|
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
When running in IE8 ( I am on XP Home) I keep getting asked to shut down as explorer come across a fault.
I am told by Windows Live One care that i am infected with AgentByPass.gen!K yet the programme does not send it to the quarantine for me to delete and therefore when I run the virus check again I get the same report.
I am not sure if this is why I am getting the problem, perhaps someone would be kind enough to review my log, Thank You.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:16, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://virginmedia.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 10883 bytes
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
Please download ComboFix from either of these two locations
BleepingComputerComboFix
geeks to go combofix
And save it to your DESKTOP.
* Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post back with the log from ComboFix and a new HJT log please.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
 
You don't stop laughing when you get old, you get old when you stop laughing! 
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
Spyware Doctor will not allow me to run ComboFix as it state it is infected with a trojan PWS Bancos rated High.
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
disable spywaredoctor then run combofix :-
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
You don't stop laughing when you get old, you get old when you stop laughing!
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
ComboFix
ComboFix 08-03-21.1 - New 2008-03-22 12:28:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.495 [GMT 0:00]
Running from: C:\Documents and Settings\New\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\New\Application Data\.#
C:\Documents and Settings\New\Application Data\.#\MBX@C98@855C08.###
C:\Documents and Settings\New\Application Data\.#\MBX@C98@855D28.###
C:\WINDOWS\system32\iernonce.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.
2008-03-21 18:11 . 2008-03-21 18:11 3,631 --a------ C:\25.tmp
2008-03-21 18:03 . 2008-03-21 18:03 <DIR> d-------- C:\ComboFix(2)
2008-03-21 18:03 . 2008-03-21 18:03 3,631 --a------ C:\1A.tmp
2008-03-21 17:58 . 2008-03-21 17:58 3,631 --a------ C:\11.tmp
2008-03-21 17:57 . 2008-03-21 17:57 3,631 --a------ C:\10.tmp
2008-03-21 17:47 . 2008-03-21 17:47 <DIR> d-------- C:\ComboFix(1)
2008-03-21 17:47 . 2008-03-21 17:47 3,631 --a------ C:\F.tmp
2008-03-21 15:28 . 2008-03-21 15:28 <DIR> d--hs---- C:\found.000
2008-03-21 13:54 . 2008-03-21 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 15:57 . 2008-03-20 15:57 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-20 10:37 . 2008-03-20 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-20 10:35 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-03-20 10:35 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-03-20 10:34 . 2008-03-20 10:34 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-20 10:34 . 2007-07-06 15:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-03-20 10:34 . 2007-03-29 12:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-03-20 10:34 . 2007-03-29 12:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-03-20 10:30 . 2008-03-22 11:30 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-03-19 13:54 . 2008-03-20 08:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-18 12:15 . 2008-03-18 12:15 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Motive
2008-03-08 16:48 . 2008-03-08 16:48 <DIR> d-------- C:\Documents and Settings\New\Application Data\PC Tools
2008-03-08 15:38 . 2008-03-08 15:39 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 3
2008-03-08 12:52 . 2008-03-08 12:52 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-03-07 15:54 . 2008-03-07 15:57 <DIR> d-------- C:\Documents and Settings\New\Application Data\Motive
2008-03-07 15:50 . 2008-03-07 15:50 <DIR> d-------- C:\WINDOWS\Motive
2008-03-07 15:50 . 2008-03-07 15:50 <DIR> d-------- C:\Program Files\Motive
2008-03-07 15:50 . 2008-03-07 15:50 <DIR> d-------- C:\Program Files\btbb_wcm
2008-03-07 15:50 . 2008-03-07 15:51 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help
2008-03-07 15:50 . 2008-03-07 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-03-03 20:01 . 2008-03-03 20:01 142,848 --------- C:\WINDOWS\system32\IESetting.dll
2008-03-01 09:53 . 2005-11-24 19:51 245,248 --a------ C:\WINDOWS\system32\drivers\rt73.sys
2008-03-01 09:53 . 2006-05-10 21:36 196,608 --a------ C:\WINDOWS\system32\UpdateDriver.exe
2008-03-01 09:53 . 2006-07-20 19:06 525 --a------ C:\WINDOWS\system32\ucuiinfo.ini
2008-02-29 17:00 . 2008-02-29 17:00 <DIR> d-------- C:\WINDOWS\Cache
