SamaraMorgan
  1. Good :) Yes, that's great. Although it doesn't seem to be showing up anymore, at least I know it can be turned off if it does appear again. Thanks so much, and I'm sorry for taking up so much of your time.
  2. It just says help, restore & options, but it shows up now. When I clicked on options to close, it said I was closing the Language Bar.
     SmitFraudFix v2.424
     Scan done at 14:03:45.46, Sat 09/26/2009
     Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
     OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
     The filesystem type is NTFS
     Fix run in safe mode
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 2:21:19 PM, on 9/26/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal
  3. No, it doesn't have a mark or anything. Thank you so much for your tips, especially the Firefox add-ons; I've bookmarked the post to refer to it later. After I updated everything, the buttons seem to be working now, but I'm not sure what it is that fixed them. Also, I just got a message from Spybot; I can't remember what it was, but it said it deleted something. I checked the log and this is what it said:
     9/25/2009 8:44:47 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
     9/25/2009 8:44:47 PM Encountered and terminated Smitfraud-C. in C:\WINDOWS\system32\ctfmon.exe!
     9/25/2009 8:48:51 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
     9/25/2009 8:52:39 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
     9/25/2009 8:54:55 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
     And something came up next to the taskbar (Language bar?) and now I just have a blank space next to it. It's a Microsoft Office thing, right? Can Office be uninstalled, since I don't use it at all?
  4. I opened the task manager but it's not there. I also went to the site but they don't have my keyboard model #. But it's OK if it can't be fixed; I can live with it. My main concern was the viruses/spyware/etc.
  5. The icons seem to come and go when I restart; they all appeared last time I restarted, but now only some show up. And now I have a problem with the buttons for volume/copy/etc. on the keyboard. When the computer starts, a message comes up and says zHotkey has a problem and needs to close. How do I restart it? Is this absolutely necessary? I know I have the installation CD, but it's buried away somewhere and I don't think I'll be able to find it soon enough.
  6. Yes, I'm sorry, I went back and did the rest in the order you posted. It seems to be OK; the pop-ups are gone, but only some of the taskbar icons came back.
  7. I also needed to ask you if any of these viruses or the programs can interfere with the taskbar, because most of the icons have disappeared, including the antivirus/firewall icon, but when I open the task manager I can see that they're there. Or is it being caused by something I did?
  8. I'm sorry, the scan took a very long time.
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Monday, September 21, 2009
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Tuesday, September 22, 2009 01:08:17
     Records in database: 2867443
     Scan settings:
       Scan using the following database: extended
       Scan archives: yes
       Scan e-mail databases: yes
     Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\
     Scan statistics:
       Objects scanned: 137872
       Threats found: 4
       Infected objects found: 7
       Suspicious objects found: 1
       Scan duration: 03:35:09
     File name / Threat / Threats count
       C:\Program Files\CA\eTrust PestPatrol\Quarantine\20060318021741.zip  Suspicious: Password-protected-EXE  1
       C:\QooBox\Quarantine\C\WINDOWS\system32\burolage.dll.vir  Infected: not-a-virus:AdWare.Win32.Virtumonde.balk  1
       C:\QooBox\Quarantine\C\WINDOWS\system32\godobovo.dll.vir  Infected: not-a-virus:AdWare.Win32.Virtumonde.balk  1
       C:\QooBox\Quarantine\C\WINDOWS\system32\vizamemu.dll.vir  Infected: not-a-virus:AdWare.Win32.Virtumonde.balk  1
       C:\WINDOWS\system32\venijija.dll  Infected: not-a-virus:AdWare.Win32.Virtumonde.balk  1
       C:\_OTM\MovedFiles\09202009_155244\windows\system32\delekuwu.dll  Infected: Trojan-Downloader.Win32.Agent.bqxc  1
       C:\_OTM\MovedFiles\09202009_155244\windows\system32\giwovumo.dll  Infected: Trojan-Downloader.Win32.Agent.bqxc  1
       D:\i386\Apps\App17981\comps\toolbar\toolbr.exe  Infected: not-a-virus:AdWare.Win32.SearchIt.t  1
     Selected area has been scanned.
     ========== FILES ==========
     DllUnregisterServer procedure not found in c:\windows\system32\venijija.dll
     c:\windows\system32\venijija.dll NOT unregistered.
     c:\windows\system32\venijija.dll moved successfully.
     ========== COMMANDS ==========
     OTM by OldTimer - Version 3.0.0.6 log created on 09212009_234930
  9. ROOTREPEAL © AD, 2007-2009
     Scan Start Time: 2009/09/21 19:35
     Program Version: Version 1.3.5.0
     Windows Version: Windows XP Media Center Edition SP3
0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x863833d0 Size: 99 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_CREATE] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_CLOSE] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_POWER] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_PNP] Process: System Address: 0x8674c1d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_CREATE] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_CLOSE] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, 
IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_POWER] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: mraid35x, IRP_MJ_PNP] Process: System Address: 0x867561d8 Size: 463 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_READ] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL] 
Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_POWER] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x863837f8 Size: 99 Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x865061d8 Size: 463 Object: Hidden Code [Driver: 
usbohci, IRP_MJ_CREATE] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP] Process: System Address: 0x864f0980 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x8675d1d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_CREATE] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_CLOSE] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code 
[Driver: symc8xx, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_POWER] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: symc8xx, IRP_MJ_PNP] Process: System Address: 0x867511d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_CREATE] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_CLOSE] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_POWER] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: ultra, IRP_MJ_PNP] Process: System Address: 0x8674b1d8 Size: 463 Object: Hidden Code [Driver: aic78u2, IRP_MJ_CREATE] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_CLOSE] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_POWER] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: aic78u2, IRP_MJ_PNP] Process: System Address: 0x867521d8 Size: 432 Object: Hidden Code [Driver: dac960nt, IRP_MJ_CREATE] Process: 
System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_CLOSE] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_POWER] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: dac960nt, IRP_MJ_PNP] Process: System Address: 0x8675b1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_CREATE] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_CLOSE] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_POWER] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: adpu160m, IRP_MJ_PNP] Process: System Address: 0x8674a1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x867cb1d8 
Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x867cb1d8 Size: 463 Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLOSE] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_READ] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_WRITE] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_EA] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_EA] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8641f608 Size: 99 Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x8641f608 Size: 99 Object: H==EOF==
  10. C:\ComboFix\ folder yes C:\qoobox\quarantined_files.txt <-- is this file present? If so -- please post its contents. How about c:\Combofix\combofix.txt <-- is it here? C:\qoobox\ComboFix2.txt C:\qoobox\ComboFix3.txt no
  11. I think I did something wrong on the second step of your previous post because I didn't get any log and I got an error when it restarted. Should I continue with the next steps?
  12. http://www.virustotal.com/analisis/1ae91ec...e7a0-1253565715
  13. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:28:34 PM, on 9/20/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal
  14. I got this when the computer restarted:
Error loading c:\windows\system32\jonefede.dll The specified module could not be found.
Error loading burolage.dll The specified module could not be found.
ComboFix 09-09-18.02 - Owner 09/20/2009 22:56.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.287 [GMT -4:00]
  15. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:25:38 PM, on 9/20/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dllhost.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\zHotkey.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe 
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! 
IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA 
Anti-Virus\CAVRID.exe" O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm O8 - Extra context menu item: Download Link Using Mega Manager... 
- C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216976191806
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O20 - AppInit_DLLs: c:\windows\system32\delekuwu.dll,giwovumo.dll
O21 - SSODL: risapulak - {1ee4190c-6fbc-4fdb-9c34-8402079914d6} - c:\windows\system32\delekuwu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {1ee4190c-6fbc-4fdb-9c34-8402079914d6} - c:\windows\system32\delekuwu.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: CT Device Query service (CTDevice_Srv) - Unknown owner - C:\Program Files\Creative\Shared Files\CTDevSrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Owner\My Documents\martha\icons\mine\naomi.png

-- End of file - 13557 bytes
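Added example, not part of the posted log or of any reply in this thread: a small Python triage script that parses the O20, O21, O22 and O23 lines of a HijackThis log in the format shown above and flags the entries a helper would look at first (a populated AppInit_DLLs value, shell hooks pointing at a missing or generated-looking DLL in system32, one CLSID reused across hooks, services whose binary is gone). The sample lines are copied from the log above; the function names `parse_entries` and `find_suspicious` and the gibberish-name rule are this example's own choices, and the name rule is a heuristic assumption, not a signature.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the HijackThis log above,
# not the whole log.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\delekuwu.dll,giwovumo.dll
O21 - SSODL: risapulak - {1ee4190c-6fbc-4fdb-9c34-8402079914d6} - c:\windows\system32\delekuwu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {1ee4190c-6fbc-4fdb-9c34-8402079914d6} - c:\windows\system32\delekuwu.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>O\d{1,2}) - (?P<body>.*)$")
# O21 SSODL / O22 SharedTaskScheduler: name - {CLSID} - path [(file missing)]
HOOK_RE = re.compile(
    r"^(?:SSODL|SharedTaskScheduler): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# O23 Service: display name - owner - path [(file missing)]
SVC_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Heuristic (assumption): 8-9 lowercase letters with no digits, the shape of the
# generated names in this log. It will also match some real words, so it is only
# applied to shell-hook DLLs under system32, where legitimate entries are rare.
GIBBERISH_RE = re.compile(r"^[a-z]{8,9}$")


def _basename(path):
    """Last path component, splitting on either slash (runs fine off-Windows)."""
    return re.split(r"[\\/]", path.strip())[-1]


def parse_entries(text):
    """Turn HijackThis lines into dicts; kinds we do not model keep only the raw line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        entry = {"kind": kind, "raw": raw.strip()}
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            entry["dlls"] = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        elif kind in ("O21", "O22") and (h := HOOK_RE.match(body)):
            entry.update(h.groupdict())
            entry["missing"] = bool(h.group("missing"))
        elif kind == "O23" and (s := SVC_RE.match(body)):
            entry.update(s.groupdict())
            entry["missing"] = bool(s.group("missing"))
        entries.append(entry)
    return entries


def find_suspicious(entries):
    """Return (kind, severity, reason, target) tuples for entries worth a closer look."""
    findings = []
    clsid_hooks = defaultdict(list)
    for e in entries:
        kind = e["kind"]
        if kind == "O20" and e.get("dlls"):
            # AppInit_DLLs is loaded into every process that maps user32.dll, so any
            # value at all on a home XP box deserves a look.
            for dll in e["dlls"]:
                findings.append((kind, "high", "AppInit_DLLs injection", dll))
        elif kind in ("O21", "O22") and "clsid" in e:
            clsid_hooks[e["clsid"].lower()].append(kind)
            stem = _basename(e["path"]).rsplit(".", 1)[0].lower()
            if e["missing"]:
                findings.append((kind, "high", "shell hook points at a deleted file (orphaned loader)", e["path"]))
            elif "system32" in e["path"].lower() and (GIBBERISH_RE.match(stem) or GIBBERISH_RE.match(e["name"].lower())):
                findings.append((kind, "high", "shell hook DLL with generated-looking name", e["path"]))
        elif kind == "O23" and "path" in e and e["missing"]:
            findings.append((kind, "low", "service binary missing", e["path"]))
    # One CLSID registered as both SSODL and SharedTaskScheduler is a common
    # belt-and-braces persistence layout; report it once.
    for clsid, kinds in clsid_hooks.items():
        if len(set(kinds)) > 1:
            findings.append(("O21/O22", "high", "one CLSID used by several shell hooks", clsid))
    return findings


if __name__ == "__main__":
    for kind, severity, reason, target in find_suspicious(parse_entries(SAMPLE_LOG)):
        print(f"[{severity}] {kind}: {reason} -> {target}")
```

The script is a triage aid only: it tells you which registry-backed load points to pull and inspect, and a "(file missing)" hook is still worth removing because the loader keeps trying it at every logon. Confirm each flagged entry against the live registry and on-disk file before acting on it.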