06-09-2008, 06:32 AM   #4
WTFman
Registered User
 
Join Date: Jun 2008
Posts: 5
OS: WinXP Pro


Re: Virus (logs included)

Quote:
Originally Posted by tetonbob View Post
And where did this executable file come from?
Downloaded from a questionable source. Was a dumb mistake especially considering my IT background. I'll blame the alcohol. ;)

Attached is the ComboFix log (log.txt) and a new HijackThis log (hijackthis.log.txt - attachment manager said that the filename without the .txt was invalid... dunno why).

Thanks for your help!


EDIT: At first glance, it appears that the explorer closing issue has either been resolved or greatly reduced (no issues since I ran ComboFix approx. 20 minutes ago, which is a vast improvement). I'll update with status when I get home from work, but so far... so good!

ComboFix 08-06-08.8 - Nighthawk 2008-06-09 8:11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2888 [GMT -4:00]
Running from: C:\Download\Virus\ComboFix.exe
Command switches used :: C:\Download\Virus\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqrsqq.dll
C:\WINDOWS\system32\BayGQqru.ini
C:\WINDOWS\system32\BayGQqru.ini2
C:\WINDOWS\system32\byXQGYrR.dll
C:\WINDOWS\system32\GgOVvyay.ini
C:\WINDOWS\system32\GgOVvyay.ini2
C:\WINDOWS\system32\GPXHOUvw.ini
C:\WINDOWS\system32\GPXHOUvw.ini2
C:\WINDOWS\system32\hgiOYJjl.ini
C:\WINDOWS\system32\hgiOYJjl.ini2
C:\WINDOWS\system32\iifFWOGV.dll
C:\WINDOWS\system32\jiRuvGgh.ini
C:\WINDOWS\system32\jiRuvGgh.ini2
C:\WINDOWS\system32\ljJDWNGY.dll
C:\WINDOWS\system32\ljJYOigh.dll
C:\WINDOWS\system32\NqYyJkkj.ini
C:\WINDOWS\system32\NqYyJkkj.ini2
C:\WINDOWS\system32\opAaIRqr.ini
C:\WINDOWS\system32\opAaIRqr.ini2
C:\WINDOWS\system32\qqsrqtwa.ini
C:\WINDOWS\system32\qqsrqtwa.ini2
C:\WINDOWS\system32\rqRIaApo.dll
C:\WINDOWS\system32\rqRKEWPf.dll
C:\WINDOWS\system32\RrYGQXyb.ini
C:\WINDOWS\system32\RrYGQXyb.ini2
C:\WINDOWS\system32\RsDeNXbc.ini
C:\WINDOWS\system32\RsDeNXbc.ini2
C:\WINDOWS\system32\stCfikkj.ini
C:\WINDOWS\system32\stCfikkj.ini2
C:\WINDOWS\system32\urqQGyaB.dll
C:\WINDOWS\system32\uuFLnnmp.ini
C:\WINDOWS\system32\uuFLnnmp.ini2
C:\WINDOWS\system32\VGOWFfii.ini
C:\WINDOWS\system32\VGOWFfii.ini2
C:\WINDOWS\system32\wvUOHXPG.dll
C:\WINDOWS\system32\xxbdfMoq.ini
C:\WINDOWS\system32\xxbdfMoq.ini2
C:\WINDOWS\system32\yayvVOgG.dll
C:\WINDOWS\system32\yayYQGAS.dll
C:\WINDOWS\system32\YGNWDJjl.ini
C:\WINDOWS\system32\YGNWDJjl.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-06 07:15 . 2008-06-06 07:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 07:14 . 2008-06-06 07:14 <DIR> d-------- C:\Deckard
2008-06-05 07:09 . 2008-06-05 07:15 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 05:57 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-03 05:56 . 2008-06-04 07:05 <DIR> d-------- C:\Documents and Settings\Rich\Application Data\HouseCall 6.6
2008-06-02 20:14 . 2008-06-02 20:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-06-02 20:11 . 2008-06-02 20:11 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-02 20:09 . 2008-06-02 20:10 153 --a------ C:\WINDOWS\wininit.ini
2008-06-01 12:37 . 2008-06-01 12:37 <DIR> d-------- C:\Documents and Settings\Rich\Application Data\Move Networks
2008-05-31 12:35 . 2008-05-31 12:36 <DIR> d-------- C:\Documents and Settings\Rich\Application Data\ACD Systems
2008-05-31 12:34 . 2008-05-31 12:34 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 12:34 . 2008-05-31 12:34 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-31 12:34 . 2008-05-31 12:34 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-31 12:34 . 2008-05-31 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-28 06:45 . 2008-05-28 06:45 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-05-27 21:23 . 2008-05-27 21:23 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-21 19:10 . 2008-05-21 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-21 18:03 . 2008-06-04 08:34 <DIR> d-------- C:\Age of Conan
2008-05-21 17:18 . 2008-05-31 00:36 <DIR> d-------- C:\Pictures
2008-05-10 10:20 . 2008-05-10 10:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-10 10:20 . 2008-05-10 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 05:13 . 2008-05-10 05:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 12:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-09 12:00 --------- d-----w C:\Program Files\mIRC
2008-06-01 21:18 --------- d-----w C:\Documents and Settings\Rich\Application Data\uTorrent
2008-06-01 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-31 16:35 --------- d-----w C:\Program Files\Thumbs6
2008-05-31 13:08 --------- d-----w C:\Program Files\Safari
2008-05-30 11:46 --------- d-----w C:\Program Files\AnyDVD
2008-05-26 01:57 --------- d-----w C:\Program Files\Trillian
2008-05-19 11:31 --------- d-----w C:\Program Files\uTorrent
2008-05-15 00:45 --------- d-----w C:\Documents and Settings\Rich\Application Data\Apple Computer
2008-05-08 01:38 --------- d-----w C:\Program Files\Ad-Aware 2007
2008-05-07 11:46 --------- d-----w C:\Program Files\EPSON Print CD
2008-05-06 00:13 --------- d-----w C:\Program Files\coverXP
2008-05-05 23:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 23:26 --------- d-----w C:\Program Files\EPSON
2008-05-05 11:36 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-05-05 11:36 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-05-04 02:17 17,144 ----a-w C:\Documents and Settings\Rich\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 02:05 --------- d-----w C:\Program Files\VobBlanker
2008-04-16 14:50 --------- d-----w C:\Program Files\QuickTime
2008-04-16 14:50 --------- d-----w C:\Program Files\iTunes
2008-04-16 14:50 --------- d-----w C:\Program Files\iPod
2008-04-16 14:41 --------- d-----w C:\Program Files\Apple Software Update
.

------- Sigcheck -------

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2003-03-31 08:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-05-05 07:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-05 07:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8390EDF-2603-4BDD-A9EB-328A4C7AA1BA}]
C:\WINDOWS\system32\jkkJyYqN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\AnyDVD\AnyDVDtray.exe" [2008-05-28 07:10 2120640]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"\\ALLYS\EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [2006-05-19 04:00 139264]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 05:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 08:44 36864]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidSetup.exe" [2006-10-30 08:44 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-28 17:52 8531968]
"nwiz"="nwiz.exe" [2007-10-28 17:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-28 17:52 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 18:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 20:49 125632]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Rich\Start Menu\Programs\Startup\
mIRC.lnk - C:\Program Files\mIRC\mirc.exe [2007-11-01 15:57:24 2076672]
Tardis.lnk - C:\Program Files\Tardis2000\Tardis.exe [2007-12-21 23:46:35 291328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Tardis2000\\Tardis.exe"=
"C:\\Games\\UO\\client.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\World Of Warcraft\\WoW-2.3.3.7799-to-2.4.0.8089-enUS-downloader.exe"=
"C:\\World Of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2008-01-02 10:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 12:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 08:15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\ALLYS\\EPSON Stylus Photo R260 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBNA.EXE /FU \"C:\\DOCUME~1\\Rich\\LOCALS~1\\Temp\\E_S122.tmp\" /EF \"HKCU\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-09 8:20:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 12:20:41

Pre-Run: 39,302,840,320 bytes free
Post-Run: 39,290,425,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

219 --- E O F --- 2008-05-28 01:21:09



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:49 AM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mnm.manheim.com/webvpn.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D8390EDF-2603-4BDD-A9EB-328A4C7AA1BA} - C:\WINDOWS\system32\jkkJyYqN.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\ALLYS\EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\DOCUME~1\Rich\LOCALS~1\Temp\E_S122.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O4 - Startup: Tardis.lnk = C:\Program Files\Tardis2000\Tardis.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197915538656
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C0A01-6285-4004-BCC9-BCEE1F391774}: NameServer = 205.152.0.20,207.69.188.185
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8520 bytes
Attached Files
log.txt (12.9 KB)
hijackthis.log.txt (8.3 KB)

Last edited by tetonbob; 06-09-2008 at 06:55 AM.
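The logs in this post show three things a triager would normally check by hand: in the ComboFix "Other Deletions" block, most of the random eight-letter DLLs have a companion .ini/.ini2 whose name is the DLL name spelled backwards (awtqrsqq.dll and qqsrqtwa.ini, byXQGYrR.dll and RrYGQXyb.ini, and so on); the HijackThis O2 line lists a nameless BHO whose DLL is already gone (jkkJyYqN.dll, "file missing"), and NqYyJkkj.ini in the deletion list is exactly that name reversed; and the Sigcheck block shows that the live tcpip.sys and its dllcache copy share an MD5 that matches none of the patch or service-pack backups on the machine. The script below is an added example, not part of the forum post or of either tool: it parses excerpts copied from the logs above (embedded as constructed sample input) and automates those three checks. The regex for "random" names (eight ASCII letters) is an assumption drawn from the names in this log, and a tcpip.sys hash with no matching backup means "unknown build", not "malicious".

```python
"""Triage helpers for ComboFix / HijackThis text logs (added example, not from the post)."""
import re
from collections import defaultdict

# Constructed sample input: excerpts copied from the ComboFix "Other Deletions" block.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\awtqrsqq.dll
C:\WINDOWS\system32\BayGQqru.ini
C:\WINDOWS\system32\BayGQqru.ini2
C:\WINDOWS\system32\byXQGYrR.dll
C:\WINDOWS\system32\NqYyJkkj.ini
C:\WINDOWS\system32\NqYyJkkj.ini2
C:\WINDOWS\system32\qqsrqtwa.ini
C:\WINDOWS\system32\qqsrqtwa.ini2
C:\WINDOWS\system32\RrYGQXyb.ini
C:\WINDOWS\system32\urqQGyaB.dll
"""

# Constructed sample input: two O2 lines copied from the HijackThis log.
HJT_O2_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D8390EDF-2603-4BDD-A9EB-328A4C7AA1BA} - C:\WINDOWS\system32\jkkJyYqN.dll (file missing)
"""

# Constructed sample input: four lines copied from the ComboFix Sigcheck block.
SIGCHECK = r"""
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-05-05 07:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-05 07:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
"""

# Assumption: the "random" names in this log are exactly eight ASCII letters.
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")


def _stem_ext(path):
    """Split 'C:\\dir\\Name.ext' into ('Name', 'ext') with the extension lower-cased."""
    stem, _, ext = path.rsplit("\\", 1)[-1].partition(".")
    return stem, ext.lower()


def reversed_name_pairs(deletions):
    """Pair each random-named .dll with the .ini/.ini2 files whose stem is its name reversed.

    Returns (pairs, orphans): pairs maps dll stem -> sorted list of matching ini file
    names; orphans lists ini stems whose reversed partner .dll is not in the list.
    """
    dlls, inis = set(), defaultdict(list)
    for line in deletions.splitlines():
        if not line.strip():
            continue
        stem, ext = _stem_ext(line.strip())
        if not RANDOM_STEM.match(stem):
            continue
        if ext == "dll":
            dlls.add(stem)
        elif ext in ("ini", "ini2"):
            inis[stem].append(f"{stem}.{ext}")
    pairs = {d: sorted(inis[d[::-1]]) for d in dlls if d[::-1] in inis}
    orphans = sorted(s for s in inis if s[::-1] not in dlls)
    return pairs, orphans


O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def suspicious_bhos(hjt_text):
    """Return (clsid, dll file name, reasons) for O2 entries that look like infection leftovers."""
    hits = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        stem, ext = _stem_ext(m["path"])
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("no name")
        if m["missing"]:
            reasons.append("file missing")
        if RANDOM_STEM.match(stem) and "\\system32\\" in m["path"].lower():
            reasons.append("random 8-letter name in system32")
        if reasons:
            hits.append((m["clsid"], f"{stem}.{ext}", reasons))
    return hits


# Path fragments that mark Windows' own backup copies of a patched file.
BACKUP_MARKERS = ("$hf_mig$", "$ntuninstall", "$ntservicepackuninstall$", "servicepackfiles")


def live_hashes_without_backup(sigcheck_text):
    """Return live copies (under drivers\\ or dllcache\\) whose MD5 matches no backup copy."""
    backup_hashes, live = set(), []
    for line in sigcheck_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        md5, path = parts[3], " ".join(parts[4:])
        if any(marker in path.lower() for marker in BACKUP_MARKERS):
            backup_hashes.add(md5)
        elif "\\drivers\\" in path.lower() or "\\dllcache\\" in path.lower():
            live.append((md5, path))
    return [path for md5, path in live if md5 not in backup_hashes]


if __name__ == "__main__":
    pairs, orphans = reversed_name_pairs(COMBOFIX_DELETIONS)
    print("dll -> reversed-name ini pairs:", pairs)
    print("ini stems with no partner dll (reversed):", [(s, s[::-1]) for s in orphans])
    print("suspicious BHOs:", suspicious_bhos(HJT_O2_LINES))
    print("live tcpip.sys copies matching no backup:", live_hashes_without_backup(SIGCHECK))
```

Run as-is to see the three reports; the orphan list prints NqYyJkkj next to its reversal jkkJyYqN, which is the very DLL the O2 line reports as missing, so the two logs corroborate each other. To use it on a full log, paste the whole "Other Deletions" block, all O2 lines, and the Sigcheck block into the three sample strings.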