2008-02-29 17:00 . 2005-12-14 15:10 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-29 17:00 . 2005-12-14 15:08 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-29 17:00 . 2005-12-14 15:11 61,440 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-29 17:00 . 2004-03-09 09:39 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2008-02-29 16:59 . 1998-07-09 19:41 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2008-02-29 16:59 . 1998-03-04 10:40 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2008-02-26 15:24 . 2008-02-26 15:24 <DIR> d-------- C:\Program Files\MGTEK
2008-02-26 15:24 . 2008-02-26 15:24 <DIR> d-------- C:\Program Files\Common Files\MGTEK
2008-02-26 15:22 . 2008-02-26 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MGTEK
2008-02-25 20:06 . 2008-02-25 20:06 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-25 11:45 . 2008-02-25 11:45 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-02-25 11:45 . 2008-02-25 11:45 <DIR> d-------- C:\Program Files\Realtek
2008-02-25 11:45 . 2006-12-14 16:44 85,120 -ra------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-02-25 11:22 . 2008-02-25 11:22 <DIR> d-------- C:\Program Files\Realtek AC97
2008-02-25 11:11 . 2008-02-25 11:11 <DIR> d-------- C:\Documents and Settings\New\Application Data\VSRevoGroup
2008-02-24 22:04 . 2008-02-24 22:04 <DIR> d-------- C:\Program Files\PCPal
2008-02-22 05:52 . 2008-02-22 05:52 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 12:37 --------- d-----w C:\Documents and Settings\New\Application Data\Free Download Manager
2008-03-21 16:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 15:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-21 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-20 11:44 --------- d-----w C:\Program Files\Yahoo!
2008-03-20 11:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 11:43 --------- d-----w C:\Program Files\CyberLink
2008-03-20 11:25 --------- d-----w C:\Program Files\Java
2008-03-20 10:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-20 08:49 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-18 19:19 --------- d-----w C:\Program Files\Picasa2
2008-03-18 09:15 --------- d-----w C:\Program Files\Desktop Mechanic
2008-03-08 16:46 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 15:46 --------- d-----w C:\Documents and Settings\New\Application Data\MSNInstaller
2008-03-08 15:42 --------- d-----w C:\Program Files\Marble Arena
2008-03-07 16:30 --------- d-----w C:\Documents and Settings\Guest\Application Data\IEPro
2008-03-07 15:50 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-07 15:47 155,995 ----a-w C:\WINDOWS\java\Packages\KY5BZ933.ZIP
2008-03-06 10:20 --------- d-----w C:\Documents and Settings\New\Application Data\IEPro
2008-03-05 20:10 --------- d-----w C:\Program Files\Rocks'n'Diamonds
2008-03-03 20:01 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-03 20:01 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-03-03 20:01 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-03-03 19:53 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2008-03-03 19:52 41,984 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-03-03 19:52 17,920 ----a-w C:\WINDOWS\system32\corpol.dll
2008-03-03 19:51 69,120 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-03-03 19:51 69,120 ----a-w C:\WINDOWS\system32\admparse.dll
2008-03-03 19:50 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-03-03 19:50 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-03-03 19:50 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-02-29 16:59 --------- d-----w C:\Program Files\Samsung
2008-02-25 16:25 --------- d-----w C:\Program Files\PCPitstop
2008-02-25 10:41 --------- d-----w C:\Program Files\Free Download Manager
2008-02-25 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 03:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-24 22:05 --------- d--h--w C:\Documents and Settings\New\Application Data\GTek
2008-02-24 11:10 --------- d-----w C:\Program Files\iTunes
2008-02-24 11:09 --------- d-----w C:\Program Files\iPod
2008-02-11 16:21 --------- d-----w C:\Program Files\InkSaver
2008-02-11 14:48 --------- d-----w C:\Program Files\Virgin Broadband
2008-02-08 18:40 --------- d-----w C:\Documents and Settings\Guest\Application Data\Zylom Games
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\Guest\Application Data\Zylom
2008-02-08 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-02-08 18:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\MiniDm
2008-02-08 10:35 --------- d-----w C:\Program Files\IEPro
2008-02-08 10:35 --------- d-----w C:\Documents and Settings\LocalService\Application Data\IEPro
2008-02-08 10:34 --------- d-----w C:\Program Files\IE7Pro
2008-02-08 10:34 --------- d-----w C:\Documents and Settings\LocalService\Application Data\IE7Pro
2008-02-07 10:45 --------- d-----w C:\Program Files\Secunia
2008-02-07 10:32 --------- d-----w C:\Program Files\QuickTime
2008-02-07 10:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameTap
