Infection!....help Needed Please!


This topic is locked
23 replies to this topic

#1 Speakersrock

Speakersrock

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 01 June 2008 - 03:22 PM

Hi there,
I have recently downloaded and run a program (and been on an infected site!) ( :) :thumbsup: )

I have run AVG, Malwarebytes, F-Secure online scanner, and CCleaner (I got a hint from one of those programs that there was something in the temporary files)

I now have one which seems to be a downloader / re-spawning - and AVG keeps catching them. (An example of where they are at is "C:\WINDOWS\system32\gEWQiiig.dll".)

I have another, which removes my desktop backgrounds and changes colour to blue - and finally! - when my computer is idle, virtual bus start calling around the screen! (no screen saver set)

Here's the HJL!

any help would be much appreciated.......Thanks! :)

----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:36, on 01/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 9817 bytes



#2 mz30

mz30

  • Members
  • 828 posts
  • OFFLINE
  • Gender:Male
  • Location:liverpool,england
  • Local time:03:07 AM

Posted 01 June 2008 - 03:24 PM

Hi
I'm Mz30
I will be helping you with your malware issues.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.
  • The fixes I post are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean, as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page, in case you need it as a reference.
  • Please remember that all the staff here are volunteers and help in our free time and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless I ask. This includes running any sort of anti-virus/spyware programs as they may make things harder to remove.

god my head hurts.
if you don't ask, you don't know




#3 Speakersrock

Speakersrock
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 01 June 2008 - 03:43 PM

Hi Mz

Thanks for jumping on me! - I will await and really appreciate your response, thanks :thumbsup:
:D

#4 mz30

mz30

  • Members
  • 828 posts
  • OFFLINE
  • Gender:Male
  • Location:liverpool,england
  • Local time:03:07 AM

Posted 02 June 2008 - 09:21 AM

Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
C:\WINDOWS\system32\pMdbaYoN.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
Please now reboot your computer.

RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.


In your next reply please post
  • otmoveit log
  • A fresh hjt log taken after renaming

Edited by mz30, 02 June 2008 - 03:06 PM.

god my head hurts.
if you don't ask, you don't know



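The lines mz30 asks to fix above are the ones an experienced log reader picks out by eye: a Browser Helper Object with no name that still loads a DLL from system32, and Winlogon Notify packages, which winlogon.exe loads at every logon (which is also why such a DLL frequently cannot be moved until a reboot, as the OTMoveIt2 results later in this thread show). The following is an added example, not code from this thread, from BleepingComputer staff, or from the HijackThis or OTMoveIt2 tools: a small Python script that applies those same heuristics to HijackThis log lines and collects the on-disk paths behind the high-severity hits. The sample lines are copied from the log in post #1 (with known-good AVG entries kept for contrast); the rules, severity labels and function names are the editor's own assumptions, and every hit is a candidate for review rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a few lines copied from the HijackThis log posted
# earlier in this thread, mixed with known-good AVG entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# "BHO: <display name> - {<CLSID>} - <dll path or (no file)>"
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" = code is being loaded; "medium" = dead entry; "low" = verify
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics (editor's assumptions) a log reader uses on one HijackThis line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]

    if section == "O2":                       # Browser Helper Objects
        bm = BHO_RE.match(body)
        if not bm:
            return None
        if bm["path"] == "(no file)":
            return Finding(section, "medium", "BHO CLSID registered but its DLL is gone (dead entry)", line)
        if bm["name"] == "(no name)":
            return Finding(section, "high", "BHO with no description loads a DLL into every IE process", line)
        return None

    if section == "O20" and body.startswith("Winlogon Notify:"):
        if "(file missing)" in body:
            return Finding(section, "medium", "Winlogon Notify package whose DLL is missing (dead entry)", line)
        return Finding(section, "high", "Winlogon Notify DLL is loaded by winlogon.exe at logon; verify its publisher", line)

    if section == "O23":                      # NT services
        if "(file missing)" in body:
            return Finding(section, "medium", "Service registration whose binary is missing", line)
        if " - Unknown owner - " in body:
            return Finding(section, "low", "Service without a publisher string; confirm it is expected", line)
        return None

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def flagged_paths(findings: List[Finding]) -> List[str]:
    """Distinct on-disk paths behind the high-severity hits, lower-cased because NTFS
    is case-insensitive (the log spells system32 two ways). This is the list a helper
    would paste into a file-moving tool such as OTMoveIt2."""
    paths = set()
    for f in findings:
        if f.severity != "high":
            continue
        body = LINE_RE.match(f.line.strip())["body"]
        paths.add(body.rsplit(" - ", 1)[1].strip().lower())
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
    print("paths to move:", flagged_paths(hits))
```

Run against the sample, the script reports the two pMdbaYoN.dll entries as high, the dead BHO, WinCtrl32 and msupdate entries as medium (nothing on disk, but the registration should still be cleaned), PnkBstrA as low, and leaves the AVG and Adobe lines alone; the single de-duplicated path it returns is the same file mz30 lists for OTMoveIt2.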

#5 Speakersrock

Speakersrock
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 02 June 2008 - 02:55 PM

Okay, thanks a lot Mz.

I have done exactly what you said.

Here is the HJL
-------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:25, on 02/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary%2

#6 Speakersrock

Speakersrock
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:07 AM

Posted 02 June 2008 - 02:58 PM

Okay, thanks a lot Mz.

I have done exactly what you said.

Here is the HJL
-------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:25, on 02/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 9527 bytes



------------------

Here is the OTMOVE log

------------------

File/Folder C:\WINDOWS\system32\pMdbaYoN.dl not found.
File/Folder C:\WINDOWS\SYSTEM32\WinCtrl32.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06022008_202709

-------------------

(If that is doing what I am thinking, I am wondering if AVG has already stolen them!)
Thanks again
Matt

----------------------------------------------
Edit!

Okay.. I'm not too sure what/where the post above came from!!.... ignore it and use this one, sorry!

Edited by Speakersrock, 02 June 2008 - 03:01 PM.


#7 mz30

mz30

  • Members
  • 828 posts
  • OFFLINE
  • Gender:Male
  • Location:liverpool,england
  • Local time:03:07 AM

Posted 02 June 2008 - 03:11 PM

Hi speakersrock,
I am sorry, I made a boo boo with my script above, my fault. Please try the instructions below; obviously you already have OTMoveIt2, follow after that.

Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
C:\WINDOWS\system32\pMdbaYoN.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
Please now reboot your computer.

RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.


In your next reply please post
  • otmoveit log
  • A fresh hjt log taken after renaming

god my head hurts.
if you don't ask ,you don't know


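As an added example (not code from this thread, HijackThis or OTMoveIt2), here is a small Python triage script that applies the same reasoning mz30 used on the logs above: an unnamed O2 BHO loading a DLL from system32, an O20 Winlogon Notify hook to that same DLL, and O20 hooks or O23 services with an unknown owner whose file is missing. The sample lines are constructed from entries quoted in this thread, not a complete log.

```python
"""Triage a HijackThis v2 log for the patterns discussed in this thread.

Added example; not code from the thread, HijackThis or OTMoveIt2.  The rules
encode the reasoning mz30 applied to the logs above:
  * an O2 BHO with "(no name)" that loads a DLL from system32,
  * an O20 Winlogon Notify hook pointing at that same DLL (corroboration),
  * an O20 hook or O23 "Unknown owner" service whose file is missing.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O2", "O20", "O23"
    reason: str   # why the line was flagged
    line: str     # the original log line


# HijackThis prints every entry as "<section> - <details>".
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Last path component ending in .dll or .exe, case-insensitive.
BASENAME_RE = re.compile(r"([^\\/\s]+\.(?:dll|exe))", re.IGNORECASE)

# Constructed sample built from lines quoted in the thread (not a full log).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll",
    r"O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
]


def parse_entries(lines):
    """Return (section, details, raw) for every recognised HijackThis line."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        m = SECTION_RE.match(raw)
        if m:
            entries.append((m.group(1), m.group(2), raw))
    return entries


def triage(lines):
    """Return the Finding list for a log, in section order O2, O20, O23."""
    entries = parse_entries(lines)
    findings = []

    # Pass 1: unnamed BHOs.  No name plus a DLL under system32 is the loader
    # pattern seen in this thread; no name plus "(no file)" is a stale entry.
    noname_dlls = set()
    for section, details, raw in entries:
        if section == "O2" and details.startswith("BHO: (no name)"):
            if details.endswith("(no file)"):
                findings.append(Finding(section, "unnamed BHO with no file (stale entry)", raw))
                continue
            base = BASENAME_RE.search(details)
            if base and "system32" in details.lower():
                noname_dlls.add(base.group(1).lower())
                findings.append(Finding(section, "unnamed BHO loading a DLL from system32", raw))

    # Pass 2: Winlogon Notify hooks.  A hook on the same DLL as an unnamed BHO
    # corroborates the BHO finding; a hook whose DLL is gone is dead weight.
    for section, details, raw in entries:
        if section == "O20" and details.startswith("Winlogon Notify:"):
            base = BASENAME_RE.search(details)
            name = base.group(1).lower() if base else ""
            if name in noname_dlls:
                findings.append(Finding(section, "Winlogon Notify hook on the same DLL as an unnamed BHO", raw))
            elif "(file missing)" in details:
                findings.append(Finding(section, "Winlogon Notify hook whose DLL is missing", raw))

    # Pass 3: services with no publisher whose binary no longer exists.
    for section, details, raw in entries:
        if section == "O23" and "Unknown owner" in details and "(file missing)" in details:
            findings.append(Finding(section, "service with unknown owner and missing binary", raw))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```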


#8 Speakersrock


Posted 02 June 2008 - 03:48 PM

Okay no worries! - Thanks Mz.

OTMOVE LOG;

-------------------
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pMdbaYoN.dll
C:\WINDOWS\system32\pMdbaYoN.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\pMdbaYoN.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\SYSTEM32\WinCtrl32.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06022008_214140

--------------------

HJL

---------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:50, on 02/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Net Control 2\NetCtl.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\RunOnce: [OTScanIt] \\Serv-1\network resources\OTMoveIt2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 9567 bytes

----------------
Thanks

#9 Speakersrock


Posted 04 June 2008 - 08:46 AM

ermmmmmm

bump

?

#10 mz30


Posted 04 June 2008 - 11:14 AM

Hi speakersrock, sorry for the delay, work issues.
Just before I make a fresh fix for you, could you please reboot your PC, then post a fresh HJT log to see if anything has changed.

Thanks




#11 Speakersrock


Posted 04 June 2008 - 04:50 PM

Hi okay no worries!

All yours! :thumbsup:

------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:16, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Net Control 2\NetCtl.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\pMdbaYoN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pMdbaYoN - C:\WINDOWS\SYSTEM32\pMdbaYoN.dll
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 9648 bytes

#12 mz30


Posted 05 June 2008 - 09:39 AM

Hi speakersrock,

Press Start->Run, copy/paste the following command into the box and press OK:

cmd /c dir C:\*.* /L /A /B /S|Find "pmdbayon.dll" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.




#13 Speakersrock


Posted 05 June 2008 - 10:22 AM

Hi Mz,

all it says is this;

"c:\windows\system32\pmdbayon.dll"

Hope that's right! :thumbsup:

#14 mz30


Posted 05 June 2008 - 04:41 PM

Please visit this webpage for instructions on downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.





#15 Speakersrock


Posted 06 June 2008 - 04:57 AM

Okay, thanks.

HJL
----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:29, on 06/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Net Control 2\NetCtl.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 9324 bytes


------------------------
ComboFix (nice tool!)

ComboFix 08-06-05.3 - matt 2008-06-06 10:28:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.378 [GMT 1:00]
Running from: C:\Documents and Settings\matt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\matt\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\tpBe12
C:\WINDOWS\system32\28463
C:\WINDOWS\system32\28463\QJVF.001
C:\WINDOWS\system32\28463\QJVF.005
C:\WINDOWS\system32\28463\QJVF.006
C:\WINDOWS\system32\28463\QJVF.007
C:\WINDOWS\system32\28463\QTJL.001
C:\WINDOWS\system32\28463\QTJL.002
C:\WINDOWS\system32\28463\QTJL.002.tmp
C:\WINDOWS\system32\28463\QTJL.005
C:\WINDOWS\system32\28463\QTJL.006
C:\WINDOWS\system32\28463\QTJL.007
C:\WINDOWS\system32\28463\QTJL.009
C:\WINDOWS\system32\28463\QTJL.009.tmp
C:\WINDOWS\system32\28463\SALQ.001
C:\WINDOWS\system32\28463\SALQ.002
C:\WINDOWS\system32\28463\SALQ.005
C:\WINDOWS\system32\28463\SALQ.006
C:\WINDOWS\system32\28463\SALQ.007
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pMdbaYoN.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_NPF
-------\Service_msupdate
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-05 22:39 . 2008-06-05 22:39 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-06-05 22:38 . 2008-06-06 07:41 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-06-05 21:19 . 2008-06-05 21:19 <DIR> d-------- C:\Program Files\Sling Media
2008-06-05 18:54 . 2008-06-05 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-05 10:13 . 2008-06-05 10:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-05 10:13 . 2008-06-05 10:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:58 . 2008-06-04 17:58 <DIR> d-------- C:\Program Files\EASEUS
2008-06-04 17:58 . 2008-04-16 09:10 797,696 -ra------ C:\WINDOWS\system32\bootman.exe
2008-06-02 20:27 . 2008-06-02 20:27 <DIR> d-------- C:\_OTMoveIt
2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2008-06-02 09:14 . 2008-06-02 09:14 230 --a------ C:\config.xml
2008-06-02 09:08 . 2008-06-02 09:08 <DIR> d-------- C:\Program Files\Microsoft Research
2008-06-01 21:03 . 2008-06-01 21:03 50,052 --a------ C:\How To Use Sdfix.html
2008-06-01 10:53 . 2008-06-01 10:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\AVG7
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\AVG7
2008-06-01 04:28 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Tibia
2008-06-01 04:28 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Tibia
2008-06-01 04:27 . 2008-06-01 04:27 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\SiteClasses
2008-06-01 04:27 . 2008-06-01 04:28 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Joost
2008-06-01 04:27 . 2008-06-01 04:27 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\SiteClasses
2008-06-01 04:27 . 2008-06-01 04:28 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Joost
2008-05-31 22:35 . 2008-06-01 09:42 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-31 16:31 . 2008-05-31 16:31 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Tunebite
2008-05-31 16:31 . 2008-05-31 16:31 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Tunebite
2008-05-31 16:25 . 2008-05-31 16:25 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Xara
2008-05-31 16:25 . 2008-05-31 16:25 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Xara
2008-05-31 16:24 . 2008-05-31 16:24 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\SmartFTP
2008-05-31 16:24 . 2008-06-01 04:27 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Sites
2008-05-31 16:24 . 2008-05-31 16:24 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\SmartFTP
2008-05-31 16:24 . 2008-06-01 04:27 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Sites
2008-05-31 16:20 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\NCH Swift Sound
2008-05-31 16:20 . 2008-05-31 16:20 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\NCH Software
2008-05-31 16:20 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\NCH Swift Sound
2008-05-31 16:20 . 2008-05-31 16:20 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\NCH Software
2008-05-31 16:19 . 2008-05-31 16:20 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\mioObjects
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Media Player Classic
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\IsolatedStorage
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\gtk-2.0
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Dynamic
2008-05-31 16:19 . 2008-06-01 04:28 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\dvdcss
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\AutoPowerOn
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Audacity
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\.#
2008-05-31 16:19 . 2008-05-31 16:20 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\mioObjects
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Media Player Classic
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\IsolatedStorage
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\gtk-2.0
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Dynamic
2008-05-31 16:19 . 2008-06-01 04:28 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\dvdcss
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\AutoPowerOn
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Audacity
2008-05-31 16:19 . 2008-05-31 16:19 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\.#
2008-05-31 10:06 . 2008-05-31 10:06 <DIR> d-------- C:\SPAMfighter
2008-05-31 09:42 . 2008-05-31 16:34 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\Winamp
2008-05-31 09:42 . 2008-05-31 16:34 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\Winamp
2008-05-31 00:02 . 2008-05-31 00:02 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\InstallShield
2008-05-31 00:02 . 2008-05-31 00:02 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\InstallShield
2008-05-30 23:09 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\BitTorrent
2008-05-30 23:09 . 2008-06-01 04:29 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\BitTorrent
2008-05-29 22:49 . 2008-05-29 22:49 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-29 22:44 . 2008-05-29 22:48 <DIR> d-------- C:\Program Files\VentSrv
2008-05-29 22:44 . 2008-06-05 19:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 20:10 . 2008-05-29 20:23 <DIR> d-------- C:\Program Files\OPENXTRA
2008-05-29 09:42 . 2008-06-02 17:21 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-05-29 09:42 . 2008-06-01 22:32 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-29 09:41 . 2008-05-29 09:41 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-05-29 09:09 . 2008-05-31 18:55 <DIR> d-------- C:\Program Files\WarRock
2008-05-28 18:31 . 2008-05-28 18:31 <DIR> d-------- C:\Games
2008-05-26 21:59 . 2008-05-26 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\4p-r9-67-55-p3-26
2008-05-26 21:54 . 2008-05-26 21:55 <DIR> d-------- C:\Program Files\GameHouse
2008-05-26 15:05 . 2008-05-26 15:05 <DIR> d-------- C:\Program Files\Serif
2008-05-26 15:05 . 2008-05-26 15:05 <DIR> d-------- C:\Program Files\3d plus
2008-05-26 15:05 . 2008-05-26 15:05 <DIR> d-------- C:\My Documents
2008-05-26 11:46 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-26 11:46 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-26 11:46 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-26 09:33 . 2008-06-06 09:57 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-26 00:34 . 2008-05-26 00:34 <DIR> d-------- C:\Program Files\Tibia8.10
2008-05-25 20:35 . 2008-06-01 09:42 <DIR> d-------- \\Serv-1\usrhme_2\matt\Application Data\SPAMfighter
2008-05-25 20:35 . 2008-06-01 09:42 <DIR> d-------- \\Serv-1\usrhme_2\matt\APPLIC~1\SPAMfighter
2008-05-25 20:34 . 2008-06-06 10:44 <DIR> d-------- C:\Program Files\SPAMfighter
2008-05-25 20:34 . 2008-05-25 20:34 <DIR> d-------- C:\Program Files\Common Files\Application
2008-05-25 20:34 . 2008-05-25 20:34 <DIR> d-------- C:\Program Files\Common Files\Ankiro
2008-05-25 19:33 . 2008-05-25 19:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 19:32 . 2008-05-25 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-25 09:11 . 2008-05-25 11:09 <DIR> d-------- C:\Program Files\Saga
2008-05-21 18:46 . 2008-06-06 08:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-21 18:46 . 2008-05-21 18:46 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-21 18:46 . 2008-05-21 18:46 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-21 18:46 . 2008-05-21 18:46 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-21 18:45 . 2008-05-21 18:45 <DIR> d-------- C:\Program Files\AVG
2008-05-21 18:45 . 2008-05-21 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-21 17:36 . 2008-05-21 17:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 17:36 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-21 17:36 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-19 10:13 . 2008-05-19 10:13 <DIR> d-------- C:\Program Files\Tibia
2008-05-19 10:09 . 2008-05-19 10:09 <DIR> d-------- C:\Program Files\TibiaTek Bot Development Team
2008-05-17 21:52 . 2008-05-17 21:52 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-17 21:52 . 2008-05-17 21:52 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-17 21:52 . 2008-05-17 21:52 <DIR> d-------- C:\Program Files\MSBuild
2008-05-17 21:51 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-17 21:33 . 2008-05-17 21:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-16 23:23 . 2008-05-16 23:23 <DIR> d-------- C:\fsaua.data
2008-05-16 21:09 . 2008-04-29 21:10 378,402 --a------ C:\WINDOWS\system32\decrypter.exe
2008-05-16 20:57 . 2008-05-17 21:24 <DIR> d--hs---- C:\WINDOWS\system32\Sys
2008-05-16 18:06 . 2008-05-16 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:30 . 2008-05-16 17:30 <DIR> d-------- C:\Automap
2008-05-16 15:15 . 2008-05-16 15:24 <DIR> d-------- C:\Program Files\WinHex
2008-05-15 21:41 . 2008-05-15 21:42 <DIR> d-------- C:\Program Files\BPFTP Server
2008-05-15 16:53 . 2008-01-17 23:55 <DIR> d-------- C:\Documents and Settings\matt\WINDOWS
2008-05-15 16:53 . 2008-04-20 19:49 <DIR> d-------- C:\Documents and Settings\matt\Tracing
2008-05-15 16:53 . 2008-01-17 23:55 <DIR> d-------- C:\Documents and Settings\matt\Templates_NTFRS_003f9315
2008-05-15 16:53 . 2008-01-17 23:55 <DIR> d-------- C:\Documents and Settings\matt\Start Menu_NTFRS_003f6c15
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\SendTo_NTFRS_003f5fb1
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Recent_NTFRS_003f4572
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Program Files
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\NetHood_NTFRS_003f3fd5
2008-05-15 16:53 . 2008-03-09 22:06 <DIR> d-------- C:\Documents and Settings\matt\NCH Software
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\My Documents_NTFRS_003f2911
2008-05-15 16:53 . 2007-01-23 18:52 <DIR> d-------- C:\Documents and Settings\matt\groups
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Favorites_NTFRS_003f1d88
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Desktop_NTFRS_003f18a6
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Cookies_NTFRS_003f14cd
2008-05-15 16:53 . 2008-01-17 23:56 <DIR> d-------- C:\Documents and Settings\matt\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:49 --------- d-----w C:\Program Files\Food Force
2008-05-30 17:50 --------- d-----w C:\Program Files\Google
2008-05-29 19:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 18:33 --------- d-----w C:\Program Files\Windows Live
2008-05-25 09:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-25 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-05-21 16:37 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-18 11:23 --------- d-----w C:\Program Files\Opera
2008-05-18 09:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 06:00 71,495 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-05-10 09:58 114 ----a-w C:\sccfg.sys
2008-05-08 15:13 --------- d-----w C:\Program Files\Java
2008-05-03 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\YoGen
2008-05-03 10:58 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-05-03 10:57 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-05-01 05:29 --------- d-----w C:\Program Files\Doblon
2008-04-29 15:25 111 ----a-w C:\UnInstallService.bat
2008-04-27 17:57 --------- d-----w C:\Program Files\HMV
2008-04-26 22:38 --------- d-----w C:\Program Files\UltraISO
2008-04-25 21:07 --------- d-----w C:\Program Files\CCleaner
2008-04-25 20:16 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-04-25 19:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-25 17:35 --------- d-----w C:\Program Files\WhiteCanyon
2008-04-20 18:48 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-18 20:44 --------- d-----w C:\Program Files\Network Stumbler
2008-04-18 16:06 --------- d-----w C:\Program Files\DIFX
2008-04-18 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Applications
2008-04-17 23:06 --------- d-----w C:\Program Files\Active WebCam
2008-04-17 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PY_Software
2008-04-15 22:43 --------- d-----w C:\Program Files\VideoLAN
2008-04-15 21:38 2,723,264 ----a-w C:\Documents and Settings\All Users\vcredist_x86.exe
2008-04-15 15:08 --------- d-----w C:\Program Files\Inno Setup 5
2008-04-15 08:43 --------- d-----w C:\Program Files\XPPEN
2008-04-11 21:51 --------- d-----w C:\Program Files\VMware
2008-04-11 21:51 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-11 20:53 --------- d-----w C:\Program Files\Challenger
2008-04-11 20:43 --------- d-----w C:\Program Files\Folder Lock
2008-04-11 20:38 --------- d-----w C:\Program Files\HD Tune Pro
2008-04-11 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-09 21:17 --------- d-----w C:\Program Files\Virtual Audio Cable
2008-04-09 20:22 --------- d-----w C:\Program Files\RapidSolution
2008-04-08 21:25 --------- d-----w C:\Program Files\BitTorrent
2008-04-08 09:49 --------- d-----w C:\Program Files\Photo Story 3 for Windows
2008-04-07 11:42 --------- d-----w C:\Program Files\Winamp
2008-03-08 21:48 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-08 21:48 249,856 ------w C:\WINDOWS\Setup1.exe
.

------- Sigcheck -------

2004-08-04 11:00 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\explorer.exe
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 11:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2004-08-04 11:00 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 20:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" []
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2008-03-03 20:05 55856]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 11:00 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 10:07 827392]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"NTUserDispatcher"="C:\Program Files\Net Control 2\ncscc.exe" [2006-09-20 08:21 27136]
"ImgTask"="E:\Imgtask.exe" [ ]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 11:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-07 02:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-07 02:10 118784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-21 18:45 1177368]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2008-05-14 15:23 321160]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 19:49 36352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 11:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 20:34 5724184]

C:\Documents and Settings\Administrator.HEAVENS-END.000\Start Menu\Programs\Startup\
audiorepeater.exe [2006-03-24 12:48:20 13898]

C:\Documents and Settings\matt.HEAVENS-END\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\matt\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-12-11 21:34:40 10252288]
ScanPanel.lnk - C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe [2007-12-28 19:45:05 1363968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoLogOff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fmS85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HeavyWeatherPublisher]
--a------ 2004-02-23 00:23 1302528 C:\HeavyWeather\HeavyWeatherPublisher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tunebite]
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Net Control 2\\NetCtl.exe"=
"C:\\Program Files\\Net Control 2\\ncserver.exe"=
"C:\\Program Files\\Net Control 2\\NcView.exe"= C:\\Program Files\\Net Control 2\\NCView.exe
"C:\\Program Files\\Net Control 2\\NCVServer.exe"=
"C:\\Program Files\\Net Control 2\\NetChat.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\Program Files\\IBP 10\\IBP.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-21 18:46]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-21 18:45]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-21 18:45]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-21 18:46]
R2 NetControl2Server;Net Control 2 Server;C:\Program Files\Net Control 2\ncserver.exe [2007-05-06 21:07]
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2008-05-14 15:24]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2006-03-24 12:48]
R3 nckbdsup;nckbdsup;C:\WINDOWS\system32\drivers\nckbdsup.sys [2006-04-06 06:53]
R3 ncvhook;ncvhook;C:\WINDOWS\system32\DRIVERS\ncvhook.sys [2006-01-29 12:42]
S0 fmS85;fmS85;C:\WINDOWS\system32\Drivers\fmS85.sys []
S2 3proxy;3proxy tiny proxy server;"C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe" "C:\Documents and Settings\3proxy.cfg" []
S2 ACLBDevMon;ACLBDevMon;C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 PV8630;USB Flatbed Scanner Driver;C:\WINDOWS\system32\DRIVERS\A1236.sys [2000-06-27 08:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a371486-f9b8-11dc-a6c4-000e2e34d371}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 20:26:39 C:\WINDOWS\Tasks\airraid.job"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 10:43:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\drivers\WtSrv.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-06-06 10:49:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 09:49:17

Pre-Run: 806,883,328 bytes free
Post-Run: 1,707,446,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" Microsoft Windows XP Professional
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

357 --- E O F --- 2008-06-06 02:00:38
---------------------



Thanks.



