VinnyLonga
new user
A couple days ago I downloaded a file, and I'm almost sure it had a virus in it, because my PC started acting up immediately. As soon as it downloaded, Windows crashed, and would not boot up. I eventually got it to boot in safe mode, which is what I'm running right now. When I try to boot it normally, everything loads, but after about 2 minutes, it freezes and doesn't respond to anything. I use my PC mostly for college, and I have some online work due next week, so this is a VERY bad time for it to crash on me. I'm running Vista Home Premium. Thanks for any help you can give me. Here's my Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:44 PM, on 1/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Vinny\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=5...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F3 - REG:win.ini: load=C:\Windows\system32\byxxx.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D727A85-8D42-4996-B627-1734E1A06CC8} - C:\Windows\system32\byxxx.dll
O2 - BHO: (no name) - {D02323D6-7D6E-4792-AB62-82CCEE3B3EBD} - C:\Windows\system32\byxxx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfca.dll,#1
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://thisgen268.proboards49.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: crypt32set - \\fuwarxyus.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Unknown owner - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

-- End of file - 7485 bytes
John_McKenna
HijackThis Helper
Hmmm...a few nasties there I see.
Reboot into Safe Mode WITH NETWORKING and download ComboFix from any of these links to your DESKTOP:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Before you begin, close any open browsers. Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
You should have normal mode back after running this tool but please try and stay off the net as much as possible until I've given you the all clear. If possible, use another computer to read this topic. DO NOT under any circumstances use this machine for anything sensitive such as banking, eBay or PayPal transactions for the moment.
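To show what "a few nasties" means in terms a reader can check for themselves, here is an added Python triage pass (editor's illustration, not code from this thread or from HijackThis) that parses HijackThis-style entries and flags the kinds of items singled out above: the win.ini load= entry, the unnamed BHO in system32, the rundll32 autorun of a random-looking DLL, the Winlogon Notify package outside system32, and the unknown-owner "Microsoft" service. The sample lines are copied from the log posted above; the allowlist and the heuristics are the editor's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with a few benign ones (Adobe BHO, SDHelper, NvCplDaemon, iPod Service) left in for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\Windows\system32\byxxx.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D727A85-8D42-4996-B627-1734E1A06CC8} - C:\Windows\system32\byxxx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfca.dll,#1
O20 - Winlogon Notify: crypt32set - \\fuwarxyus.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0, F3, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(.+?\.dll)", re.IGNORECASE)

# Hypothetical allowlist of DLLs commonly launched through rundll32 on this kind of
# HP/nVidia laptop; a real triage tool would use a much larger, maintained list.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll", "oobefldr.dll"}


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def _last_field(body: str) -> str:
    # HijackThis separates name, CLSID/owner and path with " - "; the path comes last.
    return body.rsplit(" - ", 1)[-1].strip()


def check_entry(code: str, body: str) -> Optional[str]:
    """Heuristic checks (editor's own, not HijackThis rules). Returns a reason or None."""
    if code == "F3" and "load=" in body:
        # win.ini load= is a legacy autostart that modern legitimate software does not use.
        target = body.split("load=", 1)[1].strip()
        if target:
            return "legacy win.ini load= autostart pointing at " + target
    elif code == "O2" and body.startswith("BHO: (no name)"):
        # Unnamed BHOs exist legitimately (SDHelper), but not ones dropped into system32.
        if _in_system32(_last_field(body)):
            return "unnamed Browser Helper Object loading a DLL from system32"
    elif code == "O4":
        m = RUNDLL_RE.search(body)
        if m and _basename(m.group(1)) not in KNOWN_RUNDLL_TARGETS:
            return "rundll32 autorun of unrecognised DLL " + _basename(m.group(1))
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon notification packages normally live in system32; a root-relative
        # path such as \\fuwarxyus.dll is the pattern seen in the log above.
        path = _last_field(body)
        if not _in_system32(path):
            return "Winlogon Notify package outside system32: " + path
    elif code == "O23" and "Unknown owner" in body:
        # A service with no publisher whose binary sits in system32 deserves a look,
        # especially when its display name borrows a vendor's name.
        if _in_system32(_last_field(body)):
            return "unknown-owner service running from system32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and return the entries the heuristics flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blank lines
        reason = check_entry(m.group("code"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the five entries the helper goes on to remove and stays silent on the nVidia, Spybot, Adobe and Apple items.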
VinnyLonga
new user
I ran combofix; still the same results when I try to boot in normal mode. After 2 minutes, it freezes. So, I ran it in safe mode. Here is the report. And thanks so much for the speedy response!
ComboFix 08-01-23.1C - Vinny 2008-01-23 18:40:16.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.621 [GMT -7:00]
Running from: C:\Users\Vinny\Desktop\ComboFix(2).exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\{3C24F~1
C:\Program Files\Common Files\{6C24F~1
C:\Program Files\Common Files\{6C24F~2
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\sks~1
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler .exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outerinfo
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outerinfo\Terms.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\temp\tn3
C:\Windows\system32\bund1
C:\Windows\system32\bund1\ClientBundle1.exe
C:\Windows\system32\bund1\temp.txt
C:\Windows\system32\byxxx.dll
C:\Windows\system32\byxxx.exe
C:\Windows\system32\msvcrtd.exe
C:\Windows\System32\xxxyb.ini
C:\Windows\System32\xxxyb.ini2

Code:
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> QooBox
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe ---> QooBox
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\QuickTime\QTTask .exe ---> QooBox
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe ---> QooBox

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\msupdate
-------\LEGACY_CORE

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-23 18:17 . 2000-08-31 08:00 51,200 --a------ C:\Windows\Nircmd.exe
2008-01-23 12:36 . 2008-01-23 12:36 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-01-23 11:10 . 2008-01-23 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-22 16:20 . 2008-01-22 16:56 58,368 --a------ C:\fypif.exe
2008-01-22 16:20 . 2008-01-22 16:56 53,760 --a------ C:\fuwarxyus.dll
2008-01-22 16:20 . 2008-01-22 16:56 8,704 --a------ C:\ttgkdaab.exe
2008-01-22 16:20 . 2008-01-22 16:56 2 --a------ C:\1814364089
2008-01-17 23:29 . 2008-01-23 14:27 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-17 23:29 . 2008-01-17 23:29 1,409 --a------ C:\Windows\QTFont.for
2008-01-17 23:28 . 2008-01-17 23:28 <DIR> d-------- C:\Program Files\iPod
2008-01-17 23:27 . 2008-01-23 18:22 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt17.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata17.sqm
2008-01-15 12:55 . 2008-01-15 12:55 <DIR> d-------- C:\Program Files\LiteralMath
2008-01-15 12:18 . 2008-01-15 12:19 <DIR> d-------- C:\Program Files\Lava Lamp
2008-01-15 09:02 . 2008-01-15 09:02 244 --ah----- C:\sqmnoopt19.sqm
2008-01-15 09:02 . 2008-01-15 09:02 232 --ah----- C:\sqmdata19.sqm
2008-01-14 22:04 . 2008-01-14 22:04 244 --ah----- C:\sqmnoopt16.sqm
2008-01-14 22:04 . 2008-01-14 22:04 232 --ah----- C:\sqmdata16.sqm
2008-01-14 12:31 . 2008-01-14 12:31 244 --ah----- C:\sqmnoopt15.sqm
2008-01-14 12:31 . 2008-01-14 12:31 232 --ah----- C:\sqmdata15.sqm
2008-01-13 23:45 . 2008-01-13 23:45 244 --ah----- C:\sqmnoopt14.sqm
2008-01-13 23:45 . 2008-01-13 23:45 232 --ah----- C:\sqmdata14.sqm
2008-01-13 10:11 . 2008-01-13 10:11 244 --ah----- C:\sqmnoopt13.sqm
2008-01-13 10:11 . 2008-01-13 10:11 232 --ah----- C:\sqmdata13.sqm
2008-01-13 00:33 . 2008-01-13 00:33 244 --ah----- C:\sqmnoopt12.sqm
2008-01-13 00:33 . 2008-01-13 00:33 232 --ah----- C:\sqmdata12.sqm
2008-01-12 16:37 . 2008-01-12 16:37 244 --ah----- C:\sqmnoopt11.sqm
2008-01-12 16:37 . 2008-01-12 16:37 232 --ah----- C:\sqmdata11.sqm
2008-01-12 16:28 . 2008-01-12 16:28 <DIR> d-------- C:\Program Files\Wimba
2008-01-11 18:09 . 2008-01-11 18:09 <DIR> d-------- C:\Program Files\BatteryMon
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-09 03:04 . 2008-01-09 03:04 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 03:04 . 2008-01-09 03:04 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 03:04 . 2008-01-09 03:04 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 03:04 . 2008-01-09 03:04 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 03:04 . 2008-01-09 03:04 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 03:01 . 2008-01-09 03:01 11,776 --a------ C:\Windows\System32\sbunattend.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:22 --------- d-----w C:\Program Files\iTunes
2008-01-23 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-01-23 14:48 142,927,236 ----a-w C:\Windows\DUMPcaad.tmp
2008-01-23 14:21 143,304,068 ----a-w C:\Windows\DUMPcba7.tmp
2008-01-15 07:52 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-09 10:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-02 10:11 --------- d-----w C:\Program Files\DivX
2007-12-18 08:43 --------- d-----w C:\Program Files\Sony
2007-12-18 08:42 --------- d-----w C:\Program Files\Sony Setup
2007-12-16 21:53 --------- d-----w C:\Program Files\Skype
2007-12-16 21:53 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-13 10:14 --------- d-----w C:\Program Files\Azureus
2007-12-13 04:42 --------- d-----w C:\Program Files\Twoopy Entertainment
2007-12-12 10:04 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 10:03 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 10:03 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 10:03 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 10:03 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 10:02 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 10:02 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 10:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 10:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 10:02 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 10:02 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 10:01 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 10:01 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-29 22:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-11-26 22:46 --------- d-----w C:\Program Files\DVD Decrypter
2007-11-06 20:36 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-03-06 04:20 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-05-05 04:08 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-09-17 21:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007091720070918\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Vinny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-10-19 15:41:08 10215424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{49D63E18-33B1-46F2-82C2-39431FB94794}"= C:\Windows\system32\khfca.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
\\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 01:44]
S2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-01-30 12:23]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-17 09:20]
S3 DfuUsb;DfuUsb;C:\Windows\system32\DRIVERS\DFUUsb.sys [2001-11-27 15:46]
S3 RDID1027;EDIROL PCR;C:\Windows\system32\Drivers\rdwm1027.sys [2006-09-27 21:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{340b1aa0-c997-11db-8c14-001636e26919}]
\shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{862bfbb4-2b43-11dc-ada0-001636e26919}]
\shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 21:49:24 C:\Windows\Tasks\At1.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At2.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At3.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2008-01-06 12:47:04 C:\Windows\Tasks\HPCeeScheduleForVinny.job" - C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
"2008-01-24 01:29:15 C:\Windows\Tasks\User_Feed_Synchronization-{4E081438-8024-48D9-882B-676CD8FE0F81}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 18:47:00
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 18:50:08 - machine was rebooted [Vinny]
ComboFix-quarantined-files.txt 2008-01-24 01:50:04
.
2008-01-18 18:31:10 --- E O F ---
VinnyLonga
new user
Oh, and here's my new Hijack This! log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:15 PM, on 1/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Users\Vinny\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=5...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://thisgen268.proboards49.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: crypt32set - \\fuwarxyus.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Unknown owner - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

-- End of file - 5277 bytes
John_McKenna
HijackThis Helper
Open notepad (Start > Run and type notepad) and copy/paste the text in the quote box below to it:
Code:
KillAll::

File::
C:\fypif.exe
C:\fuwarxyus.dll
C:\ttgkdaab.exe
C:\1814364089
C:\Windows\DUMPcaad.tmp
C:\Windows\DUMPcba7.tmp

ADS::
C:\windows\system32

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{49D63E18-33B1-46F2-82C2-39431FB94794}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
Save this as "CFScript"

Referring to the picture above, drag CFScript into ComboFix.exe
Run ComboFix again and post the resultant log file please.
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.
Let me know if normal mode functionality is restored please.
VinnyLonga
new user
I created the CFScript, and dropped it into Combofix. It ran and restarted. My PC booted into normal mode, and froze again before Combo Fix could produce a report. So, I rebooted in safe mode, ran Combofix again, and hit F8 when it restarted, which booted it into safe mode again. Once in safe mode, Combofix created a log. Here's the Combofix and Hijack This log:
ComboFix 08-01-23.1C - Vinny 2008-01-23 19:28:16.4 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.620 [GMT -7:00]
Running from: C:\Users\Vinny\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\1814364089
C:\fuwarxyus.dll
C:\fypif.exe
C:\ttgkdaab.exe
C:\Windows\DUMPcaad.tmp
C:\Windows\DUMPcba7.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\LEGACY_CORE

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-23 19:18 . 2008-01-23 19:33 36,864 --a------ C:\Windows\System32\umstartup000.etl
2008-01-23 19:18 . 2008-01-23 19:33 0 --------- C:\Windows\System32\umstartup.etl
2008-01-23 18:17 . 2000-08-31 08:00 51,200 --a------ C:\Windows\Nircmd.exe
2008-01-23 12:36 . 2008-01-23 12:36 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-01-23 11:10 . 2008-01-23 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-17 23:29 . 2008-01-23 14:27 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-17 23:29 . 2008-01-17 23:29 1,409 --a------ C:\Windows\QTFont.for
2008-01-17 23:28 . 2008-01-17 23:28 <DIR> d-------- C:\Program Files\iPod
2008-01-17 23:27 . 2008-01-23 18:22 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt17.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata17.sqm
2008-01-15 12:55 . 2008-01-15 12:55 <DIR> d-------- C:\Program Files\LiteralMath
2008-01-15 12:18 . 2008-01-15 12:19 <DIR> d-------- C:\Program Files\Lava Lamp
2008-01-15 09:02 . 2008-01-15 09:02 244 --ah----- C:\sqmnoopt19.sqm
2008-01-15 09:02 . 2008-01-15 09:02 232 --ah----- C:\sqmdata19.sqm
2008-01-14 22:04 . 2008-01-14 22:04 244 --ah----- C:\sqmnoopt16.sqm
2008-01-14 22:04 . 2008-01-14 22:04 232 --ah----- C:\sqmdata16.sqm
2008-01-14 12:31 . 2008-01-14 12:31 244 --ah----- C:\sqmnoopt15.sqm
2008-01-14 12:31 . 2008-01-14 12:31 232 --ah----- C:\sqmdata15.sqm
2008-01-13 23:45 . 2008-01-13 23:45 244 --ah----- C:\sqmnoopt14.sqm
2008-01-13 23:45 . 2008-01-13 23:45 232 --ah----- C:\sqmdata14.sqm
2008-01-13 10:11 . 2008-01-13 10:11 244 --ah----- C:\sqmnoopt13.sqm
2008-01-13 10:11 . 2008-01-13 10:11 232 --ah----- C:\sqmdata13.sqm
2008-01-13 00:33 . 2008-01-13 00:33 244 --ah----- C:\sqmnoopt12.sqm
2008-01-13 00:33 . 2008-01-13 00:33 232 --ah----- C:\sqmdata12.sqm
2008-01-12 16:37 . 2008-01-12 16:37 244 --ah----- C:\sqmnoopt11.sqm
2008-01-12 16:37 . 2008-01-12 16:37 232 --ah----- C:\sqmdata11.sqm
2008-01-12 16:28 . 2008-01-12 16:28 <DIR> d-------- C:\Program Files\Wimba
2008-01-11 18:09 . 2008-01-11 18:09 <DIR> d-------- C:\Program Files\BatteryMon
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-09 03:04 . 2008-01-09 03:04 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 03:04 . 2008-01-09 03:04 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 03:04 . 2008-01-09 03:04 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 03:04 . 2008-01-09 03:04 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 03:04 . 2008-01-09 03:04 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 03:01 . 2008-01-09 03:01 11,776 --a------ C:\Windows\System32\sbunattend.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:22 --------- d-----w C:\Program Files\iTunes
2008-01-23 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-01-15 07:52 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-09 10:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-02 10:11 --------- d-----w C:\Program Files\DivX
2007-12-18 08:43 --------- d-----w C:\Program Files\Sony
2007-12-18 08:42 --------- d-----w C:\Program Files\Sony Setup
2007-12-16 21:53 --------- d-----w C:\Program Files\Skype
2007-12-16 21:53 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-13 10:14 --------- d-----w C:\Program Files\Azureus
2007-12-13 04:42 --------- d-----w C:\Program Files\Twoopy Entertainment
2007-12-12 10:04 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 10:03 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 10:03 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 10:03 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 10:03 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 10:02 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 10:02 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 10:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 10:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 10:02 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 10:02 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 10:01 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 10:01 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-29 22:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-11-26 22:46 --------- d-----w C:\Program Files\DVD Decrypter
2007-11-06 20:36 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-03-06 04:20 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-05-05 04:08 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-09-17 21:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007091720070918\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-01-23_18.49.40.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 01:46:06 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-01-24 02:33:55 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-01-24 01:17:47 217,088 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 02:12:50 217,088 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 01:17:47 212,992 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
+ 2008-01-24 02:12:50 212,992 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
- 2008-01-24 01:17:47 2,949,120 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 02:12:50 2,949,120 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 01:17:47 3,158,016 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 02:12:51 3,178,496 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 01:28:16 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-24 02:20:38 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-24 01:46:38 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-24 02:34:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-24 01:28:16 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-24 02:20:28 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-24 01:46:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-24 02:34:37 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-24 02:34:37 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-01-24 01:35:58 7,050 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2672107303-2960508132-1344352591-1000_UserData.bin
+ 2008-01-24 01:59:04 7,074 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2672107303-2960508132-1344352591-1000_UserData.bin
- 2008-01-24 01:35:58 63,892 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-24 01:59:04 63,940 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-23 19:12:26 44,878 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-24 01:58:59 44,878 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Vinny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-10-19 15:41:08 10215424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 01:44]
S2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-01-30 12:23]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-17 09:20]
S3 DfuUsb;DfuUsb;C:\Windows\system32\DRIVERS\DFUUsb.sys [2001-11-27 15:46]
S3 RDID1027;EDIROL PCR;C:\Windows\system32\Drivers\rdwm1027.sys [2006-09-27 21:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{340b1aa0-c997-11db-8c14-001636e26919}]
\shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{862bfbb4-2b43-11dc-ada0-001636e26919}]
\shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 21:49:24 C:\Windows\Tasks\At1.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At2.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At3.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2008-01-06 12:47:04 C:\Windows\Tasks\HPCeeScheduleForVinny.job" - C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
"2008-01-24 01:58:34 C:\Windows\Tasks\User_Feed_Synchronization-{4E081438-8024-48D9-882B-676CD8FE0F81}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:34:54
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 19:38:06 - machine was rebooted [Vinny]
ComboFix-quarantined-files.txt 2008-01-24 02:38:02
ComboFix2.txt 2008-01-24 01:50:08
.
2008-01-18 18:31:10 --- E O F ---
And the Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:51 PM, on 1/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Vinny\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=5...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://thisgen268.proboards49.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Unknown owner - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5155 bytes
Once again, thanks for the quickness of your replies. Much appreciated!
John_McKenna
HijackThis Helper
Reg'd: Wed
Posts: 7413
Loc: England
I've just noticed that you don't have any anti-virus software or firewall software installed!!
We'll leave the firewall for the moment but please download and install the trial version of Kaspersky Anti-Virus 7.0. Update the definitions and run a full system scan (in SAFE MODE) quarantining anything it finds. Post the scan results when done please.
To post the log file.....
Double click the K in the tray icon and the Kaspersky Option window will open.
Look to the lower left hand pane for the Info Pane.
You have a pair of arrows to scroll through all the details.
Scroll and find "All threats have been successfully neutralized"
Click Details and wait for the next window to open.
Once it's opened, click Save As and another window will appear.
Select to save this report to your Desktop and then name the report Kav.txt and then click Save.
A new small window should appear and show the progress then disappear when completed.
Default Settings should save this as a txt file.
Screenshot http://webpages.charter.net/cretemonster/KavSave.JPG
These steps should generate Kav.txt on your desktop.
If you just so happened to try to save your report without the .txt extension, just find the file you saved and right click it, choose rename and rename it kav.txt and it should then be a readable, pastable report.
VinnyLonga
new user
Reg'd: Fri
Posts: 15
I've been trying for the last 3 hours to install Kaspersky, and I can't. I can't run Windows Installer in safe mode. I tried the command line trick, and it didn't work. I tried the exe file that's supposed to automatically enable Windows Installer, and it didn't work. I tried selective mode with only Windows Installer, and I got an error that was a paragraph long; which I tried to copy but could not (I even typed the whole thing out in Notepad in selective start mode, only to find a blank Notepad doc when I rebooted in safe mode). I'm very frustrated. Frustrated at Windows, that is. I still really appreciate your time, and after checking out your website, I have no idea how you have time for all of this. Please help!
VinnyLonga
new user
Reg'd: Fri
Posts: 15
OK, I stepped away for a bit and regained my cool. Here's the exact error I get when I'm in selective start mode trying to install Kaspersky 7.0:
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action InstallDriverKlim6X86, location: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\KLIM6X86\netconfig.exe, command: -g klim6 -l "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\KLMX86\klim6.inf" -t "C:\Program Files\Kaspersky Lab\...\klm6.cat" -z klm6.cat -c s -n kl_klim6 -i
I installed Kaspersky SOS 6.0 successfully. I'll do a scan and post the report when it's done.
VinnyLonga
new user
Reg'd: Fri
Posts: 15
The report Kaspersky 6.0 created after the first scan was a bit over 65 megs. It listed every file on my PC. So, I copied the first part of the report which seems to be what it detected and disinfected. Here it is:
Scan
----
Scanned: 484535
Detected: 64
Untreated: 0
Start time: 1/27/2008 1:40:29 PM
Duration: 04:26:34
Finish time: 1/27/2008 6:07:03 PM
Signatures published: 1/27/2008 10:21:46 AM
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.Murlo.ji File: C:\Program Files\Mozilla Firefox\crack.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Program Files\Skype\Phone\Skype.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Program Files\Wimba\Pronto\pronto.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\QooBox\Quarantine\catchme2008-01-23_183351.75.zip/byxxx.dll
deleted: Trojan program Trojan-Spy.Win32.Delf.axf File: C:\QooBox\Quarantine\C\fuwarxyus.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.Small.huv File: C:\QooBox\Quarantine\C\fypif.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\issch.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask .exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\QuickTime\QTTask.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Program Files\Synaptics\SynTP\SynTPEnh.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\ProgramData\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe.vir
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\QooBox\Quarantine\C\Windows\System32\byxxx.exe.vir
deleted: Trojan program Backdoor.Win32.Agent.alm File: C:\QooBox\Quarantine\C\Windows\System32\msvcrtd.exe.vir
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0002
deleted: adware not-a-virus:AdWare.Win32.Agent.co File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0003
deleted: Trojan program Trojan.Win32.BHO.ab File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0004
deleted: adware not-a-virus:AdWare.Win32.SurfSide.ax File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0005
deleted: Trojan program Trojan-Dropper.Win32.Agent.bfr File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0006
deleted: adware not-a-virus:AdWare.Win32.ZenoSearch.o File: C:\QooBox\Quarantine\C\Windows\System32\bund1\ClientBundle1.exe.vir//data0007
deleted: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\431e7381-70c60d89/BaaaaBaa.class
deleted: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\431e7381-70c60d89/VaaaaaaaBaa.class
deleted: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\431e7381-70c60d89/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\760104c1-64872d3c
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-38468f40/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-38468f40/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-38468f40/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-5941d950/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-5941d950/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-5941d950/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\5c8ae323-2bb5c687/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\5c8ae323-2bb5c687/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\5c8ae323-2bb5c687/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2a97bce8-7448becc/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2a97bce8-7448becc/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2a97bce8-7448becc/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6d768e69-7fe071a7/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6d768e69-7fe071a7/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6d768e69-7fe071a7/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\1b2ee72a-71fb6cb3/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\1b2ee72a-71fb6cb3/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\1b2ee72a-71fb6cb3/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\69a48f37-13eb6be6/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\69a48f37-13eb6be6/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\69a48f37-13eb6be6/Baaaaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3cd9d33a-789288f2/BaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3cd9d33a-789288f2/VaaaaaaaBaa.class
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3cd9d33a-789288f2/Baaaaa.class
deleted: malware Exploit.Java.ByteVerify File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\5001e5fb-3da04ac5/BlackBox.class
deleted: malware Exploit.Java.ByteVerify File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\5001e5fb-3da04ac5/VerifierBug.class
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.aa File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\5001e5fb-3da04ac5/Beyond.class
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\Users\Vinny\Desktop\backups\backup-20080123-133331-776.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dyx File: C:\Users\Vinny\Desktop\backups\backup-20080123-133351-222.dll
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\2bf1fe15-38468f40
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-5941d950
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\5c8ae323-2bb5c687
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2a97bce8-7448becc
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6d768e69-7fe071a7
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\1b2ee72a-71fb6cb3
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\69a48f37-13eb6be6
disinfected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\Vinny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3cd9d33a-789288f2
Also, here is the last part of the report:
Statistics
----------
Object            Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archives  Packed files  Password protected  Corrupted
------            -------  --------  ---------  -------  -------------------  --------  ------------  ------------------  ---------
All objects        484535        64          0       26                    0      4145           478                  81          2
Documents           34990         0          0        0                    0        29             1                   3          0
Mailboxes               0         0          0        0                    0         0             0                   0          0
Local Disk (C:)    449466        64          0       26                    0      4116           477                  78          2
HP_RECOVERY (D:)       79         0          0        0                    0         0             0                   0          0
CD Drive (E:)           0         0          0        0                    0         0             0                   0          0
Settings
--------
Parameter                                                           Value
---------                                                           -----
Security Level                                                      Recommended
Action                                                              Prompt for action when the scan is complete
Run mode                                                            Manually
File types                                                          Scan all files
Scan only new and changed files                                     No
Scan archives                                                       All
Scan embedded OLE objects                                           All
Skip if object is larger than                                       No
Skip if scan takes longer than                                      No
Parse email formats                                                 No
Scan password-protected archives                                    No
Enable iChecker technology                                          Yes
Enable iSwift technology                                            Yes
Record information about dangerous objects to program statistics    Yes
I also did the CFScript process again and when ComboFix rebooted, I booted it in safe mode so it created a log file. Here it is:
ComboFix 08-01-23.1C - Vinny 2008-01-28 3:50:01.6 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.652 [GMT -7:00]
Running from: C:\Users\Vinny\Desktop\ComboFix.exe
Command switches used :: C:\Users\Vinny\Desktop\CFScript.txt

FILE
C:\1814364089
C:\fuwarxyus.dll
C:\fypif.exe
C:\ttgkdaab.exe
C:\Windows\DUMPcaad.tmp
C:\Windows\DUMPcba7.tmp
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 ))))))))))))))))))))))))))))))) .
2008-01-28 03:33 . 2008-01-28 03:56 3,072 --a------ C:\Windows\System32\umstartup000.etl
2008-01-27 13:23 . 2008-01-27 13:23 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-24 00:17 . 2008-01-27 12:53 <DIR> d-------- C:\kav
2008-01-23 23:18 . 2008-01-27 13:20 1,581,088 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-01-23 23:18 . 2008-01-27 13:20 15,812 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-01-23 18:17 . 2000-08-31 08:00 51,200 --a------ C:\Windows\Nircmd.exe
2008-01-23 12:36 . 2008-01-23 12:36 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-01-23 11:10 . 2008-01-23 11:10 <DIR> d-------- C:\VundoFix Backups
2008-01-17 23:29 . 2008-01-23 14:27 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-17 23:29 . 2008-01-17 23:29 1,409 --a------ C:\Windows\QTFont.for
2008-01-17 23:28 . 2008-01-17 23:28 <DIR> d-------- C:\Program Files\iPod
2008-01-17 23:27 . 2008-01-23 18:22 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 244 --ah----- C:\sqmnoopt17.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata18.sqm
2008-01-15 20:00 . 2008-01-15 20:00 232 --ah----- C:\sqmdata17.sqm
2008-01-15 12:55 . 2008-01-15 12:55 <DIR> d-------- C:\Program Files\LiteralMath
2008-01-15 12:18 . 2008-01-15 12:19 <DIR> d-------- C:\Program Files\Lava Lamp
2008-01-15 09:02 . 2008-01-15 09:02 244 --ah----- C:\sqmnoopt19.sqm
2008-01-15 09:02 . 2008-01-15 09:02 232 --ah----- C:\sqmdata19.sqm
2008-01-14 22:04 . 2008-01-14 22:04 244 --ah----- C:\sqmnoopt16.sqm
2008-01-14 22:04 . 2008-01-14 22:04 232 --ah----- C:\sqmdata16.sqm
2008-01-14 12:31 . 2008-01-14 12:31 244 --ah----- C:\sqmnoopt15.sqm
2008-01-14 12:31 . 2008-01-14 12:31 232 --ah----- C:\sqmdata15.sqm
2008-01-13 23:45 . 2008-01-13 23:45 244 --ah----- C:\sqmnoopt14.sqm
2008-01-13 23:45 . 2008-01-13 23:45 232 --ah----- C:\sqmdata14.sqm
2008-01-13 10:11 . 2008-01-13 10:11 244 --ah----- C:\sqmnoopt13.sqm
2008-01-13 10:11 . 2008-01-13 10:11 232 --ah----- C:\sqmdata13.sqm
2008-01-13 00:33 . 2008-01-13 00:33 244 --ah----- C:\sqmnoopt12.sqm
2008-01-13 00:33 . 2008-01-13 00:33 232 --ah----- C:\sqmdata12.sqm
2008-01-12 16:37 . 2008-01-12 16:37 244 --ah----- C:\sqmnoopt11.sqm
2008-01-12 16:37 . 2008-01-12 16:37 232 --ah----- C:\sqmdata11.sqm
2008-01-12 16:28 . 2008-01-12 16:28 <DIR> d-------- C:\Program Files\Wimba
2008-01-11 18:09 . 2008-01-11 18:09 <DIR> d-------- C:\Program Files\BatteryMon
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-09 03:04 . 2008-01-09 03:04 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 03:04 . 2008-01-09 03:04 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 03:04 . 2008-01-09 03:04 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 03:04 . 2008-01-09 03:04 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 03:04 . 2008-01-09 03:04 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 03:01 . 2008-01-09 03:01 11,776 --a------ C:\Windows\System32\sbunattend.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:22 --------- d-----w C:\Program Files\iTunes
2008-01-23 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-01-15 07:52 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-09 10:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-02 10:11 --------- d-----w C:\Program Files\DivX
2007-12-18 08:43 --------- d-----w C:\Program Files\Sony
2007-12-18 08:42 --------- d-----w C:\Program Files\Sony Setup
2007-12-16 21:53 --------- d-----w C:\Program Files\Skype
2007-12-16 21:53 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-13 10:14 --------- d-----w C:\Program Files\Azureus
2007-12-13 04:42 --------- d-----w C:\Program Files\Twoopy Entertainment
2007-12-12 10:04 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 10:03 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 10:03 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 10:03 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 10:03 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 10:02 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 10:02 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 10:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 10:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 10:02 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 10:02 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 10:01 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 10:01 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-29 22:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-11-06 20:36 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-03-06 04:20 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-03-06 04:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-05-05 04:08 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-05-05 04:08 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-09-17 21:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007091720070918\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-01-23_18.49.40.31 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-24 01:46:06 67,584 --s-a-w C:\Windows\bootstat.dat + 2008-01-28 10:56:16 67,584 --s-a-w C:\Windows\bootstat.dat - 2008-01-24 01:17:47 217,088 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT + 2008-01-28 10:49:56 217,088 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT - 2008-01-24 01:17:47 212,992 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT + 2008-01-28 10:49:56 212,992 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT - 2008-01-24 01:17:47 2,949,120 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT + 2008-01-28 10:49:56 2,949,120 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT - 2008-01-24 01:17:47 3,158,016 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat + 2008-01-28 10:49:57 3,178,496 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat - 2008-01-24 01:28:16 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat + 2008-01-28 10:35:12 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat - 2008-01-24 01:46:38 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-01-28 10:56:39 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - 2008-01-24 01:28:16 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat + 2008-01-28 10:35:31 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat - 2008-01-24 01:46:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-01-28 10:56:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-01-28 10:56:39 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 - 2008-01-24 01:17:57 262,144 ----a-w 
C:\Windows\System32\config\systemprofile\ntuser.dat + 2008-01-28 02:29:19 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat + 2008-01-24 04:47:44 4,280 ----a-w C:\Windows\System32\networklist\icons\{F8FFA1A5-273C-4BC1-8897-CA4FEC25F673}_32.bin + 2008-01-24 04:47:44 9,560 ----a-w C:\Windows\System32\networklist\icons\{F8FFA1A5-273C-4BC1-8897-CA4FEC25F673}_48.bin - 2008-01-24 01:35:58 7,050 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2672107303-2960508132-1344352591-1000_UserData.bin + 2008-01-28 02:40:06 7,446 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2672107303-2960508132-1344352591-1000_UserData.bin - 2008-01-24 01:35:58 63,892 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2008-01-28 02:40:05 64,116 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin - 2008-01-23 19:12:26 44,878 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2008-01-28 02:39:56 44,878 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 02:45 222208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Vinny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-10-19 15:41:08 10215424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 01:44]
S2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-01-30 12:23]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-17 09:20]
S3 DfuUsb;DfuUsb;C:\Windows\system32\DRIVERS\DFUUsb.sys [2001-11-27 15:46]
S3 RDID1027;EDIROL PCR;C:\Windows\system32\Drivers\rdwm1027.sys [2006-09-27 21:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{340b1aa0-c997-11db-8c14-001636e26919}]
\shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{862bfbb4-2b43-11dc-ada0-001636e26919}]
\shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 21:49:24 C:\Windows\Tasks\At1.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At2.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2007-10-01 21:49:24 C:\Windows\Tasks\At3.job" - C:\Users\Vinny\Desktop\Look2Me-Destroyer.exe
"2008-01-06 12:47:04 C:\Windows\Tasks\HPCeeScheduleForVinny.job" - C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
"2008-01-28 10:35:10 C:\Windows\Tasks\User_Feed_Synchronization-{4E081438-8024-48D9-882B-676CD8FE0F81}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 03:57:01
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 4:00:10 - machine was rebooted [Vinny]
ComboFix-quarantined-files.txt 2008-01-28 11:00:06
ComboFix2.txt 2008-01-24 02:38:07
ComboFix3.txt 2008-01-24 01:50:08
.
2008-01-18 18:31:10 --- E O F ---