Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Recent Trojan.Vundo/Trojan.Agent Infection


  • This topic is locked This topic is locked
25 replies to this topic

#1 Obfuscated

Obfuscated

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 25 January 2009 - 03:38 PM

Hey ,

I've recently gotten a trojan.vundo / Trojan.agent (are they the same thing?) infection, but I've managed to remove all but four of the infected files through MBAM.

Here's the log for MBAM:

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 2

1/25/2009 12:13:36 AM
mbam-log-2009-01-25 (00-13-36).txt

Scan type: Quick Scan
Objects scanned: 57803
Time elapsed: 10 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyyxYQg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqRHbXq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6b70589-057d-4dc5-a644-c4b5fbb1904d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a6b70589-057d-4dc5-a644-c4b5fbb1904d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrhbxq (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule35 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyyxyqg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyyxyqg -> Delete on reboot.

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Claire\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyyxYQg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gQYxyyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gQYxyyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqRHbXq.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule35.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv351232809217.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


(I'm not sure what "delete on reboot" actually does; is it automatically deleted after the reboot?)
And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:42 PM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HandWrite\MyNewRecog.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\HandWrite\InsTalk\InsTalk.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Anti-Spyware, Malware, Trojan, etc\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NewRecog] C:\Program Files\HandWrite\MyNewRecog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [WinShrink] G:\Other Programs\WinShrink\AutoJob.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Other Programs\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Glary Memory Optimizer] "F:\Cleaning and Tidying\Glary Utilities\memdefrag.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs:
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9815 bytes


I'm not sure if I've completely gotten rid of the infection yet, can you guys check it over for me?

Greatly Appreciated! :D

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 07 February 2009 - 12:53 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

(I'm not sure what "delete on reboot" actually does; is it automatically deleted after the reboot?)
And here's the HJT log:

Yes, that usually means it will be delete on reboot. Let's see if they are still there. I think it may still be active because these files aren't that easy to get rid of because they inject into system core files.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Please post back with:
-New pair of DDS log (look at the preparation guide)
-Kaspersky log
-What Problems do you still have?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 10 February 2009 - 01:14 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 10 February 2009 - 09:19 PM

Yes, sorry, I am still here, I just haven't checked b/c I was waiting for you guys to finish with your other "clients."
I will post the ATF Cleaner in my next post.

Thanks For Your Help!

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 10 February 2009 - 09:25 PM

Hello.

No. Post back with the following, not the ATFCleaner log.... That's just a tool to clear your temp files, caches etc.... :thumbup2:

-New pair of DDS log (look at the preparation guide)
-Kaspersky log
-What Problems do you still have?


I need to leave now, so I will analyze it probably tomorrow. It's fairly late for me now.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 10 February 2009 - 09:27 PM

Sorry, but what do you mean by a DDS log? :thumbup2:

(Edit) (Sorry, moved edit to a new post) :)

Edited by Obfuscated, 11 February 2009 - 12:25 AM.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 10 February 2009 - 09:28 PM

Hello.

It's the log that you should of posted instead of the Hijackthis log.

Read the Preparation Guide. IT tells you to run DDs at the end.

Post the logs when it's complete.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 11 February 2009 - 12:26 AM

Also, when I am running the Kaspersky Online Scan, the scanner keeps stopping in the middle (stops updating), or it says that the Java app failed to load. I have all the Anti-Virus protections turned off, too. :\

#9 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 11 February 2009 - 01:12 AM

Here Is the DDS Log :)
and The attach.txt in the attachment


DDS (Ver_09-02-01.01) - NTFSx86
Run by Claire at 22:04:52.90 on 02/10/2009 Tue
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1024.356 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
FW: COMODO Firewall *enabled* <==( I don't think that's right :thumbup2:)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HandWrite\MyNewRecog.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\HandWrite\InsTalk\InsTalk.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Claire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?client=aff-ime
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch =
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpeedItUpEX] c:\program files\speeditup free\SpeedItUp.exe -MINI
uRun: [Glary Memory Optimizer] "f:\cleaning and tidying\glary utilities\memdefrag.exe" /autostart
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDTray] "c:\program files\hp dvd\umbrella\DVDTray.exe"
mRun: [DVDBitSet] "c:\program files\hp dvd\umbrella\DVDBitSet.exe" /NOUI
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NewRecog] c:\program files\handwrite\MyNewRecog.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [WinShrink] \AutoJob.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "g:\other programs\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ieee80~1.lnk - c:\program files\wireless lan\WlanUtil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute lite edition\vrie.dll
DPF: {00000055-9980-0010-8000-00AA00389B71}
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs:
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\claire\applic~1\mozilla\firefox\profiles\024eezi0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\claire\application data\mozilla\firefox\profiles\024eezi0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 is-5Q6CUdrv;is-5Q6CUdrv;c:\windows\system32\drivers\47540411.sys [2008-11-3 148496]
R1 is-PN6PCdrv;is-PN6PCdrv;c:\windows\system32\drivers\82587926.sys [2008-10-29 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-8 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-8 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-8 40488]
R3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2006-3-4 247296]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 lvdevenb;Logitech Device Enabler Filter;c:\windows\system32\drivers\lvdevenb.sys --> c:\windows\system32\drivers\lvdevenb.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-8 34152]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\lv532av.sys --> c:\windows\system32\drivers\LV532AV.SYS [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2006-3-4 19200]

