows\TEMP\E_SB6FD.tmp" /EF "HKCU" O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe O4 - HKCU\..\Run: [Host Process] C:\Users\Shala\svchost.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\History.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\TEMPOR~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Cookies.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYMUSI~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYPICT~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYVIDE~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\LOCALS~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\MYDOCU~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\NetHood.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\PRINTH~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Recent.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\SendTo.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\START O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\History.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\AppData\Local\TEMPOR~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\APPLIC~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Cookies.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYMUSI~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYPICT~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\DOCUME~1\MYVIDE~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\LOCALS~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\MYDOCU~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\NetHood.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\PRINTH~1.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\Recent.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\SendTo.SH! C:\$Recycle.Bin\S-1-5-~4\$RA5M1FP\START O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU) O13 - Gopher Prefix: O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 11526 bytes

fenzodahl512 View Member Profile	Sep 1 2008, 10:13 PM Post #4
Distinguished Member Group: HJT Team Posts: 850 Joined: 4-December 07 Member No.: 174,482	Important! Please disable your Lavasoft Ad-Aware and Spybot S&D prior to our fix.. Please visit below webpage if you do not know how.. http://wiki.castlecops.com/Malware_Removal...toring_Programs Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below. O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file) O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file) O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifgFyXO.dll,#1 O4 - HKLM\..\Run: [BM1bed053a] Rundll32.exe "C:\Windows\system32\mehujcjg.dll",s O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe O4 - HKCU\..\Run: [Host Process] C:\Users\Shala\svchost.exe O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU) Now close all windows other than HijackThis, then click Fix checked. Close HijackThis. *NEXT* 1. Please open Notepad Click Start, then Run Type notepad.exe in the Run Box. 2. Now copy/paste the entire content of the codebox below into the Notepad window: CODE KillAll:: File:: C:\Users\Shala\5670.bat C:\Users\Shala\423.bat C:\Windows\system32\iifgFyXO.dll C:\Windows\system32\mehujcjg.dll C:\Users\Shala\svchost.exe Folder:: C:\Program Files\??crosoft.NET C:\Program Files\Skra C:\Program Files\mjc Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{417bae8f-8116-11dc-ae79-001644161285}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f540013-67aa-11dc-8c80-806e6f6e6963}] DirLook:: C:\0.Fonts 3. Save the above as CFScript.txt 4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. 5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new HijackThis log. Please re-enable your Lavasoft Ad-Aware and Spybot S&D after performing all steps given.. -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Away 1 Nov - 1 Dec

fenzodahl512 View Member Profile	Sep 8 2008, 11:44 AM Post #5
Distinguished Member Group: HJT Team Posts: 850 Joined: 4-December 07 Member No.: 174,482	Due to the lack of feedback this Topic is closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Away 1 Nov - 1 Dec

« Next Oldest · HijackThis Logs and Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 22nd November 2008 - 01:06 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides