Thread: Constant pop-ups virtumonde?
View Single Post
Old 01-16-2008, 06:23 PM   #5 (permalink)
codaclub
Registered User
 
Join Date: Jan 2008
Posts: 11
OS: XP


Re: Constant pop-ups virtumonde?
The first time I ran combofix, I had some strange dialog boxes popped up trying to run some dlls and the computer restarted, but when it came back up, I reran combofix and the log is attached and pasted below:

ComboFix Log:

ComboFix 08-01-17.3 - Codalt 2008-01-17 16:48:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.142 [GMT -8:00]
Running from: C:\Documents and Settings\Codalt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\egtjhmhv.ini
C:\WINDOWS\system32\eqpwxeln.dll
C:\WINDOWS\system32\fnsfiesy.ini
C:\WINDOWS\system32\gfnwbmis.ini
C:\WINDOWS\system32\ikaeqhut.ini
C:\WINDOWS\system32\k11962346601.exe
C:\WINDOWS\system32\kmhucmuo.ini
C:\WINDOWS\system32\knipcjpb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\puaryjyw.ini
C:\WINDOWS\system32\pyjidwmr.ini
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\rex2\monidnpr3.exe
C:\WINDOWS\system32\rnacyeyd.ini
C:\WINDOWS\system32\ujvydmyw.ini
C:\WINDOWS\system32\wjvetvva.ini
C:\WINDOWS\system32\yqllwvfd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR




((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-16 15:54 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-16 15:54 . 2007-11-29 14:45 211 --a------ C:\Boot.bak
2008-01-16 15:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 15:21 . 2008-01-14 16:20 <DIR> d-------- C:\VundoFix Backups
2008-01-11 15:57 . 2008-01-14 15:39 15,565 --a------ C:\WINDOWS\BMdb0bcd58.xml
2008-01-11 15:56 . 2008-01-14 15:45 22 --a------ C:\WINDOWS\pskt.ini
2008-01-09 12:43 . 2008-01-09 12:43 <DIR> d-------- C:\Deckard
2008-01-09 12:16 . 2008-01-09 12:16 <DIR> d-------- C:\Documents and Settings\Codalt\.housecall6.6
2008-01-09 11:52 . 2008-01-09 11:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 14:42 . 2008-01-04 14:42 <DIR> d-------- C:\Program Files\MSECache
2008-01-03 16:21 . 2008-01-15 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-03 16:20 . 2008-01-03 16:31 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-03 14:59 . 2008-01-17 16:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-03 14:59 . 2008-01-03 14:59 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 15:30 . 2007-12-18 15:30 <DIR> d-------- C:\Program Files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-28 09:58 --------- d-----w C:\Program Files\McAfee
2007-11-28 09:58 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-11-28 09:57 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-28 09:55 --------- d-----w C:\Program Files\Symantec
2007-11-28 09:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 09:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 03:10 --------- d-----w C:\Documents and Settings\Codalt\Application Data\Digidesign
2007-11-19 19:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Symantec
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-08-03 00:46 187,904 --sha-r C:\WINDOWS\Q29kYWx0\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\Q29kYWx0\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\Q29kYWx0\kZ64sqUX.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-09-24 16:00 4861952]
"nwiz"="nwiz.exe" [2003-09-24 16:00 323584 C:\WINDOWS\system32\nwiz.exe]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 15:01 86073]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 10:20 88363 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-30 18:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-30 18:23 614400]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 17:00 126976]
"TPSMain"="TPSMain.exe" [2003-09-04 17:49 274432 C:\WINDOWS\system32\TPSMain.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"TFncKy"="TFncKy.exe" []
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 12:21 159744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15 271672]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 09:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 12:23 139264]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 09:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"TFNF5"="TFNF5.exe" [2003-07-18 17:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 01:04 4393096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 08:04 54936]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
00THotkey.exe [2003-04-15 19:01:28]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-09-11 08:23:10]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2006-02-14 23:31 61440 C:\Program Files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-02-14 23:29]
R0 MDFSYSNT;MacDrive file system driver;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2007-07-31 14:54]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2007-02-28 10:15]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 13:55]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 16:38]
S2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys []
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-02-14 22:17]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2006-05-11 09:48]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 08:03]
S4 8241298F;8241298F;C:\WINDOWS\system32\5A98B511.EXE []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ec35b65-96da-11dc-b4f8-00042379d5ac}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 22:43:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-03 18:19:48 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1188753479.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-18 01:04:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-18 00:35:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 16:55:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-01-17 17:08:29
ComboFix-quarantined-files.txt 2008-01-18 01:08:25
.
2008-01-16 22:51:35 --- E O F ---


~~~~~~~~~~~~~~~~~

Hijack this log

~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:34 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: 00THotkey.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1188148836729
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188521347596
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11141 bytes
Attached Files
File Type: txt ComboFix.txt (11.1 KB, 0 views)
File Type: txt hijackthis.txt (10.9 KB, 0 views)
codaclub is offline