TG
new user
Reg'd: Wed
Posts: 7
I think I have a malware problem or something?
My iexplorer.exe keeps loading and keeps taking memory even when no Internet Explorer is open.
Can anyone help?
I have run a scan with Avast & AVG Anti-Spyware and A2 Free, rebooted; it has cleaned stuff out but something seems to keep coming back...
Logfile of HijackThis v1.99.1
Scan saved at 20:36:21, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\antiviirus.exe
C:\Program Files\tmp73275.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\tmp78793.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://www.ie-cards.com/flashplayer.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: MonAlrt - {a5081646-6e82-4da4-b0d5-a2d0af958b35} - C:\WINDOWS\Installer\{a5081646-6e82-4da4-b0d5-a2d0af958b35}\MonAlrt.dll (file missing)
O21 - SSODL: zip - {20f35cb8-9781-4a20-a331-b4ce6392ac4d} - C:\WINDOWS\Installer\{20f35cb8-9781-4a20-a331-b4ce6392ac4d}\zip.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ip6flrrv - Intel Corporation - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - Unknown owner - C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk (file missing)
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - Unknown owner - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk (file missing)
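The log above is what a helper reads by eye: two executables sitting directly in the root of C:\Program Files (antiviirus.exe and the tmp<digits>.exe files, both also running), a Run key for antiviirus.exe, and a few autostart entries whose target file is gone. The script below is an added example, not part of this thread or of HijackThis, that encodes those same heuristics over HJT-style lines. The sample lines are copied from the log above; the C:\WINDOWS\iexplorer.exe line is constructed to mirror the reporter's description (the legitimate Internet Explorer binary is iexplore.exe), and the KNOWN_NAMES list is an assumed set of commonly imitated system binaries.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example: not part of the original thread or of HijackThis itself.
Sample lines are copied from the posted log; the iexplorer.exe line is
constructed to mirror the reporter's description.
"""
import re
from typing import Dict, List, Optional

# Executable sitting directly in the Program Files root (no vendor folder):
# almost no legitimate installer does this, but droppers frequently do.
PROGRAM_FILES_ROOT = re.compile(
    r"^[A-Za-z]:\\(?:Program Files|PROGRA~1)\\[^\\]+\.exe$", re.IGNORECASE
)
# tmp<digits>.exe naming, the pattern of the files in the log above.
TMP_NUMERIC = re.compile(r"^tmp\d+\.exe$", re.IGNORECASE)
# Legitimate binary names that malware commonly imitates (assumed list).
KNOWN_NAMES = ("explorer.exe", "iexplore.exe", "lsass.exe", "services.exe",
               "svchost.exe", "winlogon.exe")
# First Windows path ending in .exe or .dll on the line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line: str) -> Optional[str]:
    """Return the executable or DLL path an HJT line refers to, if any."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> List[str]:
    """Return the reasons this line deserves a look (empty list if none)."""
    reasons: List[str] = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("autostart or service points at a file that is not there")
    path = extract_path(line)
    if path is None:
        return reasons
    name = path.rsplit("\\", 1)[-1].lower()
    if PROGRAM_FILES_ROOT.match(path):
        reasons.append("executable sits directly in the Program Files root")
    if TMP_NUMERIC.match(name):
        reasons.append("tmp<digits>.exe naming, typical of a dropper")
    for known in KNOWN_NAMES:
        if name != known and _edit_distance(name, known) == 1:
            reasons.append(f"name is one edit away from {known}")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


# Constructed sample: lines taken from the posted log plus one made-up
# iexplorer.exe process line (the reporter named it but gave no path).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\antiviirus.exe
C:\Program Files\tmp73275.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\iexplorer.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: MonAlrt - {a5081646-6e82-4da4-b0d5-a2d0af958b35} - C:\WINDOWS\Installer\{a5081646-6e82-4da4-b0d5-a2d0af958b35}\MonAlrt.dll (file missing)
O23 - Service: Ip6flrrv - Intel Corporation - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

The "file missing" signal is deliberately the weakest of the four: the v1.99.1 log above reports avast's mail and web scanner services as missing with a stray quote in the path, while the v2.0.2 log further down lists the same services with their files present, so that flag is a prompt to check the entry, not a verdict on it. The Program Files root and tmp<digits>.exe checks are what actually single out antiviirus.exe and the tmp files here.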
Pancake
HijackThis Helper
Reg'd: Sat
Posts: 1257
Loc: Victoria, Australia
Yes you do have a trojan to remove.
You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.
Please download HijackThis to your desktop.
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link: http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you.
Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
============================
Please download SDFix from here and save it to your desktop
Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Post that log in your next reply.
=================================
OK. We need to download ComboFix.exe. This will give a better view of what is running on your computer.
Please visit this webpage for download links, and instructions for running the tool
When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with Combofix unless supervised by a security analyst.
--------------------
TG
new user
Reg'd: Wed
Posts: 7
Thanks -
OK, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55:58, on 13/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\antiviirus.exe
C:\Program Files\tmp112251.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\tmp117398.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-436374069-1606980848-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Sarah')
O4 - HKUS\S-1-5-21-436374069-1606980848-839522115-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Sarah')
O4 - HKUS\S-1-5-21-436374069-1606980848-839522115-1005\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User 'Sarah')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://www.ie-cards.com/flashplayer.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: MonAlrt - {a5081646-6e82-4da4-b0d5-a2d0af958b35} - C:\WINDOWS\Installer\{a5081646-6e82-4da4-b0d5-a2d0af958b35}\MonAlrt.dll (file missing)
O21 - SSODL: zip - {20f35cb8-9781-4a20-a331-b4ce6392ac4d} - C:\WINDOWS\Installer\{20f35cb8-9781-4a20-a331-b4ce6392ac4d}\zip.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ip6flrrv - Intel Corporation - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

-- End of file - 13780 bytes
And here is the SDFix log:
SDFix: Version 1.156
Run on 13/03/2008 at 20:10
Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\ARAUDI~1.DLL - Deleted C:\WINDOWS\SYSTEM32\ARAUDI~2.DLL - Deleted C:\WINDOWS\SYSTEM32\ARAUDI~3.DLL - Deleted C:\Program Files\antiviirus.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-13 20:26:25 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"="C:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe:*:Enabled:ChoiceMail"
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"="C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\My Downloads\\eMule0.47c\\eMule0.47c\\emule.exe"="C:\\My Downloads\\eMule0.47c\\eMule0.47c\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe"="C:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe:*:Disabled:FreeHand 10"
"C:\\Downloads\\eMule0.47c\\eMule0.47c\\emule.exe"="C:\\Downloads\\eMule0.47c\\eMule0.47c\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"="C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe:*:Disabled:Fireworks MX"
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"="C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe:*:Enabled:sprtsvc.exe"
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"="C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe:*:Enabled:sprtcmd.exe"
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"="C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"="C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe:*:Enabled:bcont.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp1068045.exe"
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp1074985.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp112251.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp117398.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp242678.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp248066.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp3233799.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp3239327.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp56090.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp62950.exe"
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp73275.exe"
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp78793.exe"
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp86454.exe"
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp92012.exe"
Sun 8 Jul 2007 145,920 A.SHR --- "C:\Program Files\InstantAdminV2\Setup.exe"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Fri 24 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 13 Jun 2007 95,232 ...H. --- "C:\Documents and Settings\My Documents\~WRL3766.tmp"
Fri 7 Mar 2008 23,374 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Home\wsftpgui.exe-CommandBars"
Mon 3 Sep 2007 468 A..H. --- "C:\WINDOWS\ER MapperMBC\7.1\ermapper_mbc.dll"
Fri 29 Feb 2008 45,810 ...H. --- "C:\Documents and Settings\Ryan\My Documents\eFax Messenger 4.2\J2GPlus.exe-BarState"
Wed 12 Mar 2008 16,644 A.SHR --- "C:\Documents and Settings\Local Settings\Temp\Sh\rePpi51x.exe"
Sun 8 Jul 2007 145,920 A.SHR --- "C:\Documents and Settings\All Users\Documents\Accounts Backup\InstantAdminV2\Setup.exe"
Wed 18 Jul 2007 63,488 ...H. --- "C:\Documents and Settings\Sh\Local Settings\Temporary Internet Files\OLKE\~WRL3474.tmp"
Sat 16 Jun 2007 245,248 ...H. --- "C:\Documents and Settings\My Documents\TG\TG(Admin Etc)\1_Delivery Notes\~WRL1044.tmp"
Sat 16 Jun 2007 238,592 ...H. --- "C:\Documents and Settings\My Documents\TG\TG(Admin Etc)\2_Raised Invoices\Customer Invoices\~WRL3608.tmp"
Finished!
What do any of those do? Anything particularly dodgy, like record my usernames/passwords for things?
thanks tg
Pancake
HijackThis Helper
Reg'd: Sat
Posts: 1257
Loc: Victoria,Australia
I need the Combofix log please.
--------------------
TG
new user
Reg'd: Wed
Posts: 7
Oops - sorry, here you go:
ComboFix 08-03-13.2 - Ryan 2008-03-13 21:59:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.549 [GMT 0:00]
Running from: C:\Documents and Settings\My Documents\Downloads\ComboFix.exe
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Sarah\Desktop\Error Cleaner.url
C:\Documents and Settings\Sarah\Desktop\Privacy Protector.url
C:\Documents and Settings\Sarah\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Sarah\Favorites\Error Cleaner.url
C:\Documents and Settings\Sarah\Favorites\Privacy Protector.url
C:\Documents and Settings\Sarah\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\Web\default.htt
----- BITS: Possible infected sites -----
hxxp://assist.talktalk.net
.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.
2008-03-13 20:04 . 2008-03-13 20:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 20:04 . 2008-03-13 20:42 <DIR> d-------- C:\SDFix
2008-03-13 18:55 . 2008-03-13 18:55 16,644 -r-hs---- C:\Program Files\tmp3239327.exe
2008-03-13 18:55 . 2008-03-13 18:55 16,644 -r-hs---- C:\Program Files\tmp3233799.exe
2008-03-13 18:03 . 2008-03-13 18:03 16,644 -r-hs---- C:\Program Files\tmp117398.exe
2008-03-13 18:03 . 2008-03-13 18:03 16,644 -r-hs---- C:\Program Files\tmp112251.exe
2008-03-13 12:52 . 2008-03-13 12:52 16,644 -r-hs---- C:\Program Files\tmp62950.exe
2008-03-13 12:52 . 2008-03-13 12:52 16,644 -r-hs---- C:\Program Files\tmp56090.exe
2008-03-13 07:07 . 2008-03-13 07:07 16,644 -r-hs---- C:\Program Files\tmp248066.exe
2008-03-13 07:06 . 2008-03-13 07:06 16,644 -r-hs---- C:\Program Files\tmp242678.exe
2008-03-12 18:48 . 2008-03-12 18:48 16,644 -r-hs---- C:\Program Files\tmp1074985.exe
2008-03-12 18:48 . 2008-03-12 18:48 16,644 -r-hs---- C:\Program Files\tmp1068045.exe
2008-03-12 18:31 . 2008-03-12 18:31 16,644 -r-hs---- C:\Program Files\tmp78793.exe
2008-03-12 18:31 . 2008-03-12 18:31 16,644 -r-hs---- C:\Program Files\tmp73275.exe
2008-03-12 13:01 . 2008-03-12 13:01 16,644 -r-hs---- C:\Program Files\tmp92012.exe
2008-03-12 13:01 . 2008-03-12 13:01 16,644 -r-hs---- C:\Program Files\tmp86454.exe
2008-03-11 19:06 . 2008-03-11 19:06 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Grisoft
2008-03-11 12:39 . 2008-03-11 19:36 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-11 12:38 . 2008-03-11 12:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 12:38 . 2008-03-11 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 20:33 . 2008-03-10 20:33 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Grisoft
2008-03-10 20:32 . 2008-03-10 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-10 20:32 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 22:04 . 2008-03-09 22:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 22:04 . 2008-03-09 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-02 14:52 . 2008-03-02 14:53 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Program Files\uTorrent
2008-02-29 18:56 . 2008-03-02 15:04 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\uTorrent
2008-02-17 02:10 . 2008-02-17 02:10 1,877,057 --a------ C:\TEMP\MyFontsOrder1011967.zip
2008-02-16 18:22 . 2008-02-16 18:22 836,531 --a------ C:\TEMP\MyFontsOrder1011737.zip
2008-02-16 18:00 . 2008-02-16 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-16 17:43 . 2008-02-16 17:43 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-02-16 17:38 . 2008-02-16 17:38 <DIR> d-------- C:\Program Files\Bonjour
2008-02-16 17:12 . 2008-02-16 17:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 21:30 --------- d-----w C:\Documents and Settings\Rn\Application Data\AdobeUM
2008-03-13 18:58 --------- d-----w C:\Documents and Settings\Sh\Application Data\Skype
2008-03-09 22:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 08:28 --------- d-----w C:\Documents and Settings\Rn\Application Data\FileZilla
2008-02-16 17:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-04 21:17 112,064 ----a-w C:\Documents and Settings\Rn\Application Data\GDIPFONTCACHEV1.DAT
2008-02-03 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 18:17 19,300 ----a-w C:\9780955569821.zip
2008-01-28 20:35 --------- d-----w C:\Program Files\Microsoft Works
2008-01-28 20:32 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-20 18:48 --------- d-----w C:\Program Files\TalkTalk
2008-01-20 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-14 21:45 --------- d-----w C:\Program Files\Dan Elwell's Broadband Speed Test
2008-01-13 17:05 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-25 18:19 83,392 ----a-w C:\Documents and Settings\Sh\Application Data\GDIPFONTCACHEV1.DAT
2007-01-15 15:34 678,682 ----a-w C:\Documents and Settings\Rn\Application Data\unins000.exe
2007-01-15 15:34 19,127 ----a-w C:\Documents and Settings\Rn\Application Data\unins000.dat
2005-05-25 06:42 266 ---h--w C:\Program Files\desktop.ini
2005-05-25 06:42 11,079 ---h--w C:\Program Files\folder.htt
2003-01-13 10:20 278,528 ------w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2005-07-14 12:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 15:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-02-28 13:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 18:26 188416]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 15:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 15:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 15:50 86016]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 15:24 1732608]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 14:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"LWBKEYBOARD"="C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe" [2005-01-28 10:23 387584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-19 17:14 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-06-20 00:30 107008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 09:33 202016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-25 18:58:05 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-01-10 21:57:49 327765]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-06-20 22:05:21 962667]
eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-07-17 21:53:03 612352]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 00:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView5\NkvMon.exe [2005-05-25 06:31:44 233472]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-07-15 18:52:25 806912]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MonAlrt"= {a5081646-6e82-4da4-b0d5-a2d0af958b35} - C:\WINDOWS\Installer\{a5081646-6e82-4da4-b0d5-a2d0af958b35}\MonAlrt.dll [ ]
"zip"= {20f35cb8-9781-4a20-a331-b4ce6392ac4d} - C:\WINDOWS\Installer\{20f35cb8-9781-4a20-a331-b4ce6392ac4d}\zip.dll [ ]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe"=
"C:\\Downloads\\eMule0.47c\\eMule0.47c\\emule.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 11:49]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);"C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk []
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);"C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk []
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 Aldtc50piss;Aldtc50piss;C:\WINDOWS\system32\drivers\nwlnkspx.sys [2001-08-23 12:00]
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [2003-04-01 09:23]
S3 Drmels5s;Drmels5s;C:\WINDOWS\system32\ntoskrnl.exe [2007-02-28 09:10]
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 11:49]
S3 ham50;Intel V92 HaM Data Fax Voice;C:\WINDOWS\system32\DRIVERS\IntelH51.sys [2001-10-12 09:48]
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 15:44]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-08-02 14:42]
.
Contents of the 'Scheduled Tasks' folder
"2006-01-14 08:31:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1128667665.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-13 20:26:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 22:07:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-13 22:10:05
ComboFix-quarantined-files.txt 2008-03-13 22:09:47
.
2008-03-12 23:45:56 --- E O F ---
Pancake
HijackThis Helper
Reg'd: Sat
Posts: 1257
Loc: Victoria,Australia
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O21 - SSODL: MonAlrt - {a5081646-6e82-4da4-b0d5-a2d0af958b35} - C:\WINDOWS\Installer\{a5081646-6e82-4da4-b0d5-a2d0af958b35}\MonAlrt.dll (file missing)
O21 - SSODL: zip - {20f35cb8-9781-4a20-a331-b4ce6392ac4d} - C:\WINDOWS\Installer\{20f35cb8-9781-4a20-a331-b4ce6392ac4d}\zip.dll (file missing)
Reboot....
=============================
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Quote:
Killall::
File::
C:\Program Files\tmp3239327.exe
C:\Program Files\tmp3233799.exe
C:\Program Files\tmp117398.exe
C:\Program Files\tmp112251.exe
C:\Program Files\tmp62950.exe
C:\Program Files\tmp56090.exe
C:\Program Files\tmp248066.exe
C:\Program Files\tmp242678.exe
C:\Program Files\tmp1074985.exe
C:\Program Files\tmp1068045.exe
C:\Program Files\tmp78793.exe
C:\Program Files\tmp73275.exe
C:\Program Files\tmp92012.exe
C:\Program Files\tmp86454.exe
C:\Program Files\antiviirus.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MonAlrt"=-
"zip"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
--------------------
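The helper's File:: list above was assembled by reading the SDFix "Files with Hidden Attributes" section and picking out the executables that stand out. The following Python is an added example (not from this thread, and not SDFix's or ComboFix's own code) that does that triage mechanically: it parses SDFix-style entries, applies the heuristics the list reflects (System+Hidden executables, files dropped straight into the Program Files root, random tmpNNNN.exe names, several executables of byte-identical size) and emits the Killall::/File:: part of a CFScript for the high-confidence hits. The sample lines are constructed in the log's format, and the heuristics and the two-reason threshold are this example's own assumptions, not the tools' logic.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input in the format of SDFix's "Files with Hidden Attributes"
# section (values modelled on, not copied from, the log in this thread).
SAMPLE_LOG = r"""
Wed 12 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp1068045.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp3233799.exe"
Thu 13 Mar 2008 16,644 ..SHR --- "C:\Program Files\tmp56090.exe"
Sun 8 Jul 2007 145,920 A.SHR --- "C:\Program Files\InstantAdminV2\Setup.exe"
Fri 24 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 13 Jun 2007 95,232 ...H. --- "C:\Documents and Settings\My Documents\~WRL3766.tmp"
"""

# One entry: weekday, day, month, year, size with thousands separators, a five
# column attribute field (A archive, S system, H hidden, R read-only, '.' unset;
# the second column is left unused here), a '---' separator and the quoted path.
ENTRY_RE = re.compile(
    r'^(\w{3}) (\d{1,2}) (\w{3}) (\d{4}) ([\d,]+) ([A-Z.]{5}) --- "(.+)"$'
)


def parse_entries(text: str) -> List[Dict]:
    """Turn the SDFix section into dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        weekday, day, month, year, size, attrs, path = m.groups()
        entries.append({
            "date": f"{weekday} {day} {month} {year}",
            "size": int(size.replace(",", "")),
            "attrs": {c for c in attrs if c != "."},
            "path": path,
        })
    return entries


def flag_suspicious(entries: List[Dict]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries matching the triage heuristics.

    Heuristics (this example's assumptions, mirroring what the helper picked
    out of the log): System+Hidden executables, executables dropped straight
    into the Program Files root, random tmpNNNN.exe names, and several
    executables of byte-identical size (one payload re-written under new names).
    """
    exe_sizes = Counter(
        e["size"] for e in entries if e["path"].lower().endswith(".exe")
    )
    findings: Dict[str, List[str]] = {}
    for e in entries:
        path = e["path"]
        parent, _, name = path.rpartition("\\")
        is_exe = name.lower().endswith(".exe")
        reasons = []
        if is_exe and {"S", "H"} <= e["attrs"]:
            reasons.append("executable with System+Hidden attributes")
        if is_exe and parent.lower() == r"c:\program files":
            reasons.append("executable placed directly in the Program Files root")
        if re.fullmatch(r"tmp\d+\.exe", name, re.IGNORECASE):
            reasons.append("random tmpNNNN.exe name")
        if is_exe and exe_sizes[e["size"]] > 1:
            reasons.append(
                f"same size ({e['size']} bytes) as {exe_sizes[e['size']] - 1} other executable(s)"
            )
        if reasons:
            findings[path] = reasons
    return findings


def build_cfscript(findings: Dict[str, List[str]], min_reasons: int = 2) -> str:
    """Emit the Killall::/File:: part of a CFScript for high-confidence hits.

    Single-reason hits are left out for an analyst to review by hand; the
    Registry:: section is not generated because it needs the ComboFix log.
    """
    paths = sorted(p for p, r in findings.items() if len(r) >= min_reasons)
    return "\n".join(["Killall::", "", "File::", *paths]) + "\n"


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    hits = flag_suspicious(parsed)
    for path, reasons in hits.items():
        print(path)
        for reason in reasons:
            print("   -", reason)
    print(build_cfscript(hits))
```

On the sample input the three tmpNNNN.exe files collect all four reasons and land in the File:: block, InstantAdminV2\Setup.exe is reported on the System+Hidden rule alone and is left for a human to judge, and the hidden .bak and ~WRL*.tmp files (normal Office and DRM artefacts) are not flagged.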
TG
new user
Reg'd: Wed
Posts: 7
ComboFix 08-03-13.2 - rn 2008-03-17 19:07:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT 0:00]
Running from: C:\Documents and Settings\rn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rn\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Program Files\antiviirus.exe
C:\Program Files\tmp1068045.exe
C:\Program Files\tmp1074985.exe
C:\Program Files\tmp112251.exe
C:\Program Files\tmp117398.exe
C:\Program Files\tmp242678.exe
C:\Program Files\tmp248066.exe
C:\Program Files\tmp3233799.exe
C:\Program Files\tmp3239327.exe
C:\Program Files\tmp56090.exe
C:\Program Files\tmp62950.exe
C:\Program Files\tmp73275.exe
C:\Program Files\tmp78793.exe
C:\Program Files\tmp86454.exe
C:\Program Files\tmp92012.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\tmp1068045.exe
C:\Program Files\tmp1074985.exe
C:\Program Files\tmp112251.exe
C:\Program Files\tmp117398.exe
C:\Program Files\tmp242678.exe
C:\Program Files\tmp248066.exe
C:\Program Files\tmp3233799.exe
C:\Program Files\tmp3239327.exe
C:\Program Files\tmp56090.exe
C:\Program Files\tmp62950.exe
C:\Program Files\tmp73275.exe
C:\Program Files\tmp78793.exe
C:\Program Files\tmp86454.exe
C:\Program Files\tmp92012.exe
----- BITS: Possible infected sites -----
hxxp://assist.talktalk.net
.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.
2008-03-13 20:04 . 2008-03-13 20:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 20:04 . 2008-03-13 20:42 <DIR> d-------- C:\SDFix
2008-03-11 19:06 . 2008-03-11 19:06 <DIR> d-------- C:\Documents and Settings\sh\Application Data\Grisoft
2008-03-11 12:39 . 2008-03-11 19:36 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-11 12:38 . 2008-03-11 12:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-11 12:38 . 2008-03-11 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 20:33 . 2008-03-10 20:33 <DIR> d-------- C:\Documents and Settings\rn\Application Data\Grisoft
2008-03-10 20:32 . 2008-03-10 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-10 20:32 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 22:04 . 2008-03-09 22:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 22:04 . 2008-03-09 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-02 14:52 . 2008-03-02 14:53 <DIR> d-------- C:\Documents and Settings\rn\Application Data\uTorrent
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Program Files\uTorrent
2008-02-29 18:56 . 2008-03-02 15:04 <DIR> d-------- C:\Documents and Settings\sh\Application Data\uTorrent
2008-02-17 02:10 . 2008-02-17 02:10 1,877,057 --a------ C:\TEMP\MyFontsOrder1011967.zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 07:20 --------- d-----w C:\Documents and Settings\rn\Application Data\AdobeUM
2008-03-16 22:35 8,224 ----a-w C:\Documents and Settings\rn\Application Data\GDIPFONTCACHEV1.DAT
2008-03-15 18:51 --------- d-----w C:\Documents and Settings\rn\Application Data\FileZilla
2008-03-14 18:57 --------- d-----w C:\Documents and Settings\sh\Application Data\Skype
2008-03-09 22:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-16 17:43 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-02-16 17:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-16 17:38 --------- d-----w C:\Program Files\Bonjour
2008-02-16 17:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-03 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 18:17 19,300 ----a-w C:\9780955569821.zip
2008-01-28 20:35 --------- d-----w C:\Program Files\Microsoft Works
2008-01-28 20:32 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-20 18:48 --------- d-----w C:\Program Files\TalkTalk
2008-01-20 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-03-25 18:19 83,392 ----a-w C:\Documents and Settings\sh\Application Data\GDIPFONTCACHEV1.DAT
2007-01-15 15:34 678,682 ----a-w C:\Documents and Settings\rn\Application Data\unins000.exe
2007-01-15 15:34 19,127 ----a-w C:\Documents and Settings\rn\Application Data\unins000.dat
2005-05-25 06:42 266 ---h--w C:\Program Files\desktop.ini
2005-05-25 06:42 11,079 ---h--w C:\Program Files\folder.htt
2003-01-13 10:20 278,528 ------w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2005-07-14 12:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 15:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-02-28 13:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-13_22.09.11.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-17 19:16:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
- 2008-03-13 20:24:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ac.dat
+ 2008-03-14 07:03:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 18:26 188416]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 15:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 15:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 15:50 86016]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 15:24 1732608]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 14:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
"LWBKEYBOARD"="C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe" [2005-01-28 10:23 387584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-19 17:14 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-06-20 00:30 107008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 09:33 202016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-25 18:58:05 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-01-10 21:57:49 327765]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-06-20 22:05:21 962667]
eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-07-17 21:53:03 612352]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 00:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView5\NkvMon.exe [2005-05-25 06:31:44 233472]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-07-15 18:52:25 806912]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Macromedia\\FreeHand 10\\FreeHand 10.exe"=
"C:\\Downloads\\eMule0.47c\\eMule0.47c\\emule.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 11:49]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);"C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk []
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);"C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk []
S3 Aldtc50piss;Aldtc50piss;C:\WINDOWS\system32\drivers\nwlnkspx.sys [2001-08-23 12:00]
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [2003-04-01 09:23]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 Drmels5s;Drmels5s;C:\WINDOWS\system32\ntoskrnl.exe [2007-02-28 09:10]
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 11:49]
S3 ham50;Intel V92 HaM Data Fax Voice;C:\WINDOWS\system32\DRIVERS\IntelH51.sys [2001-10-12 09:48]
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 15:44]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-08-02 14:42]
.
Contents of the 'Scheduled Tasks' folder
"2006-01-14 08:31:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1128667665.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-17 19:19:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:40:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-03-17 19:47:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 19:47:26
ComboFix2.txt 2008-03-13 22:10:07
.
2008-03-14 09:01:02 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:04, on 17/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rn\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://www.ie-cards.com/flashplayer.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ip6flrrv - Intel Corporation - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

-- End of file - 12789 bytes
Pancake
HijackThis Helper
Reg'd: Sat
Posts: 1257
Loc: Victoria,Australia