
Virtuemonde Infection


  • This topic is locked
11 replies to this topic

#1 andymirasol

andymirasol

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 29 November 2007 - 10:27 AM

Hi, I seem to have this Virtumonde infection and can't get rid of it. I have gone through the guide before posting, but it still remains, and it seems to be eating my memory up and my computer is so slow. This is my HJT log now. Thx


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:47, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zfwwrodb.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zfwwrodb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: zfwwrodb - zfwwrodb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8688 bytes
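The HijackThis log above shows the pattern a helper looks for when triaging Virtumonde: one randomly named DLL (zfwwrodb.dll) wired into several load points at once (an unnamed O2 BHO, an O3 toolbar and an O20 Winlogon Notify hook), each reporting "(file missing)" because the file is hidden or already removed while its registry entries remain. The script below is an added example, not part of this thread or of the HijackThis tool: it parses lines in HJT log format, groups them by the DLL they reference, and applies a few constructed triage heuristics of my own. The sample lines are copied from the log above plus a couple of benign entries for contrast; the scoring rule (flag a DLL only when at least two indicators apply) is an assumption chosen so that a legitimate product's lone Winlogon Notify hook, such as SUPERAntiSpyware's, is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format. The three zfwwrodb.dll lines
# mirror the entries in the log posted above; the other lines are ordinary
# entries included so the heuristics have something benign to compare against.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zfwwrodb.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zfwwrodb.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: zfwwrodb - zfwwrodb.dll (file missing)
"""

# "O2 - ..." / "R0 - ..." style prefix HijackThis puts on every entry line.
HJT_LINE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# Last DLL file name mentioned on a line; path separators are excluded from
# the character class so only the base name is captured.
DLL_REF = re.compile(r"([\w~.!-]+\.dll)", re.IGNORECASE)


def parse_hjt(text):
    """Turn HijackThis log text into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blank lines
        section, body = m.groups()
        dlls = DLL_REF.findall(body)
        entries.append({
            "section": section,
            "body": body,
            "dll": dlls[-1].lower() if dlls else None,
            "file_missing": "(file missing)" in body.lower(),
            "no_name": "(no name)" in body.lower(),
        })
    return entries


def dll_report(entries):
    """Group entries by referenced DLL and collect triage reasons per DLL.

    The reasons are this example's own heuristics (an assumption, not a
    HijackThis feature). A DLL is flagged when at least two of them apply,
    so a lone Winlogon Notify hook from a legitimate product is not flagged.
    """
    by_dll = defaultdict(list)
    for e in entries:
        if e["dll"]:
            by_dll[e["dll"]].append(e)

    report = {}
    for dll, es in by_dll.items():
        # Sort sections numerically so O2 < O3 < O20 rather than as strings.
        sections = sorted({e["section"] for e in es}, key=lambda s: int(s[1:]))
        reasons = []
        if any(e["file_missing"] for e in es):
            reasons.append("registered but file missing (removed or hidden)")
        if any(e["no_name"] for e in es):
            reasons.append("unnamed BHO/toolbar")
        if "O20" in sections:
            reasons.append("Winlogon Notify hook (loads into winlogon at logon)")
        if len(sections) > 1:
            reasons.append("same DLL wired into %d different load points" % len(sections))
        report[dll] = {
            "sections": sections,
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        }
    return report


def flagged_dlls(text):
    """Convenience wrapper: sorted DLL base names that deserve a closer look."""
    rep = dll_report(parse_hjt(text))
    return sorted(d for d, info in rep.items() if info["suspicious"])


if __name__ == "__main__":
    for dll, info in dll_report(parse_hjt(SAMPLE_HJT_LOG)).items():
        mark = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{dll:20} {mark:10} sections={info['sections']}")
        for r in info["reasons"]:
            print(f"{'':31} - {r}")
```

Run against the sample, only zfwwrodb.dll is flagged, with all four reasons; AcroIEHelper.dll gets none and SASWINLO.dll gets only the Winlogon Notify reason, which on its own is not enough. The point of grouping by DLL rather than judging lines one at a time is that the individual entries look unremarkable, while the same unknown file name recurring across unrelated load points is what gives the infection away.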


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:25 AM

Posted 30 November 2007 - 10:17 PM

Hello andymirasol,

Let's run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.


Disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

Disable your antivirus program while running ComboFix.



If you have used ComboFix before, please delete the version you have and redownload it, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 01 December 2007 - 04:59 AM

Hi SifuMike, thanks for responding :-). I have been reading through all your forums and think I might have cracked it (crossing fingers). I seem to have got rid of the infections, but I have done what you asked and redone ComboFix, and here's the log:

(Is there anything you can see that i may have missed....thanks so much yet again!)

ComboFix 07-11-19.4C - Andy 2007-12-01 10:48:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2440 [GMT 1:00]
Running from: C:\Documents and Settings\Andy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-30 10:54 <DIR> d-------- C:\Program Files\Download Manager
2007-11-30 10:42 <DIR> d-------- C:\Program Files\MRU-Blaster
2007-11-30 10:00 <DIR> d-------- C:\Program Files\Movistar
2007-11-29 19:33 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-29 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-29 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-28 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-27 21:33 <DIR> dr-h----- C:\Documents and Settings\Andy\Application Data\yahoo!
2007-11-27 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-27 21:08 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-26 17:53 <DIR> d-------- C:\Program Files\Google
2007-11-26 17:41 <DIR> d-------- C:\Program Files\EarthView
2007-11-26 17:41 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\DeskSoft
2007-11-25 20:50 <DIR> d-------- C:\Program Files\gmid
2007-11-25 20:28 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Intermedia Design
2007-11-25 20:27 <DIR> d-------- C:\Program Files\Intermedia Design
2007-11-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intermedia Design
2007-11-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Data
2007-11-25 10:46 <DIR> d-------- C:\Program Files\EzGenerator28
2007-11-22 23:33 <DIR> d-------- C:\Program Files\Winamp
2007-11-22 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-22 11:08 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-11-22 11:08 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-11-22 11:08 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-11-22 11:08 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-11-22 11:08 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-11-22 11:08 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-11-21 14:11 <DIR> d-------- C:\Program Files\BitDefender
2007-11-21 14:10 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-21 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-11-21 11:47 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Kerio
2007-11-21 11:46 <DIR> d-------- C:\Program Files\Kerio
2007-11-21 10:45 <DIR> d-------- C:\Program Files\TurboBT
2007-11-20 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2007-11-20 19:13 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Nokia Multimedia Player
2007-11-20 17:44 <DIR> d-------- C:\Documents and Settings\Andy\Phone Browser
2007-11-20 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-20 17:27 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-11-20 17:27 <DIR> d-------- C:\Program Files\Nokia
2007-11-20 17:27 <DIR> d-------- C:\Program Files\DIFX
2007-11-20 17:27 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-20 17:27 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-20 17:27 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\PC Suite
2007-11-20 17:27 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Nokia
2007-11-20 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-11-20 16:54 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-20 16:54 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-17 12:54 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-11-17 10:37 <DIR> d-------- C:\temp_dvd
2007-11-17 10:36 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-11-16 21:58 <DIR> d-------- C:\MPEGTmp
2007-11-16 21:58 <DIR> d-------- C:\CucusoftOutput
2007-11-16 21:35 <DIR> d-------- C:\Program Files\DScaler
2007-11-16 15:26 <DIR> d-------- C:\Program Files\ffdshow
2007-11-16 15:26 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-16 15:26 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-16 15:26 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2007-11-16 15:26 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-16 15:03 <DIR> d-------- C:\Program Files\DScaler5
2007-11-16 14:11 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-14 21:08 <DIR> d-------- C:\WINDOWS\PaltalkScene
2007-11-14 21:08 <DIR> d-------- C:\Program Files\Paltalk Messenger
2007-11-14 21:08 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Paltalk
2007-11-14 10:58 <DIR> d-------- C:\Program Files\Xvid
2007-11-14 10:58 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-14 10:58 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-14 10:27 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-11-14 10:22 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-11-14 10:22 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-11-14 10:22 291,408 --a------ C:\WINDOWS\system32\DivXa32.acm
2007-11-14 10:22 240,400 --a------ C:\WINDOWS\system32\DivX_c32.ax
2007-11-13 21:40 328,978 --a------ C:\WINDOWS\system32\dvda.exe
2007-11-13 21:40 139,264 --a------ C:\WINDOWS\system32\Mpeg2Decoder.ax
2007-11-13 21:40 94,208 --a------ C:\WINDOWS\system32\Mpeg2Parser.ax
2007-11-13 19:51 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Media Player Classic
2007-11-13 18:52 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-11-13 18:51 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-11-13 17:40 <DIR> d-------- C:\ConverterOutput
2007-11-13 17:39 <DIR> d-------- C:\Program Files\Cucusoft
2007-11-13 17:39 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-11-13 16:21 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Azureus
2007-11-13 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-11-13 16:20 <DIR> d-------- C:\WINDOWS\Sun
2007-11-13 16:20 <DIR> d-------- C:\Program Files\Azureus
2007-11-13 16:18 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-12 20:40 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\dvdcss
2007-11-11 16:11 <DIR> d-------- C:\Program Files\Xilisoft
2007-11-11 15:39 <DIR> d-------- C:\Program Files\CamIM
2007-11-11 15:39 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\CamIM
2007-11-11 14:53 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\vlc
2007-11-11 14:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-11 13:03 <DIR> d-------- C:\Downloads
2007-11-11 13:03 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-11-11 13:02 <DIR> d-------- C:\Program Files\BitComet
2007-11-10 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-07 10:40 <DIR> d-------- C:\WINDOWS\NV40723380.TMP
2007-11-07 10:40 136,260 --a------ C:\WINDOWS\system32\nvapps.nvb
2007-11-07 10:38 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 16:15 145,984 ----a-w C:\WINDOWS\system32\wwdntdkm.dll
2007-11-27 17:59 --------- d-----w C:\Documents and Settings\Andy\Application Data\Corel
2007-11-26 16:41 102,400 ----a-w C:\WINDOWS\EarthView.scr
2007-11-25 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-23 18:46 57,856 ----a-w C:\WINDOWS\pico.exe
2007-11-21 17:23 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-11-21 11:02 2,478 ----a-w C:\WINDOWS\system32\drivers\kwflower.log
2007-11-21 11:01 2,937 ----a-w C:\WINDOWS\system32\drivers\kwfupper.log
2007-11-16 13:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-16 13:10 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-16 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-02 15:08 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-01 19:14 --------- d-----w C:\Program Files\Kaspersky Lab
2007-10-31 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-10-31 18:53 4,300 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-10-31 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-10-31 17:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 16:50 --------- d-----w C:\Program Files\MSBuild
2007-10-31 16:48 --------- d-----w C:\Program Files\Reference Assemblies
2007-10-31 16:13 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-31 16:12 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-31 16:11 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-31 13:28 --------- d-----w C:\Documents and Settings\Andy\Application Data\Nero
2007-10-31 13:27 --------- d-----w C:\Program Files\Nero
2007-10-30 13:32 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-30 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-10-30 13:31 1,214,032 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-10-30 13:31 --------- d-----w C:\Program Files\Corel
2007-10-30 13:28 --------- d-----w C:\Program Files\InterVideo
2007-10-30 13:13 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-30 12:06 --------- d-----w C:\Program Files\BitTornado
2007-10-30 12:06 --------- d-----w C:\Documents and Settings\Andy\Application Data\.BitTornado
2007-10-30 11:43 --------- d-----w C:\Documents and Settings\Andy\Application Data\Telefónica Móviles
2007-10-30 11:34 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-04 17:16 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-10-04 17:16 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-10-04 16:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 16:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 16:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 16:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 16:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 16:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 16:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 16:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 16:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 16:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 16:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 16:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 16:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 16:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 16:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 16:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 16:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 16:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 16:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 16:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 16:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 16:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 16:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 16:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 16:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 16:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 16:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 16:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 16:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 16:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-03 12:35 966,656 ----a-w C:\WINDOWS\system32\VSFilter.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_10.16.09.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 02:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 15:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-30 09:15:28 213,160 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfss.bin
+ 2007-12-01 09:49:19 213,160 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfss.bin
- 2007-11-30 09:16:01 213,160 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfud.bin
+ 2007-12-01 09:49:49 213,160 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfud.bin
+ 2000-03-14 10:04:24 118,784 ----a-w C:\WINDOWS\system32\MSSTDFMT.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 04:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 08:28 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 07:26]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zfwwrodb]
zfwwrodb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamIM]
2005-12-30 08:50 1437696 --a------ C:\Program Files\CamIM\CamIM_Client.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2007-02-06 11:20 478800 --a------ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2007-06-21 14:06 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-02-13 19:29 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys
R1 tidnet;TID NDIS Protocol Driver;C:\WINDOWS\system32\DRIVERS\tidnet.sys
R3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ewdcsc.sys
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
S3 AR2425;AzureWave AR5006 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\aw5006.sys
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\DScaler\DSDrv4.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;C:\WINDOWS\system32\DRIVERS\kwflower.sys
S3 PciCon;PciCon;\??\D:\PciCon.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{593e19c0-9f22-11dc-ace8-bcfd852d3e1b}]
\Shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e351dba3-91c0-11dc-bc69-f963795a41ac}]
\Shell\AutoRun\command - J:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 17:28:25 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F97EB365-8B85-418A-A95E-5DB93FFF843D}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 10:49:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 10:50:21
.
--- E O F ---

#4 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 December 2007 - 11:07 AM

Hi andymirasol,

I can see that you have run ComboFix five times. Why did you do this?

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 andymirasol (Topic Starter, Members, 50 posts)

Posted 01 December 2007 - 11:14 AM

Hi Mike, ah sorry, I did not know this, I was just trying to sort it out :/ Have I done any harm? It seems OK? Thanks.

#6 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 December 2007 - 12:45 PM

Hello Andy,

ah sorry i did not know this,i was just trying to sort it out :/ have i done any harm? it seems ok?


I have no idea what damage you may have done as I don't know what files you have been removing, or why you removed them. Guessing what files to remove is a recipe for disaster. You may have accidentally removed vital system files, but I have no way of knowing.
Since I am coming in very late here, I can't guarantee we can fix your computer. :thumbsup:


You should never run ComboFix yourself and remove files without expert guidance.



Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:
C:\WINDOWS\pico.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\wwdntdkm.dll

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zfwwrodb]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 01 December 2007 - 12:48 PM.


#7 andymirasol (Topic Starter, Members, 50 posts)

Posted 02 December 2007 - 04:41 AM

Hi Mike, thanks for your quick reply, here are the logs you asked for, thanks!!

File pico.exe received on 11.06.2007 12:52:47 (CET)
Result: 1/32 (3.13%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 694922c57a6f4ee6beae62cab5c03c4a


ComboFix 07-12-02.5 - Andy 2007-12-02 10:26:12.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2516 [GMT 1:00]
Running from: C:\Documents and Settings\Andy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\wwdntdkm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wwdntdkm.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-30 10:54 . 2007-11-30 10:54 <DIR> d-------- C:\Program Files\Download Manager
2007-11-30 10:42 . 2007-11-30 10:42 <DIR> d-------- C:\Program Files\MRU-Blaster
2007-11-30 10:01 . 2007-04-20 10:40 100,992 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2007-11-30 10:01 . 2007-04-20 10:40 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
2007-11-30 10:00 . 2007-11-30 10:00 <DIR> d-------- C:\Program Files\Movistar
2007-11-29 19:33 . 2007-11-30 14:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-29 15:46 . 2007-11-29 16:08 264 --a------ C:\WINDOWS\wininit.ini
2007-11-29 14:44 . 2007-11-29 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-29 14:44 . 2007-11-29 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 18:06 . 2007-11-28 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-28 17:59 . 2007-11-28 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-27 21:33 . 2007-11-27 21:33 <DIR> dr-h----- C:\Documents and Settings\Andy\Application Data\yahoo!
2007-11-27 21:17 . 2007-11-27 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-27 21:08 . 2007-11-28 17:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-27 14:56 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2007-11-26 17:53 . 2007-11-26 17:53 <DIR> d-------- C:\Program Files\Google
2007-11-26 17:41 . 2007-11-26 17:42 <DIR> d-------- C:\Program Files\EarthView
2007-11-26 17:41 . 2007-11-26 17:41 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\DeskSoft
2007-11-26 17:41 . 2007-11-26 17:41 102,400 --a------ C:\WINDOWS\EarthView.scr
2007-11-25 20:50 . 2007-11-25 20:50 <DIR> d-------- C:\Program Files\gmid
2007-11-25 20:28 . 2007-11-25 20:28 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Intermedia Design
2007-11-25 20:27 . 2007-11-25 20:27 <DIR> d-------- C:\Program Files\Intermedia Design
2007-11-25 20:27 . 2007-11-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intermedia Design
2007-11-25 20:27 . 2007-11-25 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Data
2007-11-25 20:27 . 2003-04-18 15:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-11-25 10:48 . 2007-11-25 11:04 40 --a------ C:\WINDOWS\iltwain.ini
2007-11-25 10:46 . 2007-11-25 11:01 <DIR> d-------- C:\Program Files\EzGenerator28
2007-11-23 19:46 . 2007-11-23 19:46 57,856 --a------ C:\WINDOWS\pico.exe
2007-11-23 19:46 . 2007-11-23 19:46 191 --a------ C:\WINDOWS\Parchepalk.INI
2007-11-23 19:46 . 2007-11-23 19:46 39 --a------ C:\WINDOWS\PicoPhone.ini
2007-11-22 23:33 . 2007-11-22 23:44 <DIR> d-------- C:\Program Files\Winamp
2007-11-22 11:08 . 2007-11-29 11:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 11:08 . 2007-11-22 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-22 11:08 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-11-22 11:08 . 2006-12-29 07:53 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-11-22 11:08 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-11-22 11:08 . 2006-12-29 07:53 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-11-22 11:08 . 2006-12-29 07:53 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-11-22 11:08 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-11-21 14:22 . 2007-11-21 18:25 121 --a------ C:\WINDOWS\bdagent.INI
2007-11-21 14:12 . 2007-11-21 18:23 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-21 14:11 . 2007-11-21 14:11 <DIR> d-------- C:\Program Files\BitDefender
2007-11-21 14:10 . 2007-11-21 14:11 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-21 12:41 . 2007-11-21 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-11-21 11:47 . 2007-11-21 11:47 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Kerio
2007-11-21 11:46 . 2007-11-21 12:02 <DIR> d-------- C:\Program Files\Kerio
2007-11-21 10:45 . 2007-11-21 12:37 <DIR> d-------- C:\Program Files\TurboBT
2007-11-20 19:20 . 2007-11-20 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2007-11-20 19:13 . 2007-11-20 19:13 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Nokia Multimedia Player
2007-11-20 17:44 . 2007-11-20 19:13 <DIR> d-------- C:\Documents and Settings\Andy\Phone Browser
2007-11-20 17:28 . 2007-11-20 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-20 17:27 . 2007-11-20 17:27 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-11-20 17:27 . 2007-11-20 19:20 <DIR> d-------- C:\Program Files\Nokia
2007-11-20 17:27 . 2007-11-20 17:27 <DIR> d-------- C:\Program Files\DIFX
2007-11-20 17:27 . 2007-11-20 17:27 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-20 17:27 . 2007-11-20 19:20 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-20 17:27 . 2007-11-20 19:13 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\PC Suite
2007-11-20 17:27 . 2007-11-20 19:30 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Nokia
2007-11-20 17:27 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-11-20 17:27 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-11-20 17:27 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-11-20 17:27 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-11-20 17:27 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-11-20 17:27 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-11-20 17:26 . 2007-11-20 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-11-20 16:54 . 2007-11-21 10:26 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-20 16:54 . 2005-10-21 02:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-20 16:54 . 2005-10-21 02:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-17 12:54 . 2007-11-17 12:54 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-11-17 10:37 . 2007-11-23 14:27 <DIR> d-------- C:\temp_dvd
2007-11-17 10:36 . 2007-11-17 10:37 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-11-16 21:58 . 2007-12-01 14:13 <DIR> d-------- C:\MPEGTmp
2007-11-16 21:58 . 2007-12-01 14:09 <DIR> d-------- C:\CucusoftOutput
2007-11-16 21:58 . 2007-12-01 14:09 205 --a------ C:\WINDOWS\cucon.xml
2007-11-16 21:35 . 2007-11-16 21:35 <DIR> d-------- C:\Program Files\DScaler
2007-11-16 15:26 . 2007-11-16 15:26 <DIR> d-------- C:\Program Files\ffdshow
2007-11-16 15:26 . 2007-11-13 15:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-16 15:26 . 2007-11-13 15:30 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-16 15:26 . 2007-11-13 15:30 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2007-11-16 15:26 . 2007-11-13 15:30 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-16 15:03 . 2007-11-16 21:28 <DIR> d-------- C:\Program Files\DScaler5
2007-11-16 14:11 . 2007-11-16 14:11 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-16 14:11 . 2007-11-16 14:10 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-11-16 14:04 . 2002-11-02 09:53 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-11-16 13:48 . 2007-11-16 13:48 72 --a------ C:\WINDOWS\GraphEdit.INI
2007-11-14 21:08 . 2007-11-14 21:08 <DIR> d-------- C:\WINDOWS\PaltalkScene
2007-11-14 21:08 . 2007-11-23 19:45 <DIR> d-------- C:\Program Files\Paltalk Messenger
2007-11-14 21:08 . 2007-11-23 19:45 <DIR> d-------- C:\Documents and Settings\Andy\Application Data\Paltalk
2007-11-14 10:58 . 2007-11-16 13:42 <DIR> d-------- C:\Program Files\Xvid
2007-11-14 10:58 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-14 10:58 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-14 10:27 . 2007-11-14 10:27 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-11-14 10:22 . 2000-04-01 05:35 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-11-14 10:22 . 2000-04-01 05:35 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-11-14 10:22 . 2000-04-01 04:11 291,408 --a------ C:\WINDOWS\system32\DivXa32.acm
2007-11-14 10:22 . 2000-04-26 19:48 240,400 --a------ C:\WINDOWS\system32\DivX_c32.ax
2007-11-13 21:40 . 2004-05-13 18:39 1,208,320 --a------ C:\WINDOWS\system32\cygxml2-2.dll
2007-11-13 21:40 . 2004-05-26 10:07 1,153,417 --a------ C:\WINDOWS\system32\cygwin1.dll
2007-11-13 21:40 . 2003-08-11 04:59 980,992 --a------ C:\WINDOWS\system32\cygiconv-2.dll
2007-11-13 21:40 . 2005-07-02 15:55 328,978 --a------ C:\WINDOWS\system32\dvda.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 17:59 --------- d-----w C:\Documents and Settings\Andy\Application Data\Corel
2007-11-25 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-23 18:11 --------- d-----w C:\Documents and Settings\Andy\Application Data\AdobeUM
2007-11-21 11:02 2,478 ----a-w C:\WINDOWS\system32\drivers\kwflower.log
2007-11-21 11:01 2,937 ----a-w C:\WINDOWS\system32\drivers\kwfupper.log
2007-11-21 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 13:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-16 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-02 15:09 --------- d-----w C:\Program Files\Realtek
2007-11-01 19:14 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-01 13:50 --------- d-----w C:\Program Files\Intel
2007-11-01 13:48 --------- d-----w C:\Program Files\ASUS WiFi-AP Solo
2007-11-01 13:47 --------- d-----w C:\Program Files\Attansic
2007-11-01 13:47 --------- d-----w C:\Documents and Settings\Andy\Application Data\InstallShield
2007-11-01 13:32 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-01 12:06 --------- d-----w C:\Program Files\Windows Defender
2007-11-01 11:49 --------- d-----w C:\Program Files\Orca
2007-11-01 10:19 --------- d-----w C:\Program Files\Wise Registry Cleaner
2007-11-01 09:54 --------- d-----w C:\Program Files\MSN Messenger
2007-11-01 08:51 --------- d-----w C:\Program Files\CleanMyPC
2007-10-31 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-10-31 18:53 4,300 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-10-31 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-10-31 17:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 16:50 --------- d-----w C:\Program Files\MSBuild
2007-10-31 16:48 --------- d-----w C:\Program Files\Reference Assemblies
2007-10-31 16:13 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-31 16:12 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-31 16:11 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-31 13:28 --------- d-----w C:\Documents and Settings\Andy\Application Data\Nero
2007-10-31 13:27 --------- d-----w C:\Program Files\Nero
2007-10-30 13:32 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-30 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-10-30 13:31 1,214,032 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-10-30 13:31 --------- d-----w C:\Program Files\Corel
2007-10-30 13:28 --------- d-----w C:\Program Files\InterVideo
2007-10-30 13:13 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-30 12:06 --------- d-----w C:\Program Files\BitTornado
2007-10-30 12:06 --------- d-----w C:\Documents and Settings\Andy\Application Data\.BitTornado
2007-10-30 11:43 --------- d-----w C:\Documents and Settings\Andy\Application Data\Telefónica Móviles
2007-10-30 11:34 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-04 16:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_10.16.09.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-03-14 10:04:24 118,784 ----a-w C:\WINDOWS\system32\MSSTDFMT.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 04:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 08:28 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 07:26]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamIM]
2005-12-30 08:50 1437696 --a------ C:\Program Files\CamIM\CamIM_Client.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2007-02-06 11:20 478800 --a------ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2007-06-21 14:06 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-02-13 19:29 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys
R1 tidnet;TID NDIS Protocol Driver;C:\WINDOWS\system32\DRIVERS\tidnet.sys
R3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ewdcsc.sys
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
S3 AR2425;AzureWave AR5006 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\aw5006.sys
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\DScaler\DSDrv4.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;C:\WINDOWS\system32\DRIVERS\kwflower.sys
S3 PciCon;PciCon;\??\D:\PciCon.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{593e19c0-9f22-11dc-ace8-bcfd852d3e1b}]
\Shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e351dba3-91c0-11dc-bc69-f963795a41ac}]
\Shell\AutoRun\command - J:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 09:10:32 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F97EB365-8B85-418A-A95E-5DB93FFF843D}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 10:28:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 10:30:45 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-01 10:50
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:02, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7838 bytes



Thanks again :thumbsup:

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:25 AM

Posted 02 December 2007 - 01:38 PM

Hi andy,

Download CCleaner and install it (the default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)


These are optional fixes. The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
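The entries SifuMike picks out for "fix checked" above are the ones HijackThis tags with "(no file)" or "(file missing)": a hook or button still registered in the registry whose target on disk is gone. A small triage helper for logs in this format, added here as an example (it is not HijackThis's own code and was not posted by anyone in this thread). It assumes only the layout visible in the logs above: a "Running processes:" block, one entry per line prefixed with a section code such as R3, O4, O16 or O23, the "(no file)" / "(file missing)" markers, and an "End of file - N bytes" trailer. The sample log is constructed from a handful of the lines posted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the HijackThis v2 log format: a few lines copied from
# the logs posted in this thread, not a complete log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:09, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\My Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7772 bytes
"""

# An entry line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
END_RE = re.compile(r"^End of file - (\d+) bytes$", re.MULTILINE)
# HijackThis appends one of these when the registered target does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str        # e.g. "R3", "O4", "O16", "O23"
    body: str           # everything after the "Oxx - " prefix
    orphaned: bool      # True when the entry points at a file that is gone
    url: Optional[str]  # first http(s) URL in the body, if any


def parse_hjt_log(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry records; header,
    process list and trailer lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        url = URL_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            orphaned=body.endswith(ORPHAN_MARKERS),
            url=url.group(0) if url else None,
        ))
    return entries


def running_processes(text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs: List[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.append(line)
    return procs


def reported_size(text: str) -> Optional[int]:
    """Byte count from the 'End of file' trailer; None means the log was cut off."""
    m = END_RE.search(text)
    return int(m.group(1)) if m else None


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file is missing: the usual 'fix checked' candidates."""
    return [e for e in entries if e.orphaned]


def remote_activex(entries: List[Entry]) -> List[Entry]:
    """O16 (Download Program Files) entries fetched from a web URL rather than a local DLL."""
    return [e for e in entries if e.section == "O16" and e.url]


def unknown_owner_services(entries: List[Entry]) -> List[Entry]:
    """O23 services HijackThis could not attribute to a publisher."""
    return [e for e in entries if e.section == "O23" and " - Unknown owner - " in e.body]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.section for e in entries))


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_LOG)
    print("log complete:", reported_size(SAMPLE_LOG) is not None)
    print("processes:", len(running_processes(SAMPLE_LOG)), "entries:", section_counts(found))
    for e in orphaned_entries(found):
        print("orphaned:", e.section, "-", e.body)
    for e in remote_activex(found):
        print("remote ActiveX:", e.url)
    for e in unknown_owner_services(found):
        print("unknown owner service:", e.body)
```

Run on the constructed sample, the orphaned list is exactly the two entries the expert asked to fix (the R3 Yahoo! URLSearchHook and the O9 PalTalk button). The remote O16 list is the useful second pass on a log like this one: it shows which ActiveX controls the browser has been allowed to download, and in the logs above they are almost all online scanners the user ran during cleanup. An "Unknown owner" service only means HijackThis found no publisher string; here it is the Protexis licensing service, so the list is a prompt to look, not a verdict. A missing "End of file" trailer is the quickest sign that a pasted log was truncated.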

#9 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts
  • Local time:03:25 PM

Posted 02 December 2007 - 05:15 PM

Hi Mike, I did as you said, here's the log from HJT. By the way, when I was installing CCleaner, PC-cillin popped a box up saying "do you want to allow this file"; it was called something like GA06.TMP. I pressed it and it said low risk. I thought it was to do with the install, but it was a setup file for OpenCV.exe, which I thought I had got rid of, as my virus scanner said it contained a trojan, but I cancelled the install obviously. Will CCleaner have got rid of this .TMP file now? By the way, my computer seems to be fine. Here's my log, thanks again for your quick response :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:09, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\My Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842873812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1193842857843
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7772 bytes

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:25 AM

Posted 02 December 2007 - 05:54 PM

Hi andy,

as my virus scanner said it contained a trojan, but i cancelled the install obviously..will ccleaner have got rid of this .TMP file now?

It should have. Run CCleaner again and see if you get the same message from your virus scanner.



Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read and follow How did I get infected?, with steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#11 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts
  • Local time:03:25 PM

Posted 02 December 2007 - 06:11 PM

Thx for your help and patience Mike! :thumbsup:

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:25 AM

Posted 07 December 2007 - 03:46 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