2008-02-05 15:03 --------- d-----w C:\Program Files\GameTap
2008-02-01 12:55 42,376 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-28 16:09 39,800 ----a-w C:\Documents and Settings\New\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 12:41 --------- d-----w C:\Program Files\RamBooster 2.0
2008-01-24 16:27 --------- d-----w C:\Documents and Settings\Guest\Application Data\Grisoft
2008-01-23 18:26 --------- d-----w C:\Program Files\Windows Live
2008-01-23 18:25 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-23 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-22 09:18 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
2008-01-11 11:35 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
2008-01-11 11:35 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
2008-01-11 11:35 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
2007-06-07 19:38 32,176,005 ----a-w C:\Documents and Settings\New\wmyt_win_r1.zip
2007-06-01 13:50 21,342,798 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_06_01_12_37_00_full.dmp.zip
2007-05-31 19:37 21,148,245 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_31_16_52_29_full.dmp.zip
2007-05-24 16:53 8,183,377 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_24_11_40_21_full.dmp.zip
2007-03-03 12:17 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 10:23 1365504]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2007-12-16 20:39 2449455]
"Free Upload Manager"="C:\Program Files\Free Download Manager\fum\fum.exe" [2007-07-29 19:13 253952]
"Free Uploader Oe Integration"="C:\Program Files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 18:02 40960]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2007-11-06 12:33 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"InkSaver"="C:\Program Files\InkSaver\InkSaver.exe" [2007-05-24 10:56 589824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 13:34 936960]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-25 11:22 68856]
C:\Documents and Settings\New\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2008-02-05 10:36:24 610304]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-03-07 15:50:04 217088]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^New^Start Menu^Programs^Startup^Birthday reminder check.lnk]
backup=C:\WINDOWS\pss\Birthday reminder check.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 12:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPal]
--a------ 2007-10-24 17:43 522736 C:\Program Files\PCPal\PalAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-26 01:23 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
--a------ 2007-12-05 20:49 2895600 C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-25 11:22 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-10-31 10:19 378784 C:\Program Files\TomTom HOME 2\HOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
R1 myWIFIzone;myWIFIzone Driver;C:\WINDOWS\system32\DRIVERS\myWIFIzone.sys [2005-12-22 21:45]
R2 adunidrv;UniDriver for OneCare;C:\WINDOWS\system32\DRIVERS\adunidrv.sys [2007-09-25 10:43]
R2 advproct;Microsoft Corporation Process Trigger Driver;C:\WINDOWS\system32\DRIVERS\advproct.sys [2007-09-25 12:49]
R2 PCPalSrvHost;PCPalSrvHost;"C:\Program Files\PCPal\PCPalSrvHost.exe" [2007-10-24 17:43]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-01-24 05:11]
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-01-22 09:18]
R3 snpstd2;VideoCAM Look;C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-07-28 11:49]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\OGPlanet\Albatross18\GameGuard\dump_wmimmc.sys []
S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []
S3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 09:38:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-21 15:30:07 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-02 22:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 12:38:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-22 12:39:54
ComboFix-quarantined-files.txt 2008-03-22 12:39:50
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:22, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1177238915-926492609-725345543-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest')
O4 - HKUS\S-1-5-21-1177238915-926492609-725345543-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-1177238915-926492609-725345543-501\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork (User 'Guest')
O4 - HKUS\S-1-5-21-1177238915-926492609-725345543-501\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://virginmedia.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 11159 bytes
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
that's cleaned up some files, there are still a few need removed, this should get them:-
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
You don't stop laughing when you get old, you get old when you stop laughing!
