HijackThis Log Help: Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
#1 (permalink)
Registered User
Join Date: Jul 2008
Posts: 4
OS: xp pro
hi guys
OK, I've followed the 5 steps and I am unsure what viruses I have. Can you help me in finding them, with the names, so I can post on here what my virus problems are? Thanks, Mike

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-19 16:58:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
131: 2008-07-19 15:58:55 UTC - RP131 - Deckard's System Scanner Restore Point
130: 2008-07-19 15:48:36 UTC - RP130 - Installed Windows Internet Explorer 7.
129: 2008-07-19 15:48:25 UTC - RP129 - Installed Windows IDNMitigationAPIs.
128: 2008-07-19 15:48:04 UTC - RP128 - Installed Windows NLSDownlevelMapping.
127: 2008-07-19 13:10:57 UTC - RP127 - System Checkpoint

-- First Restore Point --
1: 2008-07-05 08:13:37 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-07-19 17:00:32 Platform: Windows XP Service Pack 3 (5.01.2600) MSIE: Internet Explorer (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\McAfee\MSC\mcmscsvc.exe C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe C:\Program Files\McAfee\VirusScan\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\McAfee\VirusScan\mcsysmon.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\Documents and Settings\Administrator\Desktop\dss.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.besttoolbars.net/ R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: (no name) - {262352ee-3ec8-4f52-ad69-4826a706485c} - C:\WINDOWS\system32\rqRLbaBs.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {3f3a7a0b-e7de-4a4d-887c-c53654a80fbc} - C:\WINDOWS\system32\mojnfcqp.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: (no name) - {be7e4ce1-8cba-44a6-956f-462a667d3286} - C:\WINDOWS\system32\geBuTmND.dll O2 - BHO: Rmn plugin - {d9a7b3b6-1f8a-4cf9-a20c-bdf427dbdb4a} - jzcom32.dll (file missing) O2 - BHO: {8c4ac09d-d9cd-d979-ddb4-9653a6fda9ad} - {da9adf6a-3569-4bdd-979d-dc9dd90ca4c8} - C:\WINDOWS\system32\mgjahe.dll O2 - BHO: (no name) - {e9d62f86-a82d-496a-955f-a137679968f6} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JLSP49DN\3077ahntdksr[1].dll (file missing) O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [Microsoft Windows Sound] svshost.exe O4 - HKLM\..\Run: [BMf3a3c701] Rundll32.exe "C:\WINDOWS\system32\hcybkxpl.dll",s O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\RunServices: [Microsoft Windows Sound] svshost.exe O4 - HKCU\..\Run: [ctfmon.exe] 
C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: about://internet (HKCU) O15 - Trusted Zone: http://mcafee.com (HKCU) O15 - Trusted Zone: https://mcafee.com (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1208875785089 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: wbsys.dll O20 - Winlogon Notify: gebutmnd - C:\WINDOWS\system32\geBuTmND.dll O20 - Winlogon Notify: vtUnmJbY - C:\WINDOWS\system32\vtUnmJbY.dll (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. 
- C:\Program Files\McAfee\MPF\MpfSrv.exe O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: siteadvisor service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe -- End of file - 8165 bytes -- File Associations ----------------------------------------------------------- .bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71 .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%* .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%* .hlp - hlpfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,23 .ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69 .txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70 -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver> S1 94b55b44 - c:\windows\system32\drivers\94b55b44.sys S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows> S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe -- Device Manager: Disabled ---------------------------------------------------- Class GUID: 
{4D36E97E-E325-11CE-BFC1-08002BE10318} Description: USB Device Device ID: USB\VID_04B4&PID_8613\5&7D9C4AE&0&6 Manufacturer: Name: USB Device PNP Device ID: USB\VID_04B4&PID_8613\5&7D9C4AE&0&6 Service: -- Scheduled Tasks ------------------------------------------------------------- 2008-07-16 15:50:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 2008-07-15 02:02:27 280 --a------ C:\WINDOWS\Tasks\McDefragTask.job 2008-07-07 18:54:29 372 --a------ C:\WINDOWS\Tasks\McQcTask.job -- Files created between 2008-06-19 and 2008-07-19 ----------------------------- 2008-07-19 16:54:48 0 d-------- C:\Documents and Settings\LocalService\Desktop 2008-07-19 16:54:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-07-19 16:54:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-07-19 16:21:44 0 d-------- C:\ie-spyad_zo 2008-07-19 16:10:42 0 d-------- C:\Program Files\SpywareBlaster 2008-07-19 15:18:55 0 d-------- C:\WINDOWS\LastGood.Tmp 2008-07-19 15:18:03 0 d-------- C:\Program Files\Panda Security 2008-07-19 10:37:42 0 d-------- C:\Program Files\InterActual 2008-07-19 10:23:34 102912 --a------ C:\WINDOWS\system32\mgjahe.dll 2008-07-19 10:23:32 102912 --a------ C:\WINDOWS\system32\txyucxea.dll 2008-07-19 10:20:46 118784 --a------ C:\WINDOWS\system32\mojnfcqp.dll 2008-07-19 09:36:02 118784 --a------ C:\WINDOWS\system32\uslmqjcb.dll 2008-07-17 19:22:57 0 --a------ C:\WINDOWS\system32\miexsjdv.dll 2008-07-17 19:20:09 118784 --a------ C:\WINDOWS\system32\pvjbaxea.dll 2008-07-17 18:02:33 118784 --a------ C:\WINDOWS\system32\rtutvbvs.dll 2008-07-16 18:00:37 0 --a------ C:\WINDOWS\system32\nximzb.dll 2008-07-16 18:00:36 0 --a------ C:\WINDOWS\system32\pafvsmjm.dll 2008-07-16 13:14:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech 2008-07-16 13 09 0 d-------- C:\Program Files\Atari2008-07-15 18:02:26 0 --a------ C:\WINDOWS\system32\ezjvwg.dll 2008-07-15 09:40:40 25600 --a------ 
C:\WINDOWS\system32\geBuTmND.dll 2008-07-15 07:47:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink 2008-07-12 16:02:46 1 --a------ C:\WINDOWS\system32\rc.dat 2008-07-12 16:02:46 1 --a------ C:\WINDOWS\system32\ps1.dat 2008-07-12 15:23:25 69820 --a------ C:\WINDOWS\system32\drivers\49e156d6.sys 2008-07-12 15:20:47 69820 --a------ C:\WINDOWS\system32\drivers\66686c.sys 2008-07-12 15:20:36 45056 --a------ C:\WINDOWS\system32\jkcom32.dll <Not Verified; Gorosoft inc.; Asdam> 2008-07-12 15:19:44 0 d--hs---- C:\Documents and Settings\LocalService\Application Data\wsnpoem 2008-07-12 15:19:31 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem 2008-07-12 15:16:38 69820 --a------ C:\WINDOWS\system32\drivers\94b55b44.sys 2008-07-12 15:16:37 0 d--hs---- C:\WINDOWS\system32\wsnpoem 2008-07-12 15:16:30 22383 --a------ C:\WINDOWS\system32\sklh.dat 2008-07-12 15:16:30 45056 --a------ C:\WINDOWS\system32\jzcom32.dll <Not Verified; Gorosoft inc.; Asdam> 2008-07-12 15:16:17 286720 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL> 2008-07-12 15:16:17 143872 --a------ C:\WINDOWS\system32\NCTWMAFile.dll <Not Verified; NCT Company; NCTWMAFile ActiveX DLL> 2008-07-12 15:16:17 168448 --a------ C:\WINDOWS\system32\NCTAudioPlayer.dll <Not Verified; NCT Company; NCTAudioPlayer ActiveX DLL> 2008-07-12 15:16:17 573440 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL> 2008-07-12 15:16:16 491520 --a------ C:\WINDOWS\system32\NCTAudioFile.dll <Not Verified; NCT Company; NCTAudioFile ActiveX DLL> 2008-07-12 15:16:16 120832 --a------ C:\WINDOWS\system32\lame_enc.dll 2008-07-12 10:21:02 0 d-------- C:\Program Files\Common Files\xing shared 2008-07-12 10:20:35 0 d-------- C:\Program Files\Real 2008-07-12 10:20:28 0 d-------- C:\Program Files\Common Files\Real 2008-07-12 10:20:27 0 d-------- C:\Documents and 
Settings\Administrator\Application Data\Real 2008-07-11 21:11:42 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL 2008-07-11 20:19:42 0 --a------ C:\WINDOWS\PowerReg.dat 2008-07-07 20:29:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\McAfee 2008-07-07 18:55:40 0 d-------- C:\Program Files\SiteAdvisor 2008-07-07 18:55:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor 2008-07-07 18:54:08 0 d-------- C:\Program Files\McAfee.com 2008-07-07 18:54:03 0 d-------- C:\Program Files\Common Files\McAfee 2008-07-07 18:53:53 0 d-------- C:\Program Files\McAfee 2008-07-06 13:02:34 3702 --a------ C:\WINDOWS\system32\msupdte.exe 2008-07-06 13:02:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-05 21:21:05 103424 --a------ C:\WINDOWS\system32\lpfhdy.dll 2008-07-05 21:21:05 103424 --a------ C:\WINDOWS\system32\lhtnlvnp.dll 2008-07-05 09:13:27 606474 --ahs---- C:\WINDOWS\system32\sBabLRqr.ini2 2008-07-05 09:13:24 321024 --a------ C:\WINDOWS\system32\rqRLbaBs.dll -- Find3M Report --------------------------------------------------------------- 2008-07-19 16:04:29 0 d-------- C:\Program Files\DAEMON Tools Pro 2008-07-19 15:03:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus 2008-07-16 15:19:15 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-07-12 10:21:02 0 d-------- C:\Program Files\Common Files 2008-07-10 22:27:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire 2008-07-03 07:50:48 0 d-------- C:\Program Files\Azureus 2008-06-20 14:40:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer 2008-06-14 19:42:03 0 d-------- C:\Program Files\NAMCO BANDAI Games 2008-06-12 23:25:45 0 d-------- C:\Program Files\LucasArts 2008-06-11 17:34:48 0 d-------- C:\Program Files\Java 2008-06-08 21:31:55 0 d-------- C:\Program Files\LimeWire 2008-06-06 23:44:24 0 d-------- C:\Program Files\DivX 
2008-05-31 00:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-31 00:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-31 00:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2008-05-27 14:57:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help 2008-05-27 14:49:11 0 d-------- C:\Program Files\Hewlett-Packard 2008-05-22 23:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2008-05-22 23:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2008-05-22 23:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2008-05-22 23:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2008-05-20 19:09:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun 2008-05-13 16:29:50 6172 --a----c- C:\WINDOWS\system32\d3d9caps.dat 2008-04-24 08:45:56 1692 --a----c- C:\WINDOWS\mozver.dat 2008-04-22 23:14:43 0 -rahs---- C:\MSDOS.SYS 2008-04-22 23:14:43 0 -rahs---- C:\IO.SYS 2008-04-22 23:14:43 0 --a------ C:\CONFIG.SYS 2008-04-22 23:14:43 0 --a------ C:\AUTOEXEC.BAT 2008-04-22 23:11:12 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat 2008-04-22 16:20:42 0 --a----c- C:\WINDOWS\nsreg.dat 2008-04-22 15:55:31 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{262352ee-3ec8-4f52-ad69-4826a706485c}] 05/07/2008 09:13 321024 --a------ C:\WINDOWS\system32\rqRLbaBs.dll [HKEY_LOCAL_MACHINE\~\Browser 
Helper Objects\{3f3a7a0b-e7de-4a4d-887c-c53654a80fbc}] 19/07/2008 10:20 118784 --a------ C:\WINDOWS\system32\mojnfcqp.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be7e4ce1-8cba-44a6-956f-462a667d3286}] 15/07/2008 09:40 25600 --a------ C:\WINDOWS\system32\geBuTmND.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9a7b3b6-1f8a-4cf9-a20c-bdf427dbdb4a}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da9adf6a-3569-4bdd-979d-dc9dd90ca4c8}] 19/07/2008 10:23 102912 --a------ C:\WINDOWS\system32\mgjahe.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9d62f86-a82d-496a-955f-a137679968f6}] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JLSP49DN\3077ahntdksr[1].dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/03/2006 17:16] "nwiz"="nwiz.exe" [17/03/2006 17:16 C:\WINDOWS\system32\nwiz.exe] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/11/2007 19:12] "Microsoft Windows Sound"="svshost.exe" [] "BMf3a3c701"="C:\WINDOWS\system32\hcybkxpl.dll" [] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [24/07/2006 21:28] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] "Microsoft Windows Sound"=svshost.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{BE7E4CE1-8CBA-44A6-956F-462A667D3286}"= C:\WINDOWS\system32\geBuTmND.dll [15/07/2008 09:40 25600] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] C:\WINDOWS\System32\dimsntfy.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebutmnd] geBuTmND.dll 15/07/2008 09:40 25600 C:\WINDOWS\system32\geBuTmND.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnmJbY] vtUnmJbY.dll 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] C:\Program Files\AlienGUIse\fastload.dll 20/12/2001 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=wbsys.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLbaBs [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk] backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0072891215454304mcinstcleanup] C:\WINDOWS\TEMP\007289~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf3a3c701] Rundll32.exe "C:\WINDOWS\system32\hcybkxpl.dll",s [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey] mHotkey.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f090f49d] rundll32.exe "C:\WINDOWS\system32\dofnjhku.dll",b [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft] lass.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update] qwnuroc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Sound] svshost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mjc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Nero BackItUp Scheduler 3"=2 (0x2) "iPod Service"=3 (0x3) "idsvc"=3 (0x3) "Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] eapsvcs eaphost dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs napagent hkmsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f99e7fc-113c-11dd-a241-000b6b4d14f0}] AutoRun\command- K:\VMC_PBStarter.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f99e7fd-113c-11dd-a241-000b6b4d14f0}] autorun\command- F:\VMC_PBStarter.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcffe3-1096-11dd-a239-000b6b4d14f0}] AutoRun\command- K:\VMC_PBStarter.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcffe4-1096-11dd-a239-000b6b4d14f0}] autorun\command- F:\VMC_PBStarter.exe

*Newly Created Service* - PAVBOOT

-- Hosts -----------------------------------------------------------------------
127.0.0.1 microsoft.com

-- End of Deckard's System Scanner: finished at 2008-07-19 17:01:23 ------------

OK, this is what's happening to my laptop. In msconfig I keep getting svshost and random DLL files, for example "iomhhflb" and "sqhkbmdd", also "qwnuroc" and lots, lots more. These DLL files keep coming up, and if I untick them in msconfig it then tells me I cannot untick as I am not the administrator, but I am the administrator?? I have McAfee and I use the shredder to remove these DLLs, but they keep coming up every time I restart, in different names. The problem these things are causing is that internet pages don't load up (I have IE and Firefox). Once I have shredded these files and restarted, my IE and Firefox run normally, but not for long though. I feel that when I keep shredding these DLLs it is causing more harm; I've noticed run errors and a slow computer. Every other day I do a "sfc /scannow" with the OEM disc to try and keep my files intact. I would love to find a fix for this if you guys can really help me; a format is something I don't wanna do, but if I have no choice. Thank you

Last edited by amateur : 07-20-2008 at 04:09 AM. Reason: to retain 0-reply status
#2 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,653
OS: XP
Re: how do i know what viruses i have ?
Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present. Please Do Not Attach logs to your posts unless you are advised to do so.

========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========

P2P

I see you have P2P software, Azureus Vuze and LimeWire 4.18.2, installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections. References for the risk of these programs are Here, Here and Here.

==========

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Please then reboot your computer in Safe Mode by doing the following:

===========

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.

Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you.

============

Please download HijackThis to your desktop (Alternate link). This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis. Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe.
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

============

Logs Required
Report.txt
C:\Combofix.txt
Hijackthis Log
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information. ![]() Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
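A small triage pass over the kind of HijackThis entries this thread's log contains, as an added example (not the thread's own or HijackThis' code): it flags Run entries started without a path or under a misspelt system-process name (svshost.exe), rundll32/BHO/Winlogon Notify entries whose DLL has a random-looking name, "(file missing)" leftovers, and hosts-file redirects. The sample lines are copied from the posted log; the random-name heuristic, its threshold and the lookalike list are this example's assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).
The heuristics and thresholds below are this example's own assumptions."""
import re
from collections import namedtuple

# Windows system binaries that malware commonly imitates by misspelling them.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}
# Constructed sample: entries copied from the log posted in this thread, plus an
# O1 line rebuilt from the DSS "Hosts" section (127.0.0.1 microsoft.com).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {262352ee-3ec8-4f52-ad69-4826a706485c} - C:\WINDOWS\system32\rqRLbaBs.dll
O2 - BHO: Rmn plugin - {d9a7b3b6-1f8a-4cf9-a20c-bdf427dbdb4a} - jzcom32.dll (file missing)
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Microsoft Windows Sound] svshost.exe
O4 - HKLM\..\Run: [BMf3a3c701] Rundll32.exe "C:\WINDOWS\system32\hcybkxpl.dll",s
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: gebutmnd - C:\WINDOWS\system32\geBuTmND.dll
"""
Finding = namedtuple("Finding", "line severity reason")  # severity: high | review

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelt system process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def basename(path: str) -> str:
    """File name of a path, with HijackThis' '(file missing)' marker removed."""
    path = re.sub(r"\s*\((?:file missing|no file)\)\s*$", "", path.strip().strip('"'))
    return re.split(r"[\\/]", path)[-1]

def looks_random(name: str) -> bool:
    """Assumed heuristic for names like rqRLbaBs.dll: 6-12 letters, few vowels."""
    stem = name.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{6,12}", stem):
        return False
    return sum(c in "aeiouAEIOU" for c in stem) / len(stem) <= 0.25

def lookalike(name: str):
    """Return the system binary this name imitates (one edit away), if any."""
    low = name.lower()
    return None if low in SYSTEM_NAMES else next(
        (s for s in SYSTEM_NAMES if edit_distance(low, s) == 1), None)

def split_cmd(cmd: str):
    """Split a command line into (first token, remainder), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        head, _, tail = cmd[1:].partition('"')
        return head, tail
    head, _, tail = cmd.partition(" ")
    return head, tail

def triage(log_text: str) -> list:
    """Walk O1/O2/O4/O20 entries and return what an analyst would check first."""
    findings = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        m = re.match(r"(O\d+) - (.*)", raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if re.search(r"\((?:file missing|no file)\)", rest):
            findings.append(Finding(n, "review", "entry points at a file that no longer exists"))
        if kind == "O1":  # hosts file override
            ip, host = rest.split(":", 1)[1].split()[:2]
            if ip.startswith("127.") and host.lower() != "localhost":
                findings.append(Finding(n, "high", f"hosts file sends {host} to loopback"))
        elif kind == "O2":  # browser helper object
            parts = rest.split(" - ")
            dll = basename(parts[-1])
            if looks_random(dll):
                tag = "unnamed " if "(no name)" in parts[0] else ""
                findings.append(Finding(n, "high", f"{tag}BHO loads random-looking {dll}"))
        elif kind == "O4":  # Run / RunServices autostart
            cmd = rest.split("]", 1)[1] if "]" in rest else rest
            target, args = split_cmd(cmd)
            name = basename(target)
            if name.lower() == "rundll32.exe":  # legitimate loader: inspect its DLL
                dll = basename(split_cmd(args)[0])
                if looks_random(dll):
                    findings.append(Finding(n, "high", f"{name} loads random-looking {dll}"))
            elif "\\" not in target:
                findings.append(Finding(n, "review", f"{name} is started without a path"))
            imitated = lookalike(name)
            if imitated:
                findings.append(Finding(n, "high", f"{name} imitates {imitated}"))
        elif kind == "O20":  # AppInit_DLLs / Winlogon Notify
            what, _, value = rest.partition(":")
            dll = basename(value.split(" - ")[-1])
            sev = "high" if looks_random(dll) else "review"
            findings.append(Finding(n, sev, f"{what.strip()} loads {dll} system-wide"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get one Finding per hit; the "review" items (a bare file name in Run, AppInit_DLLs being set at all) are normal for some legitimate software, which is why the thread's analyst asks for the log rather than letting HijackThis fix entries blindly.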
#3
Registered User
Join Date: Jul 2008
Posts: 4
OS: xp pro
Re: how do i know what viruses i have ?
Hi there,
Thanks for getting back to me. As requested, here are the 3 files.

Report.txt

SDFix: Version 1.207
Run by Administrator on 22/07/2008 at 18:24

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
49e156d6
66686c

Path :
\SystemRoot\System32\drivers\49e156d6.sys
\SystemRoot\System32\drivers\66686c.sys

49e156d6 - Deleted
66686c - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\geBuTmND.dll - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\alog.txt - Deleted
C:\WINDOWS\system32\h@tkeysh@@k.dll - Deleted
C:\WINDOWS\system32\jkcom32.dll - Deleted
C:\WINDOWS\system32\jzcom32.dll - Deleted
C:\WINDOWS\system32\msupdte.exe - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\sklh.dat - Deleted
C:\WINDOWS\system32\drivers\49e156d6.sys - Deleted
C:\WINDOWS\system32\drivers\66686c.sys - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll - Deleted
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 18:30:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:84,e1,9a,a4,a2,36,3b,c7,1d,6f,d3,50,26,32,b0,50,c9,2d,af,c3,e1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,be,fd,de,ef,8d,24,ce,1c,2a,68,c2,2a,3e,57,b1,c3,30,..
"hdf12"=hex:3e,cf,34,17,d1,1f,9e,54,3b,cb,b1,42,57,ac,2c,1a,af,13,f0,a1,4a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:fb,09,b9,de,a6,fe,f0,e3,e3,f5,d1,af,64,24,42,8d,13,61,2f,ac,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,c9,e0,dd,ef,46,ec,5f,41,a9,46,78,e3,f6,ad,36,ca,fc,..
"hdf12"=hex:c8,04,af,e4,1a,5f,ad,8c,17,4d,ba,99,c8,bf,4e,43,ff,9c,4e,7e,c1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:cf,9b,76,3b,5c,7e,83,81,d0,e2,73,d4,01,e4,fc,a1,c2,1e,45,c8,2f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:84,e1,9a,a4,a2,36,3b,c7,1d,6f,d3,50,26,32,b0,50,c9,2d,af,c3,e1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,be,fd,de,ef,8d,24,ce,1c,2a,68,c2,2a,3e,57,b1,c3,30,..
"hdf12"=hex:3e,cf,34,17,d1,1f,9e,54,3b,cb,b1,42,57,ac,2c,1a,af,13,f0,a1,4a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:de,a0,ad,23,ee,07,88,f8,f9,23,74,94,61,52,51,19,34,9a,7f,7d,73,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,c9,e0,dd,ef,46,ec,5f,41,a9,46,78,e3,f6,ad,36,ca,fc,..
"hdf12"=hex:c8,04,af,e4,1a,5f,ad,8c,17,4d,ba,99,c8,bf,4e,43,ff,9c,4e,7e,c1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:cf,9b,76,3b,5c,7e,83,81,d0,e2,73,d4,01,e4,fc,a1,c2,1e,45,c8,2f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:84,e1,9a,a4,a2,36,3b,c7,1d,6f,d3,50,26,32,b0,50,c9,2d,af,c3,e1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,be,fd,de,ef,8d,24,ce,1c,2a,68,c2,2a,3e,57,b1,c3,30,..
"hdf12"=hex:3e,cf,34,17,d1,1f,9e,54,3b,cb,b1,42,57,ac,2c,1a,af,13,f0,a1,4a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:fb,09,b9,de,a6,fe,f0,e3,e3,f5,d1,af,64,24,42,8d,13,61,2f,ac,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,c9,e0,dd,ef,46,ec,5f,41,a9,46,78,e3,f6,ad,36,ca,fc,..
"hdf12"=hex:c8,04,af,e4,1a,5f,ad,8c,17,4d,ba,99,c8,bf,4e,43,ff,9c,4e,7e,c1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:cf,9b,76,3b,5c,7e,83,81,d0,e2,73,d4,01,e4,fc,a1,c2,1e,45,c8,2f,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\lass.exe"="C:\\WINDOWS\\system32\\lass.exe:*:Disabled:lass"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 22 Apr 2008 166,912 A..H. --- "C:\Program Files\eMPIA\Setup.exe"
Sun 4 May 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 7 Jul 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 7 Jul 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 25 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 Jul 2004 40,960 A..H. --- "C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Installer\Setup.exe"

Finished!

Last edited by a_beast33: 07-22-2008 at 11:25 AM. Reason: trying to add attachments, hijackthis.log and combofix.txt, saying invalid file and upload error.
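The SDFix report above ends with the "Authorized Application Key Export", the list of programs the Windows Firewall lets through, and one of them is `C:\WINDOWS\system32\lass.exe`, a name one letter away from `lsass.exe`. As an added example, not SDFix code, the script below parses those REG_SZ export lines (the doubled backslashes are the export's escaping) and flags two things: an executable name within one edit of a core Windows binary, and a genuine core-binary name appearing outside `%windir%`. The same name check applies to the orphaned autostart names that turn up in the ComboFix log later in this thread (`lass.exe`, `svshost.exe`). The export text is constructed in SDFix's format; the first four value lines are modelled on the thread, the `Temp\svchost.exe` line is a placeholder added to show the second check.

```python
"""Review the firewall exception list SDFix exports as "Authorized Application Key Export".

Added example, not SDFix code.  SAMPLE_EXPORT is constructed in SDFix's format;
the Temp\\svchost.exe line is a placeholder, not from the thread.
"""
import re

# Processes that are always present on XP and therefore attractive to imitate.
CORE_BINARIES = {
    "csrss.exe", "ctfmon.exe", "explorer.exe", "lsass.exe", "rundll32.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe",
    "wuauclt.exe",
}

# One exported value per line: "<key>"="<value>"
LINE_RE = re.compile(r'^"(?P<key>[^"]*)"="(?P<value>.*)"$')


def parse_export(text):
    """One dict per exception.  The value is "<path>:<scope>:<state>:<name>";
    splitting from the right keeps the drive-letter colon inside the path."""
    rules = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        parts = m["value"].rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        rules.append({
            "path": path.replace("\\\\", "\\"),   # undo the export's escaping
            "scope": scope,
            "enabled": state.lower() == "enabled",
            "name": name,
        })
    return rules


def edit_distance(a, b):
    """Levenshtein distance, iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename, known=CORE_BINARIES, max_distance=1):
    """The core binary this file name imitates, or None.  An exact match is
    not a lookalike; "lass.exe" (one edit from lsass.exe) is."""
    name = filename.lower()
    if name in known:
        return None
    stem = name[:-4] if name.endswith(".exe") else name
    for candidate in sorted(known):
        if edit_distance(stem, candidate[:-4]) <= max_distance:
            return candidate
    return None


def review(text):
    """(exe, reason, enabled) for each exception worth asking about."""
    findings = []
    for rule in parse_export(text):
        exe = rule["path"].rsplit("\\", 1)[-1].lower()
        target = lookalike(exe)
        if target:
            findings.append((exe, "name imitates " + target, rule["enabled"]))
        elif exe in CORE_BINARIES and not rule["path"].lower().startswith(("%windir%", "c:\\windows")):
            findings.append((exe, "core binary name outside %windir%", rule["enabled"]))
    return findings


# Constructed sample in SDFix's export format.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\lass.exe"="C:\\WINDOWS\\system32\\lass.exe:*:Disabled:lass"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:svchost"
'''

if __name__ == "__main__":
    for exe, reason, enabled in review(SAMPLE_EXPORT):
        print(f"{exe:12} {reason:36} rule {'enabled' if enabled else 'disabled'}")
```

A disabled rule (the `lass.exe` entry is `Disabled`) still tells you a program once asked to be let through, so the state is reported rather than used to suppress the finding. Edit distance one is deliberately tight: widening it to two starts matching unrelated short names.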
#5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 2,653
OS: XP
Re: how do i know what viruses i have ?
In my previous post I said:
Quote:
#6
Registered User
Join Date: Jul 2008
Posts: 4
OS: xp pro
Re: how do i know what viruses i have ?
Sorry, I must have misread what you requested. Thank you for your patience.

ComboFix 08-07-21.2 - Administrator 2008-07-22 18:46:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1643 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\WINDOWS\BMf3a3c701.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aplvbfgu.dll
C:\WINDOWS\system32\blfhhmoi.ini
C:\WINDOWS\system32\dlsqumqg.ini
C:\WINDOWS\system32\dpltkxgu.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\iifgGWqR.dll
C:\WINDOWS\system32\iomhhflb.dll
C:\WINDOWS\system32\joufdxqt.ini
C:\WINDOWS\system32\jtsnteqr.ini
C:\WINDOWS\system32\kcvjsonm.ini
C:\WINDOWS\system32\kyupwuwh.ini
C:\WINDOWS\system32\lhtnlvnp.dll
C:\WINDOWS\system32\lpfhdy.dll
C:\WINDOWS\system32\mcrafiko.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgjahe.dll
C:\WINDOWS\system32\mojnfcqp.dll
C:\WINDOWS\system32\ntbuytnr.ini
C:\WINDOWS\system32\omfxfl.dll
C:\WINDOWS\system32\oomhomdy.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pefwhdid.ini
C:\WINDOWS\system32\pvjbaxea.dll
C:\WINDOWS\system32\qxdkfe.dll
C:\WINDOWS\system32\rqRLbaBs.dll
C:\WINDOWS\system32\rtutvbvs.dll
C:\WINDOWS\system32\sBabLRqr.ini
C:\WINDOWS\system32\sBabLRqr.ini2
C:\WINDOWS\system32\txyucxea.dll
C:\WINDOWS\system32\ugfbvlpa.ini
C:\WINDOWS\system32\ukhjnfod.ini
C:\WINDOWS\system32\unrpjxgd.dll
C:\WINDOWS\system32\uslmqjcb.dll
C:\WINDOWS\system32\wjoehcjj.dll
C:\WINDOWS\system32\wnjocohc.ini
C:\WINDOWS\system32\wojyokih.ini
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\video.dll.cla
C:\WINDOWS\system32\xgeexpxv.dll
C:\WINDOWS\system32\ybrmgxhn.ini
C:\WINDOWS\system32\ydjcjndi.dll
C:\WINDOWS\system32\ylqprhmj.dll
C:\WINDOWS\system32\zgjltr.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.
2008-07-22 18:21 . 2008-07-22 18:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-22 18:18 . 2008-07-22 18:32 <DIR> d-------- C:\SDFix
2008-07-21 22:18 . 2008-07-21 22:18 <DIR> d-------- C:\Program Files\iPod
2008-07-21 22:17 . 2008-07-21 22:36 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:31 . 2008-07-21 17:33 43,581 --ahs---- C:\WINDOWS\system32\cxctwcot.ini
2008-07-21 17:10 . 2008-07-21 18:28 168 --a------ C:\WINDOWS\system32\temp_0000_85-24.aok
2008-07-21 17:09 . 2008-07-21 18:28 169 --a------ C:\WINDOWS\system32\test.aok
2008-07-21 17:08 . 2008-07-21 17:09 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-07-19 18:20 . 2008-07-19 18:20 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-07-19 16:58 . 2008-07-19 16:58 <DIR> d-------- C:\Deckard
2008-07-19 16:54 . 2008-07-20 11:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-19 16:54 . 2008-07-19 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-19 16:21 . 2008-07-19 16:21 <DIR> d-------- C:\ie-spyad_zo
2008-07-19 16:10 . 2008-07-19 16:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-19 15:19 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-19 15:18 . 2008-07-19 15:18 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 10:48 . 2008-07-19 10:48 0 --a------ C:\WINDOWS\iPlayer.INI
2008-07-19 10:37 . 2008-07-19 15:07 <DIR> d-------- C:\Program Files\InterActual
2008-07-16 13:14 . 2008-07-16 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-07-16 13:06 . 2008-07-16 13:06 <DIR> d-------- C:\Program Files\Atari
2008-07-15 07:47 . 2008-07-15 07:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-07-12 15:56 . 2008-04-14 01:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-07-12 15:56 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-07-12 15:56 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-07-12 15:56 . 2008-04-14 01:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-07-12 15:56 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-07-12 15:55 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-07-12 15:55 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-07-12 15:55 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-07-12 15:55 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-07-12 15:55 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-07-12 15:55 . 2008-04-13 19:36 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-07-12 15:55 . 2008-04-14 01:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-07-12 15:53 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-12 15:52 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-07-12 15:51 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-07-12 15:50 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-07-12 15:49 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-07-12 15:48 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-07-12 15:47 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-12 15:46 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-12 15:45 . 2001-08-17 14:04 173,696 --a--c--- C:\WINDOWS\system32\dllcache\philcam2.sys
2008-07-12 15:44 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-07-12 15:43 . 2008-04-13 19:31 2,065,792 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-07-12 15:42 . 2001-08-17 12:11 128,000 --a--c--- C:\WINDOWS\system32\dllcache\n100325.sys
2008-07-12 15:41 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-07-12 15:40 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-12 15:39 . 2008-04-14 01:12 151,552 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-07-12 15:38 . 2008-04-14 01:11 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-07-12 15:37 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-07-12 15:36 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-12 15:35 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-07-12 15:34 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-12 15:33 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
2008-07-12 15:32 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-12 15:31 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-07-12 15:30 . 2008-04-13 20:27 2,188,928 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-07-12 15:16 . 2003-03-26 06:59 573,440 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2008-07-12 15:16 . 2002-12-03 03:02 491,520 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-07-12 15:16 . 2003-03-25 15:08 286,720 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2008-07-12 15:16 . 2002-12-03 03:07 168,448 --a------ C:\WINDOWS\system32\NCTAudioPlayer.dll
2008-07-12 15:16 . 2002-12-03 03:11 143,872 --a------ C:\WINDOWS\system32\NCTWMAFile.dll
2008-07-12 15:16 . 2002-03-19 07:18 120,832 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-07-12 15:16 . 2008-07-17 19:11 69,820 --a------ C:\WINDOWS\system32\drivers\94b55b44.sys
2008-07-12 10:21 . 2008-07-12 10:21 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-12 10:20 . 2008-07-12 10:20 <DIR> d-------- C:\Program Files\Real
2008-07-12 10:20 . 2008-07-12 10:20 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-11 20:19 . 2008-07-11 20:19 0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-08 09:18 . 2008-07-21 16:17 110,446 --a------ C:\WINDOWS\BMf3a3c701.xml
2008-07-07 20:29 . 2008-07-07 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-07-07 19:09 . 2008-07-22 18:48 9,436 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-07 18:55 . 2008-07-20 11:07 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-07 18:55 . 2008-07-19 16:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-07-07 18:54 . 2008-07-07 18:54 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-07 18:54 . 2008-07-07 19:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-07 18:54 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-07 18:54 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-07 18:54 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-07 18:54 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-07 18:54 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-07 18:54 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-07 18:53 . 2008-07-07 20:28 <DIR> d-------- C:\Program Files\McAfee
2008-07-06 13:02 . 2008-07-19 16:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 15:17 . 2008-07-05 15:17 298,533 --a------ C:\temp.arc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 13:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-22 06:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-21 21:19 --------- d-----w C:\Program Files\iTunes
2008-07-21 21:17 --------- d-----w C:\Program Files\QuickTime
2008-07-19 15:04 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-07-16 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 16:34 361,344 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-07-10 21:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-07-10 08:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-03 06:50 --------- d-----w C:\Program Files\Azureus
2008-06-14 18:42 --------- d-----w C:\Program Files\NAMCO BANDAI Games
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:25 --------- d-----w C:\Program Files\LucasArts
2008-06-11 19:33 361,344 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-06-11 16:34 --------- d-----w C:\Program Files\Java
2008-06-08 20:31 --------- d-----w C:\Program Files\LimeWire
2008-06-06 22:44 --------- d-----w C:\Program Files\DivX
2008-06-04 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-27 13:49 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-23 13:49 14,642 -c--a-w C:\WINDOWS\E220AutoRunLog.tmp
.
------- Sigcheck -------
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-07-13 17:34 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-13 17:34 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 17:16 7561216]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"nwiz"="nwiz.exe" [2006-03-17 17:16 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mjc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\applesyncnotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 01:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 14:08 136136 C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 01:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-09-04 16:40 6856704 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a--c--- 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\raidtool]
-ra------ 2005-06-20 11:53 1056768 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\siteadvisor]
--a------ 2006-07-24 21:28 35992 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-12 10:20 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-04-02 09:49 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2001-12-26 01:12 472576 C:\WINDOWS\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2005-09-22 09:42 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14102:TCP"= 14102:TCP:BitComet 14102 TCP
"14102:UDP"= 14102:UDP:BitComet 14102 UDP

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R3 HSFHWVIA;HSFHWVIA;C:\WINDOWS\system32\DRIVERS\HSFHWVIA.sys [2005-10-24 04:21]
S1 94b55b44;94b55b44;C:\WINDOWS\system32\drivers\94b55b44.sys [2008-07-17 19:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f99e7fc-113c-11dd-a241-000b6b4d14f0}]
\Shell\AutoRun\command - K:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f99e7fd-113c-11dd-a241-000b6b4d14f0}]
\shell\autorun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcffe3-1096-11dd-a239-000b6b4d14f0}]
\Shell\AutoRun\command - K:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5dcffe4-1096-11dd-a239-000b6b4d14f0}]
\shell\autorun\command - F:\VMC_PBStarter.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 14:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 01:02:27 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-07-07 17:54:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
- - - - ORPHANS REMOVED - - - -

Notify-vtUnmJbY - vtUnmJbY.dll
MSConfigStartUp-0072891215454304mcinstcleanup - C:\WINDOWS\TEMP\007289~1.EXE
MSConfigStartUp-BMf3a3c701 - C:\WINDOWS\system32\kwhfilak.dll
MSConfigStartUp-f090f49d - C:\WINDOWS\system32\tocwtcxc.dll
MSConfigStartUp-Microsoft WinUpdate - C:\WINDOWS\system32\msupdte.exe
MSConfigStartUp-Microsoft - lass.exe
MSConfigStartUp-Microsoft Update - qwnuroc.exe
MSConfigStartUp-Microsoft Windows Sound - svshost.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;*.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 18:49:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-22 18:52:33 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-22 17:52:29

Pre-Run: 67,038,969,856 bytes free
Post-Run: 67,003,121,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

338 --- E O F --- 2008-05-05 11:56:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55:44, on 22/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menui
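Three parts of the ComboFix log above carry the findings a helper reads before anything else: the Sigcheck block, where the live `TCPIP.SYS` in `system32\drivers` and `dllcache` hashes to `68f06fe0...` while the `ServicePackFiles` reference is `93ea8d04...`; the Security Center and firewall-policy values (`AntiVirusDisableNotify`, `UpdatesDisableNotify`, `EnableFirewall = 0`); and the `S1 94b55b44` driver, whose service name is a bare hex string like the `49e156d6.sys` and `66686c.sys` drivers SDFix removed. As an added example, not ComboFix code, the script below pulls those three checks out of the log format. Two caveats it encodes: a third-party suite such as the McAfee install on this machine commonly sets the `*DisableNotify` flags itself, so those hits are items to confirm against the installed product rather than proof of tampering, and the Find3M section lists a `TCPIP.SYS.ORIGINAL` beside the changed driver, so the hash mismatch is something to ask the poster about (what modified the driver?) before treating it as an infection indicator. The excerpt is constructed in ComboFix's format; the TCPIP.SYS hashes, registry values and driver lines copy the posted log, and the `ntoskrnl.exe` hash is a placeholder that exercises the matching case.

```python
"""Three checks on a ComboFix log: Sigcheck hash consistency, non-default
Security Center / firewall policy values, and drivers with bare hex service names.

Added example, not ComboFix code.  SAMPLE_LOG is constructed in ComboFix's
format; the ntoskrnl.exe hash in it is a placeholder for the matching case.
"""
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (\d+) ([0-9a-f]{32}) (.+)$")
VALUE_RE = re.compile(
    r'^"(?P<name>[A-Za-z_]+)"\s*=\s*(?:dword:(?P<hexval>[0-9a-fA-F]+)|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))'
)
DRIVER_RE = re.compile(r"^([RS]\d) (\S+?);(.*?);(.+?) \[")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$")

# Values ComboFix reports when they are non-default, paired with that state.
# A third-party security suite often sets the *DisableNotify flags itself, so a
# hit means "confirm against the installed product", not "malware did this".
WATCHED_VALUES = {
    "AntiVirusDisableNotify": 1,
    "FirewallDisableNotify": 1,
    "UpdatesDisableNotify": 1,
    "EnableFirewall": 0,
}


def sigcheck_mismatches(text):
    """{basename: (reference_md5, [live_md5, ...])} for each file whose copy in
    system32\\drivers or system32\\dllcache differs from its ServicePackFiles copy."""
    reference, live = {}, defaultdict(set)
    for raw in text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if not m:
            continue
        md5, path = m.group(2), m.group(3).lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\servicepackfiles\\" in path:
            reference[name] = md5
        elif "\\system32\\drivers\\" in path or "\\system32\\dllcache\\" in path:
            live[name].add(md5)
    return {n: (reference[n], sorted(live[n]))
            for n in reference if live.get(n) and live[n] != {reference[n]}}


def nondefault_security_settings(text):
    """(registry key, value name, value) for each watched value in its non-default state."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.strip("[]")      # remember which key the values below belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        value = int(m["hexval"], 16) if m["hexval"] is not None else int(m["dec"])
        if WATCHED_VALUES.get(m["name"]) == value:
            findings.append((key, m["name"], value))
    return findings


def hex_named_drivers(text):
    """(start type, service name, image path) for drivers whose service name is a
    bare 6-8 digit hex string.  A naming heuristic, not a verdict on the file."""
    out = []
    for raw in text.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if m and HEX_NAME_RE.match(m.group(2).lower()):
            out.append((m.group(1), m.group(2), m.group(4)))
    return out


SAMPLE_LOG = r"""
------- Sigcheck -------
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-07-13 17:34 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-13 17:34 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-04-13 20:27 2188928 0123456789abcdef0123456789abcdef C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-07-12 15:30 2188928 0123456789abcdef0123456789abcdef C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S1 94b55b44;94b55b44;C:\WINDOWS\system32\drivers\94b55b44.sys [2008-07-17 19:11]
"""

if __name__ == "__main__":
    for name, (ref, seen) in sigcheck_mismatches(SAMPLE_LOG).items():
        print(f"{name}: live {seen} != reference {ref}")
    for key, name, value in nondefault_security_settings(SAMPLE_LOG):
        print(f"{name}={value} under {key}")
    for start, svc, image in hex_named_drivers(SAMPLE_LOG):
        print(f"{start} {svc} -> {image}")
```

`DisableMonitoring` under a product's own `Monitoring\<vendor>` key is left out of `WATCHED_VALUES` on purpose: that is how a registered antivirus or firewall tells Security Center it will do its own monitoring, so it is expected whenever a suite is installed.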