=============== Created Last 30 ================

2009-01-24 23:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-24 23:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 16:11 <DIR> --d----- c:\docume~1\claire\applic~1\ESBCalc
2009-01-24 16:10 <DIR> --d----- c:\program files\ESBCalc
2009-01-23 00:17 280 a------- c:\windows\proxy.pac

==================== Find3M ====================

2009-02-10 22:06 249,395,232 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-09 21:21 2,900,456 a--sh--- c:\windows\system32\drivers\fidbox.idx
2006-05-03 01:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 02:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 04:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 22:09:47.32 ===============

Attached Files



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 11 February 2009 - 04:16 PM

Hello.

Forget about the Kaspersky scan for now. We will run Combofix, it can remove most of the infections you have currently.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important!:Please do not select the Show all checkbox during the scan..

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 11 February 2009 - 10:16 PM

First off, the Combofix:

ComboFix 09-02-11.02 - Claire 2009-02-11 18:37:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1024.356 [GMT -8:00]
Running From: c:\documents and settings\Claire\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created From 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-11 18:29 . 2009-02-11 18:33 <DIR> d-------- C:\32788R22FWJFW
2009-02-10 22:43 . 2006-09-12 03:46 227,328 -r-hs---- c:\windows\system32\ac3DX.ax
2009-02-10 22:43 . 2008-03-16 05:30 216,064 -r-hs---- c:\windows\system32\nbDX.dll
2009-02-10 22:43 . 2006-03-10 13:48 169,472 -r-hs---- c:\windows\system32\MatroskaDX.ax
2009-02-10 22:43 . 2006-05-03 02:06 163,328 -r-hs---- c:\windows\system32\flvDX.dll
2009-02-10 22:43 . 2005-11-25 12:46 161,792 -r-hs---- c:\windows\system32\RealMediaDX.ax
2009-02-10 22:43 . 2006-01-12 15:23 123,904 -r-hs---- c:\windows\system32\AVCDX.ax
2009-02-10 22:43 . 2003-11-20 15:00 54,784 -r-hs---- c:\windows\system32\RLAPEDec.ax
2009-02-10 22:43 . 2004-04-26 15:00 37,888 -r-hs---- c:\windows\system32\RLMPCDec.ax
2009-02-10 22:43 . 2007-02-21 03:47 31,232 -r-hs---- c:\windows\system32\msfDX.dll
2009-01-24 23:54 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 23:54 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-24 16:11 . 2009-01-24 16:13 <DIR> d-------- c:\documents and settings\Claire\Application Data\ESBCalc
2009-01-24 16:10 . 2009-01-24 16:10 <DIR> d-------- c:\program files\ESBCalc
2009-01-23 00:17 . 2003-08-12 10:45 280 --a------ c:\windows\proxy.pac

