04-Oct-2008, 09:42 AM
#1
Regedit/task manager disabled (+HJT log)

Hi, I'm SuperSonic. I couldn't find much time to type everything in again, so I pasted what I typed in Yahoo Answers some time ago. Here's the story from the beginning:

Yesterday, I took a pen drive from my friend and inserted it in the comp. When I tried to open the pen drive folder, a message came up "Windows can't find the file Axxx.vbs" (xxx was a number). At the same time Symantec AntiVirus popped up, saying it had quarantined 4 files (3 Axxx.vbs and 1 AQxxx.vbs and some registry entries). Then I took the pen drive out and started minding my other work. Then I realized that Task Manager and Regedit were disabled. Then I found that Symantec AntiVirus was no longer running. I tried to run it but it won't start (or maybe closing instantly). Then I installed Spybot S&D, but it started for a few seconds, was normal, then quit instantly. Same happened to ESET. Then I tried to boot into Safe Mode, but it kept rebooting while displaying a list of .sys files that were being run. In the process I lost a lot of important files. When restarting, the computer said my user profile was corrupted and created a temp profile. I thought it was a permanent profile, so I cut-pasted everything from my original profile to the new profile. Today when I started up, the temp profile was gone, and with it, all the things I'd copied.

So, the main problem now is that Firewall, Regedit and Task Manager keep getting disabled, and antivirus stuff refuse to run. Any help would be appreciated.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:21, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
G:\backup\c\Program Files\Mozilla\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winipkbnh.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winenwdh.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com...veXClient1.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.getrightarcade.com/online...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{899F11B0-28F0-452D-8D6D-1CAE6E9E505E}: NameServer = 208.67.222.222 208.67.220.220
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8226 bytes
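The indicators a helper would pick out of the log above by eye (two processes running from the user's Temp folder, an O7 policy entry hiding regedit, and services whose binaries have gone missing) can be pulled out mechanically. The script below is an added example, not part of the thread or of HijackThis itself; the parser and the triage rules are my own, and the constructed sample log is a handful of lines copied from the log in this post rather than the whole thing.

```python
"""Triage a HijackThis v2 log for the indicators seen in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted above
# (the real log is much longer). Everything below is an added example, not
# HijackThis code.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winipkbnh.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winenwdh.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
"""

# A process image under a per-user Temp directory is the classic footprint of
# a dropper launched from a USB stick or a browser download.
TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# HijackThis entries look like "O4 - ...", "R1 - ...", "O23 - ...".
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(log_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into (running process paths, [(section, body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False          # first Rx/Ox entry ends the process list
            entries.append((m.group("kind"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the entries a malware-removal helper would ask about first."""
    processes, entries = parse_hjt(log_text)
    findings: Dict[str, List[str]] = {
        "process_in_temp": [p for p in processes if TEMP_PATH.search(p)],
        "policy_restriction": [],    # O7: DisableRegedit / DisableTaskMgr policies
        "run_key_in_temp": [],       # O4: autostart pointing into a Temp folder
        "service_file_missing": [],  # O23: service whose binary is gone (AV killed off)
    }
    for kind, body in entries:
        if kind == "O7":
            findings["policy_restriction"].append(body)
        elif kind == "O4" and TEMP_PATH.search(body):
            findings["run_key_in_temp"].append(body)
        elif kind == "O23" and body.endswith("(file missing)"):
            findings["service_file_missing"].append(body)
    return findings


def service_name(o23_body: str) -> str:
    """Short service name from an O23 body: the '(DefWatch)' part when present."""
    m = re.search(r"\(([^()]+)\) - ", o23_body)
    if m:
        return m.group(1)
    head = o23_body.split(" - ", 1)[0]
    return head[len("Service: "):] if head.startswith("Service: ") else head


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run against the full log, the same rules would also flag the O4 `[UnlockerAssistant]` and `[ccApp]` entries as nothing more than ordinary autostarts, which is the point: the script only narrows the list, and the Temp-resident processes and the O7 policy entry are what need a human to act on them.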
07-Oct-2008, 05:02 AM
#2
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix; especially follow the advice about installing the recovery console.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.

__________________
Derek
Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction: Hedgehog Rescue
10-Oct-2008, 03:39 AM
#3
I don't think that did much, but here's the new HJT log. Also, I've found two places where the virus keeps resetting registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:21 AM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\regedit.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com...veXClient1.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7994 bytes

Oh, and the ComboFix log:

ComboFix 08-10-06.05 - user 2008-10-10 11:39:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.436 [GMT 5.5:30]
Running from: G:\backup\c\Program Files\Mozilla\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\rbap550.dll
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2009-03-15 16:27 . 2008-10-10 11:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-07 11:17 . 2009-02-07 11:17 <DIR> d----c--- C:\Program Files\Alcohol Soft
2008-10-10 09:49 . 2008-10-10 09:49 685,056 --a------ C:\WINDOWS\isRS-000.tmp
2008-10-05 11:32 . 2008-10-05 11:46 21,004 --ah-c--- C:\TEMP_BDT.CHA
2008-10-05 10:00 . 2008-10-05 10:00 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-10-04 20:57 . 2008-10-04 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-04 20:41 . 2008-10-04 20:41 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-10-04 20:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-04 20:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-04 20:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-04 20:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-04 17:51 . 2008-10-04 18:18 <DIR> d-------- C:\Program Files\Unlocker
2008-10-04 17:26 . 2008-10-06 18:50 2,852 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-04 16:48 . 2008-10-04 17:35 <DIR> d--h-c--- C:\SDFix
2008-10-04 14:57 . 2008-10-04 18:19 <DIR> d--h----- C:\Program Files\sb
2008-10-03 17:12 . 2008-03-15 14:23 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4\Application Data\Apple Computer
2008-10-03 17:12 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\Administrator.USER-08E83726E4
2008-10-03 16:24 . 2008-10-03 17:12 <DIR> d----c--- C:\Documents and Settings\TEMP
2008-10-03 15:50 . 2008-10-03 15:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-10-02 20:14 . 2008-10-02 20:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\gtk-2.0
2008-10-01 21:35 . 2008-10-01 21:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\Xfire Plus
2008-09-28 17:18 . 2008-09-28 17:18 0 --a------ C:\WINDOWS\wt9_1sptlEN.INI
2008-09-25 13:59 . 2008-09-25 14:00 <DIR> d--h-c--- C:\gs
2008-09-25 13:38 . 2008-09-25 13:38 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ironclad Games
2008-09-18 21:17 . 1999-09-11 02:20 25,600 --a------ C:\WINDOWS\system\007.DLL
2008-09-18 21:17 . 1999-09-11 02:20 9,504 --a------ C:\WINDOWS\system\006.DLL
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-18 21:06 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-18 21:03 . 2008-09-18 21:06 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-18 09:11 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-09-18 09:10 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-09-18 06:11 . 2008-09-18 06:11 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-09-11 10:44 . 2008-09-12 15:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\MiniDm
2008-09-11 10:43 . 2008-09-11 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\IEPro
2008-09-11 10:40 . 2008-09-11 10:42 <DIR> d----c--- C:\Program Files\GM4IE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 05:15 --------- dc----w C:\Program Files\Symantec
2008-10-07 11:59 --------- d-----w C:\Documents and Settings\user\Application Data\Xfire
2008-10-06 07:23 --------- dc----w C:\Program Files\Symantec AntiVirus2
2008-10-05 03:57 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-04 15:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-03 12:06 --------- dc----w C:\Program Files\QuickTime
2008-10-02 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\.gaim
2008-09-29 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-09-28 11:43 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2008-09-15 15:34 --------- d-----w C:\Documents and Settings\user\Application Data\GetRightToGo
2008-09-10 10:19 --------- dc----w C:\Program Files\Java
2008-09-01 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-01 05:32 --------- d-----w C:\Documents and Settings\user\Application Data\Games
2008-09-01 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-01 05:23 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-09-01 05:23 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-09-01 05:18 --------- dc--a-w C:\Program Files\Common Files\InstallShield
2008-09-01 04:45 --------- dc----w C:\Program Files\MSXML 6.0
2008-08-30 13:17 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-13 10:41 --------- dc----w C:\Program Files\Common Files\GTK
2008-07-30 12:25 69,409 ----a-w C:\WINDOWS\system32\uninst.exe
2008-07-23 06:49 32,768 ----a-w C:\WINDOWS\system32\asteriskie.exe
2008-07-23 06:48 397,379 ----a-w C:\WINDOWS\system32\paqbonus.exe
2008-07-23 06:48 311,296 ----a-w C:\WINDOWS\system32\winping.exe
2008-07-21 12:12 184,320 ----a-w C:\WINDOWS\freeze.exe
2008-07-18 18:34 664,064 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-01-30 10:43 88 --sha-r C:\WINDOWS\system32\20953AAD62.sys
2008-03-06 06:54 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-10-30 22:23 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 16:14 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 17:21 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 17:29 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 16:15 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 22:50 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-10-05 09:27 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-05 241080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"GM4IE"="C:\Program Files\GM4IE\gm4ie.exe" [2006-07-23 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 218512]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 458752]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"PCTVRemote"="F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 139264]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 204800]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 208896]
"SkyTel"="SkyTel.EXE" [2006-05-15 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 C:\WINDOWS\RTHDCPL.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 195584]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
path=C:\Documents and Settings\user\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 237568 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 225280 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\My Web\\new\\3dsmax.exe"=
"G:\\backup\\d\\Adobe Photoshop 7.0\\Presets\\Patterns\\PostScript Patterns\\Aphex.exe"=
"E:\\Program Files\\Wyzo\\wyzo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"E:\\My Second Web\\_private\\LimeWire\\LimeWire.exe"=
"G:\\backup\\d\\Adobe PageMaker 7.0\\Images\\ua\\game\\bakup\\urbanassault\\Ua.exe"=
"E:\\gmax\\downloads\\cc2\\closecombat2\\Cc2.exe"=
"E:\\Program Files\\GetRight\\GetRight.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\byond.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamseeker.exe"=
"E:\\Program Files\\Xfire\\xfire.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMP.exe"=
"E:\\games\\Audacity\\Call of Duty\\CoDMPw0rt.exe"=
"E:\\games\\thunder\\thunbrigade\\thunbrig\\Tbrigade.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\FS2.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\incoming\\incoming\\incoming.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_9_debug.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10_debug-20071007T.exe"=
"G:\\backup\\c\\Program Files\\byo\\bin\\dreamdaemon.exe"=
"G:\\backup\\c\\Program Files\\wwp\\Worms World Party\\Worms World Party.exe"=
"G:\\backup\\c\\Program Files\\Freespace\\Freespace\\fs2_open_3_6_10-20071007T.exe"=
"G:\\backup\\d\\Corel11\\sse\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\samp-server.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\gta.sa\\GTA San Andreas\\samp022server.win32\\SA-MP SERVER\\samp-server.exe"=
"G:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"E:\\games\\kmd.exe"=
"E:\\My Second Web\\_private\\LimeWire\\dls\\w3\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\igfxtray.exe"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\WINDOWS\\system32\\hkcmd.exe"=
"C:\\WINDOWS\\system32\\NeroCheck.exe"=
"C:\\WINDOWS\\ALCMTR.EXE"=
"C:\\Program Files\\QuickTime\\qttask.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"C:\\WINDOWS\\RTHDCPL.EXE"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=
"e:\\my second web\\_private\\limewire\\dls\\w3\\worldedit.exe"=
"F:\\Program Files\\Pinnacle\\Pinnacle PCTV\\Remote\\Remoterm.exe"=
"C:\\WINDOWS\\system32\\taskmgr.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"g:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe"= G:\\backup\\c\\Program Files\\Spyware Doctor\\pctsTray.exe
"C:\\WINDOWS\\system32\\igfxpers.exe"=
"C:\\WINDOWS\\system32\\netsh.exe"=
"C:\\Program Files\\GM4IE\\gm4ie.exe"=
"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClient.exe"=

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2008-04-17 30720]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\rnnrl.sys [ ]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27b7ea02-1b36-11dd-a576-001bfc1861eb}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-03-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{DA30EFF8-CCC6-4162-A20D-67402A26A215} - (no file)
HKCU-Run-WMPNSCFG - C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKLM-Run-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-UnlockerAssistant - C:\Program Files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-c0 - C:\aidualc3\c0.exe
MSConfigStartUp-LimeWire Turbo Accelerator - E:\My Second Web\_private\LimeWire\turbo\LimeWire Turbo Accelerator.exe
MSConfigStartUp-TkBellExe - realsched.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\s549718h.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nppl3260.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprjplug.dll
FF -: plugin - E:\Program Files\Real\RealOne Player\v2\Netscape6\nprpjplug.dll
FF -: plugin - F:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\NPGetRt.dll
FF -: plugin - G:\backup\c\Program Files\Mozilla\plugins\npnul32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 11:41:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 11:44:17
ComboFix-quarantined-files.txt 2008-10-10 06:13:56

Pre-Run: 10,975,522,816 bytes free
Post-Run: 10,957,713,408 bytes free

275 --- E O F --- 2008-09-20 02:52:32

Last edited by dvk01; 10-Oct-2008 at 06:03 AM.
10-Oct-2008, 06:13 AM
#4
When you reply, please do not use code tags for logs, as it makes them unreadable without scrolling all over the place.

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log. Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system.

This will create a zip file inside C:\QooBox\ named something like [38]-Submit_2008-01-17@17.50.zip. At the end it will pop up an alert and open your browser and ask you to send the zip file; please follow those instructions. We need to see the zip file before we can carry on with the fix. If there is no pop-up alert or open browser, then please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.

Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select etc., and then, when all the files are listed in the window, press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit: the zip file inside C:\QooBox\ created by ComboFix, named something like [38]-Submit_2008-01-17@17.50.zip
__________________
Derek, Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction: Hedgehog Rescue
10-Oct-2008, 12:46 PM
#5
Uploaded. For your information, GM4IE was an add-on for Internet Explorer and the C:\gs folder was created by me. ComboFix log:-
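A triage check for the ComboFix and HijackThis logs exchanged in this thread, as an added example that is not part of the thread and not code from ComboFix or HijackThis: it scans log lines for the tamper indicators those logs show (the user-policy values that disable Task Manager and Regedit, the Security Center override flags, the firewall being off, and MountPoints2 shell handlers on a removable drive pointing at a .bat file). The sample lines are constructed and modelled on the posted log; the GUID in them is a placeholder.

```python
"""Tamper-indicator triage for ComboFix / HijackThis style log excerpts.

Added example, not code from this thread nor from ComboFix or HijackThis.
It flags the registry changes the thread's logs show: policy values that
disable Task Manager and Regedit, Security Center override flags, the
firewall switched off, and MountPoints2 shell handlers on a removable
drive that run a stray .bat file.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str    # registry key the value sat under (or the HJT O7 key)
    name: str   # value name, or the MountPoints2 verb (AutoRun/open/explore)
    value: str  # raw value text as it appeared in the log
    note: str   # why a defender cares


# value name (lower case) -> (numeric value that indicates tampering, note)
TAMPER_VALUES = {
    "disabletaskmgr": (1, "Task Manager disabled by user policy"),
    "disableregistrytools": (1, "Registry Editor disabled by user policy"),
    "disableregedit": (1, "Registry Editor disabled (HijackThis O7 form)"),
    "enablefirewall": (0, "Windows Firewall off in the standard profile"),
    "antivirusoverride": (1, "Security Center ignores antivirus state"),
    "antivirusdisablenotify": (1, "Security Center antivirus alerts silenced"),
    "firewalloverride": (1, "Security Center ignores firewall state"),
    "firewalldisablenotify": (1, "Security Center firewall alerts silenced"),
    "updatesdisablenotify": (1, "Security Center update alerts silenced"),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints values as  "Name"= 1 (0x1)  or  "Name"=dword:00000001
REG_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]+)|(?P<dec>\d+))')
# MountPoints2 shell handlers:  \Shell\AutoRun\command - something.bat
AUTORUN_RE = re.compile(
    r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\command\s*-\s*(?P<cmd>.+)$",
    re.IGNORECASE)
# HijackThis O7 line:  O7 - HKCU\...\Policies\System, DisableRegedit=1
HJT_O7_RE = re.compile(r"^O7 - (?P<key>[^,]+),\s*(?P<name>\w+)=(?P<value>\d+)")


def _check(findings, key, name, num, raw):
    """Record a finding when a known value name carries its tampered value."""
    rule = TAMPER_VALUES.get(name.lower())
    if rule and num == rule[0]:
        findings.append(Finding(key, name, raw, rule[1]))


def triage(lines):
    """Return a Finding for every tamper indicator in the given log lines."""
    findings, current_key = [], ""
    for raw_line in lines:
        line = raw_line.strip()
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")      # values below belong to this key
        elif (m := HJT_O7_RE.match(line)):
            _check(findings, m.group("key"), m.group("name"),
                   int(m.group("value")), m.group("value"))
        elif (m := REG_VALUE_RE.match(line)):
            raw = m.group("hex") or m.group("dec")
            num = int(raw, 16) if m.group("hex") else int(raw)
            _check(findings, current_key, m.group("name"), num, raw)
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in current_key.lower():
            findings.append(Finding(current_key, m.group("verb"), m.group("cmd").strip(),
                                    "Removable-drive shell handler runs an arbitrary file"))
    return findings


# Constructed sample modelled on the log in this thread; the GUID is a placeholder.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaCdaC11BA"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{PLACEHOLDER-GUID}]
\Shell\AutoRun\command - jfvkcsy.bat
\Shell\explore\Command - jfvkcsy.bat
\Shell\open\Command - jfvkcsy.bat
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def demo():
    """Run the triage over the constructed sample and return the findings."""
    return triage(SAMPLE_LOG.splitlines())
```

Entries that are legitimate but look similar (the C-Dilla service value, the firewall's authorized-application list) are deliberately left alone, so the output is only the values that match the disabled-tool and AutoRun pattern seen in the thread.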
10-Oct-2008, 02:49 PM
#6
This is effectively unfixable. The files contained Sality.aa, which is a file infector virus that infects ALL .exe files on the computer, including the antivirus & every other security tool that is run. It is also a keylogger that will have stolen all your personal & private information, including all passwords & logins to everywhere, including any online banking you do. I do not consider it safe or effective to attempt any fixes, & the only way is to format the computer & start from scratch.
__________________
Derek, Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction: Hedgehog Rescue
11-Oct-2008, 05:16 AM
#7
Knew something like this was coming... Anyway, do you know of any software that keeps the Task Manager enabled continuously (similar to the virus, which disables the Task Manager after short periods of time)? That will do, as I can't afford a complete reformat.
11-Oct-2008, 05:44 AM
#8
You HAVE to do a format & there is nothing that stops it. EVERY file on that computer will be infected. All you can try is an online scan, several times, to see if it can disinfect any of the files, but be warned: often the scanners will delete infected system files. Try this one: http://www.bitdefender.com/scan8/
13-Oct-2008, 01:01 AM
#9
Maybe you spoke too soon... While searching the Net for Sality.aa, I found a page that said a software called CA Antivirus can fix Sality.aa. So I downloaded that software and ran it. After about half an hour, the infection was no more. Everything was completely cleaned! So this problem is solved; thank you very much for informing me about the virus name.
13-Oct-2008, 05:04 PM
#10
If you believe that, then you believe in Father Christmas. Sality cannot ever be 100% guaranteed to be disinfected or repaired, because it attacks the antivirus as soon as it is installed. In over 100 cases of Sality I have never seen a complete, satisfactory, safe fix that I would ever depend on.
14-Oct-2008, 01:28 AM
#11
I don't see what you mean, but all the symptoms I had are gone (at least for now). It did attack all antivirus, but it perhaps didn't detect CA Antivirus. If you want, you can see a HJT log right now:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:11 AM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\PROGRA~1\Wyzo\wyzo.exe
G:\backup\c\Program Files\Mozilla\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
E:\Program Files\Xfire\xfire.exe
E:\games\Audacity\Call of Duty\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTVRemote] F:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GM4IE] C:\Program Files\GM4IE\gm4ie.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRdownload.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com...veXClient1.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - g:\backup\c\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8521 bytes

Last edited by SuperSonic_ht; 14-Oct-2008 at 01:58 AM. Reason: Safe mode problem solved
14-Oct-2008, 04:47 AM
#12
If you are happy & feel it is solved, that is fine, but be aware it might well come back. Do a scan here to see what else is still infected:

* Run Kaspersky online virus scan: Kaspersky Online Scanner.
* After the updates have downloaded, click on the "Scan Settings" button.
* Choose the "Extended database" for the scan.
* Under "Please select a target to scan", click "My Computer".
* When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from the Kaspersky scan.

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from. You can make your mind up after seeing the results.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.