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
SDFix: Version 1.160
Run by New on 23/03/2008 at 11:13
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 12:04:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:99cf824e
"s2"=dword:b46988d9
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:e8,ae,91,da,55,4d,a3,dd,2c,f0,54,ae,ff,58,b2,9d,f4,13,56,f1,8f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:e8,ae,91,da,55,4d,a3,dd,2c,f0,54,ae,ff,58,b2,9d,f4,13,56,f1,8f,..
scanning hidden registry entries ...
source file error: C:\Documents and Settings\New\ntuser.dat
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"="C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe:*:Enabled:BT Broadband Desktop Help Browser"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 8 Mar 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 3 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 12 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 3 Nov 2006 4,348 A..H. --- "C:\Documents and Settings\New\My Documents\My Music\License Backup\drmv1key.bak"
Fri 3 Nov 2006 20 A..H. --- "C:\Documents and Settings\New\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 3 Nov 2006 400 A.SH. --- "C:\Documents and Settings\New\My Documents\My Music\License Backup\drmv2key.bak"
Thu 27 Sep 2007 7,318 A..H. --- "C:\Documents and Settings\New\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Thu 20 Mar 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch1\lock.tmp"
Thu 20 Mar 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch2\lock.tmp"
Thu 20 Mar 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch3\lock.tmp"
Thu 20 Mar 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch4\lock.tmp"
Thu 20 Mar 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch5\lock.tmp"
Finished!
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:52, on 23/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PCPal\PCPalSrvHost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://virginmedia.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCPalSrvHost - Unknown owner - C:\Program Files\PCPal\PCPalSrvHost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 10585 bytes
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
that looks clean now.
DISABLE SYSTEM RESTORE
To flush out infected restore points.
Then restart your system restore.(same page).then create a new restore point :-
click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.
this is to ensure that if you have to do a system restore in the future that you don't get all the infections reinstalled again.
Then :-
Download and scan with CCleaner - Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
- Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Then select "Cookies"
Move any cookies you wish to retain, e.g. login cookies, in the left-hand window to the right-hand window by highlighting them and clicking the right arrow in the centre.
- Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all entries in the Mozilla Firefox Section.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
- Click the "Run Cleaner" button.
- A pop up box will appear advising this process will permanently delete files from your system.
- Click "OK" and it will scan and clean your system.
- Click "exit" when done.
then DEFRAG your C:\ drive.
to help speed up your system.
then let us know how the computer is running.
HOW DID I GET INFECTED
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
You don't stop laughing when you get old, you get old when you stop laughing!
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
Thank you Bricat - done all the above - will report back after a day or so if all clear, before then if not.
Again a BIG THANKS 
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
you're welcome, happy to help.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
You don't stop laughing when you get old, you get old when you stop laughing!
|
Picaso
regular
Reg'd: Tue
Posts: 321
Loc: Essex
|
|
Sorry to report but I am stil having problems.
Explorer gives me the occasional "encountered an error - need to shut down" message and Windows Live Care still flags up the AgentByPass trojan.
Apart from taking the nearest chainsaw and ripping the blighter to miniscule components have you any other advice?
--------------------
A woman worries about the future until she gets a husband.
A man never worries about the future until he gets a wife.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28583
Loc: belfast
|
|
does Windows Live Care say where the trojan is ?
Please download and run the KASPERSKY ONLINE SCAN
save the log file and post it back here.
--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
You don't stop laughing when you get old, you get old when you stop laughing!
|
Picaso
regular
| |
Previous
Index
Next
Threaded
Edit
Reply
Quote