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 02:45 252,022,816 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-12 00:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-11 08:45 2,942,672 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-05 07:21 --------- d-----w c:\documents and settings\Claire\Application Data\aMule
2009-02-05 06:02 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-25 07:54 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-21 21:55 --------- d-----w c:\program files\McAfee
2009-01-19 19:00 --------- d-----w c:\program files\Speeditup Free
2009-01-03 07:34 --------- d-----w c:\documents and settings\Claire\Application Data\Any Video Converter
2008-12-22 04:47 --------- d-----w c:\documents and settings\Claire\Application Data\Apple Computer
2008-12-20 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-20 23:03 --------- d-----w c:\program files\iPod
2008-12-20 23:03 --------- d-----w c:\program files\Common Files\Apple
2008-12-20 23:03 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-20 23:02 --------- d-----w c:\program files\Bonjour
2008-12-20 23:01 --------- d-----w c:\program files\QuickTime
2008-12-20 22:59 --------- d-----w c:\program files\Apple Software Update
2008-12-20 22:57 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-18 07:25 --------- d-----w c:\documents and settings\Claire\Application Data\LimeWire
2008-12-13 21:17 --------- d-----w c:\program files\Google
2008-10-27 07:53 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-04-09 23:26 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-04-09 23:26 53,248 ----a-w c:\program files\mozilla firefox\components\ThunderComponent.dll
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 18:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
2006-04-20 03:51 359808 1dbf125862891817f374f407626967f4 c:\windows\system32\dllcache\tcpip.sys
2006-04-20 03:51 359808 45265cbad25c6254afafc7bdd88bdb4b c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 68856]
"SpeedItUpEX"="c:\program files\Speeditup Free\SpeedItUp.exe" [2009-01-19 948224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-02 372736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 57344]
"DVDBitSet"="c:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NewRecog"="c:\program files\HandWrite\MyNewRecog.exe" [2007-08-30 778240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-26 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2008-07-10 5129504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-03-04 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-04 113664]
IEEE 802.11g USB Wireless LAN Utility.lnk - c:\program files\Wireless LAN\WlanUtil.exe [2006-03-04 413696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIM1"= pclepim1.dll
"vidc.i420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Claire^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 12:52 75584 c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 17:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"ccosm"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Programs - Bowei\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 is-5Q6CUdrv;is-5Q6CUdrv;c:\windows\system32\drivers\47540411.sys [2008-11-03 148496]
R1 is-PN6PCdrv;is-PN6PCdrv;c:\windows\system32\drivers\82587926.sys [2008-10-29 148496]
R2 HDDlife HDD Access service;HDDlife HDD Access service;c:\program files\BinarySense\HDDlife 3\hldasvc.exe [2007-08-09 816376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-11-08 206096]
R3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2006-03-04 247296]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-26 30192]
S3 lvdevenb;Logitech Device Enabler Filter;c:\windows\system32\DRIVERS\lvdevenb.sys --> c:\windows\system32\DRIVERS\lvdevenb.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2006-03-04 19200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9d6c206-5df1-11dd-bcd6-0011a301243f}]
\Shell\AutoRun\command - f:\wd_windows_tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbb8412c-08bf-11db-94ac-0011a3013c53}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-12 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-11-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Glary Memory Optimizer - f:\cleaning and tidying\Glary Utilities\memdefrag.exe
HKLM-Run-WinShrink - \AutoJob.exe
HKLM-Run-iTunesHelper - g:\other programs\iTunes\iTunesHelper.exe


.
------- Other Running Processes -------
.
uStart Page = hxxp://www.google.com/webhp?client=aff-ime
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch =
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: {00000055-9980-0010-8000-00AA00389B71}
FF - ProfilePath - c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\024eezi0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\024eezi0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 18:44:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\SUPER *]
"DisplayName"="SUPER ?Version 2009.bld.35 (Jan 5, 2009)"
"UninstallString"="h:\\OTHERP~1\\SUPER\\Setup.exe /remove /q0"
"InstallDate"="2009-02-10 22:41:45"
"InstallLocation"="h:\\Other Programs\\SUPER"
"InstallSource"="c:\\Documents and Settings\\Claire\\Local Settings\\Temporary Internet Files\\Content.IE5\\UROT05MT"
"DisplayIcon"="h:\\Other Programs\\SUPER\\SUPER.exe"
"DisplayVersion"="Version 2009.bld.35 (Jan 5, 2009)"
"VersionMajor"=dword:00000000
"VersionMinor"=dword:00000000
"Publisher"="eRightSoft"
"HelpLink"="http://www.eRightSoft.com"
"URLInfoAbout"="http://www.eRightSoft.com"
"URLUpdateInfo"="http://www.eRightSoft.com"
"Contact"="support@eRightSoft.com"
.
Finish Time: 2009-02-11 18:50:36
ComboFix-quarantined-files.txt 2009-02-12 02:50:28
ComboFix2.txt 2008-11-01 06:11:16

Pre-Run: 11,644,403,712 bytes free
Post-Run: 12,038,492,160 bytes free

233 --- E O F --- 2008-11-13 01:11:33

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 12 February 2009 - 05:33 PM

Hello.

I would like you to post all the logs, not one at a time. Also why did you run Combofix 4 times? Do not run it more than once unless I tell you to.... :thumbup2:

Post back with the other logs as well and a description of any problems you may still have.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 12 February 2009 - 07:54 PM

Oh, sorry. :thumbup2:

I just didn't want to re-start the computer yet, so I waited a while.
And in the combofix, I actually closed the program before it started because my anti-virus was still on, so I had to restart it again.

Will post all logs next. :)

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:23 PM

Posted 12 February 2009 - 08:29 PM

Okay, thanks for letting me know.

Post the logs once it's complete. I need to go now. I will analyze it once it comes in and when I come back. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:23 AM

Posted 13 February 2009 - 02:23 AM

The GMER Log (Finally!) I have it but,

Edit: Posted wrong log? :thumbup2:

(first time ppsted the one in the section under "log" tab, this time copied off "rootkit" tab;

also, log file was too big to send as attachment --->over 3mb!)

How should I send you the log? :)

Here's the HJT tho:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:58 PM, on 2/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ssstars.scr
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Anti-Spyware, Malware, Trojan, etc\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NewRecog] C:\Program Files\HandWrite\MyNewRecog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs:
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9301 bytes

Edited by Obfuscated, 13 February 2009 - 02:40 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users