
Issues w/ Network/Internet -- virus related?

Discussion in 'Virus & Other Malware Removal' started by dlello2, Apr 9, 2008.

  1. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    Hey all,

    My problem is this--I am living in an apartment with 3 other guys, all of whom use the same network to access the internet. A few weeks ago my trend micro alerted me that a JAVA_BYTEVER.BK "trojan horse" had been found and that it could not be repaired/quarantined. However, I ran micro and saw that it was in fact in the quarantine folder.

    I assumed that there was not a problem as over the next three weeks things ran smoothly.

    Yesterday during the day the internet stopped working in our apartment. I have no idea if the two things are connected at all (if this could be having an effect on the computers/internets of my roommates on top of my own). I went on to run trend and a few other spyware programs (spyeraser). Trend found a virus that it called "TSPY_NETPASS.B" -- I looked this up and it seems to be some sort of a password searcher for outlook/IE... trend said that it had successfully quarantined the file which had infected a pwtemp folder.

    The rest of the computer seems to be working fine; I have disabled the network connection (which I can re-enable in safe mode, but there is still no access to the internet). What, if anything, can I do, and is there a likelihood that this is the cause of the internet problems for my roommates?

    Thank you all very much for your time

    -Dave

    A few additions - perhaps this will help
    I ran the internet explorer Network Diagnostic and it came up with, among other things, the following
    Invalid IP address
    -error - unexpected error from iphlpapi: The pipe is being closed.
    DNS - Not a home user scenario
    warn - Unrecognized WinSock NSP: mdnsNSP
    Error Code: 0x2afc - either gateway or DNS issue
    warn - corrupted IP routing table
    default route missing/invalid
    warn - invalid ARP cache entries
    ARP cache has been flushed

    Also I cannot access the internet even in safe mode with networking--
    I am working with Windows XP
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Hi and welcome to TSG,

    I see you're running XP but do you have SP2 installed?

    If so, do this (if not, please let me know as the instructions will be different):

    Go to Start - Run - type in cmd and click OK.

    At the command prompt type in:

    netsh winsock reset catalog

    Press enter.

    then type in:

    netsh int ip reset resetlog.txt

    Press enter.

    You will need to reboot afterwards.


    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    Hey thanks a lot for your help thus far. I do have SP2 -- Internet is working in the apartment so I am posting this from the (likely) infected computer. I ran HJT and this is what it came up with.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:44:52 PM, on 4/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\system\Update.exe
    C:\Windows\System32\drivers\setup\manager.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\windows\system\Update.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\AIM6\aim6.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Windows\System32\drivers\setup\irc\irc.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    E:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\WINDOWS\Temp\0\Private\Vendor\ProgFiles\ViewBarBHO.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [startup netsend] net send localhost "Hello Dave!"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKLM\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    O4 - HKCU\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136431801904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136431792482
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10565 bytes

    Thanks a lot,
    Dave
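A small triage script for the O4 autorun lines of a HijackThis log like the one posted above, as an added example that is not part of the thread or of HijackThis itself. The sample lines are constructed to mirror the posted log, and the list of "odd" image locations is an assumption about where legitimate startup programs normally live; it flags entries whose command is not an executable path, whose image sits in an unusual directory, or whose name is registered in more than one hive, which is the by-eye check a helper does on such a log.

```python
"""Triage O4 (registry Run) entries from a HijackThis log.

Added example; not part of the original thread or of HijackThis.
"""
import re
from collections import defaultdict

# Constructed sample shaped like the O4 lines in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [startup netsend] net send localhost "Hello Dave!"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
"""

# Matches "O4 - <hive>\..\Run: [<name>] <command>" (HKLM, HKCU and HKUS\<sid>).
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# An unquoted drive-letter path up to its executable extension.
PATH_RE = re.compile(r'^[a-z]:\\.*?\.(?:exe|com|bat|cmd)', re.IGNORECASE)

# Assumed: directories in which a genuine startup program is rarely installed.
ODD_LOCATIONS = (
    '\\drivers\\',          # drivers\ holds .sys files, not startup executables
    '\\windows\\system\\',  # the legacy 16-bit directory; updaters live in system32
    '\\temp\\',
    '\\recycler\\',
)


def parse_o4(log_text):
    """Yield (hive, name, command) for every registry-backed O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group('hive'), m.group('name'), m.group('cmd')


def extract_image(cmd):
    """Return the executable path of an autorun command, or None if the
    command is not a path at all (e.g. a shell built-in like 'net send')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = PATH_RE.match(cmd)
    return m.group(0) if m else None


def triage(log_text):
    """Return the O4 entries worth a second look, each with its reasons."""
    entries = list(parse_o4(log_text))
    hives_by_name = defaultdict(set)
    for hive, name, _ in entries:
        hives_by_name[name.lower()].add(hive)

    flagged = []
    for hive, name, cmd in entries:
        reasons = []
        image = extract_image(cmd)
        if image is None:
            reasons.append('command is not an executable path')
        else:
            low = image.lower()
            for marker in ODD_LOCATIONS:
                if marker in low:
                    reasons.append('image lives under %s' % marker)
        n_hives = len(hives_by_name[name.lower()])
        if n_hives > 1:
            reasons.append('same entry registered in %d hives' % n_hives)
        if reasons:
            flagged.append({'hive': hive, 'name': name,
                            'image': image, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        print('%-4s [%s] %s' % (entry['hive'], entry['name'], entry['image']))
        for reason in entry['reasons']:
            print('      - ' + reason)
```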
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  5. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    Here is the report.txt --Thanks

    SDFix: Version 1.170
    Run by Dimension 4500 on Sun 04/13/2008 at 06:05 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\23.tmp - Deleted
    C:\WINDOWS\system32\24.tmp - Deleted
    C:\WINDOWS\system32\11F.tmp - Deleted
    C:\WINDOWS\system\Update.exe - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 18:13:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:0d,e0,7c,1a,59,49,d1,39,88,68,a8,53,93,76,14,8e,f9,e9,3a,7a,4d,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,3f,a7,50,27,04,77,74,2e,d3,b1,99,cc,01,ff,99,2a,a1,..
    "khjeh"=hex:3a,28,36,c0,ca,dd,89,c6,71,95,1b,e8,01,ea,46,a4,f8,1c,c0,bf,de,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:36,97,3d,2c,8e,42,cf,02,97,ee,43,5a,76,6b,1c,f6,e5,58,c1,db,3f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:22,dd,89,81,77,13,15,d9,76,56,93,e6,de,69,b2,39,5b,0e,45,54,ed,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:0d,e0,7c,1a,59,49,d1,39,88,68,a8,53,93,76,14,8e,f9,e9,3a,7a,4d,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,3f,a7,50,27,04,77,74,2e,d3,b1,99,cc,01,ff,99,2a,a1,..
    "khjeh"=hex:3a,28,36,c0,ca,dd,89,c6,71,95,1b,e8,01,ea,46,a4,f8,1c,c0,bf,de,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:36,97,3d,2c,8e,42,cf,02,97,ee,43,5a,76,6b,1c,f6,e5,58,c1,db,3f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:22,dd,89,81,77,13,15,d9,76,56,93,e6,de,69,b2,39,5b,0e,45,54,ed,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
    "EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
    "CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:0d,e0,7c,1a,59,49,d1,39,88,68,a8,53,93,76,14,8e,f9,e9,3a,7a,4d,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,3f,a7,50,27,04,77,74,2e,d3,b1,99,cc,01,ff,99,2a,a1,..
    "khjeh"=hex:3a,28,36,c0,ca,dd,89,c6,71,95,1b,e8,01,ea,46,a4,f8,1c,c0,bf,de,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:36,97,3d,2c,8e,42,cf,02,97,ee,43,5a,76,6b,1c,f6,e5,58,c1,db,3f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:22,dd,89,81,77,13,15,d9,76,56,93,e6,de,69,b2,39,5b,0e,45,54,ed,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Common Files\\AOL\\1137385451\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137385451\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1137385451\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137385451\\ee\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Common Files\\AOL\\1137449873\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137449873\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1137449873\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137449873\\ee\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aim6.exe:*:Enabled:AIM"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 24 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
    Mon 10 Mar 2008 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc4858.tmp"
    Tue 12 Feb 2008 24,576 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc52.tmp"
    Wed 26 Mar 2008 28,160 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc5210.tmp"
    Wed 26 Mar 2008 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc5211.tmp"
    Wed 26 Mar 2008 29,696 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc5212.tmp"
    Tue 12 Feb 2008 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc53.tmp"
    Thu 8 Nov 2007 1,268 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc77.tmp"
    Sun 16 Apr 2006 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc825.tmp"
    Mon 17 Apr 2006 27,648 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc826.tmp"
    Mon 17 Apr 2006 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc827.tmp"
    Mon 17 Apr 2006 31,744 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc828.tmp"
    Mon 17 Apr 2006 27,136 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc829.tmp"
    Sun 16 Apr 2006 25,600 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc830.tmp"
    Mon 17 Apr 2006 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc831.tmp"
    Mon 17 Apr 2006 27,648 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc832.tmp"
    Sun 16 Apr 2006 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc833.tmp"
    Mon 14 Aug 2006 25,600 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc847.tmp"
    Fri 8 Feb 2008 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc848.tmp"
    Mon 17 Apr 2006 31,744 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc849.tmp"
    Thu 7 Feb 2008 25,600 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc850.tmp"
    Thu 7 Feb 2008 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc851.tmp"
    Thu 7 Feb 2008 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc852.tmp"
    Thu 7 Feb 2008 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc853.tmp"
    Thu 7 Feb 2008 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc854.tmp"
    Wed 19 Apr 2006 35,840 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc855.tmp"
    Fri 8 Feb 2008 31,232 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc856.tmp"
    Thu 7 Feb 2008 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc857.tmp"
    Thu 7 Feb 2008 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc858.tmp"
    Tue 12 Feb 2008 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc859.tmp"
    Wed 19 Apr 2006 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc860.tmp"
    Tue 12 Feb 2008 25,600 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc861.tmp"
    Wed 19 Apr 2006 32,768 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc862.tmp"
    Fri 8 Feb 2008 34,816 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc863.tmp"
    Thu 7 Feb 2008 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc864.tmp"
    Fri 8 Feb 2008 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc865.tmp"
    Wed 19 Apr 2006 35,840 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc866.tmp"
    Wed 19 Apr 2006 35,328 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc867.tmp"
    Thu 7 Feb 2008 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc868.tmp"
    Thu 7 Feb 2008 27,648 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc869.tmp"
    Fri 8 Feb 2008 31,744 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc870.tmp"
    Thu 7 Feb 2008 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-583907252-1409082233-682003330-1004\Dc871.tmp"
    Mon 22 Oct 2007 88 ..SHR --- "C:\WINDOWS\system32\98ADE16A7D.sys"
    Mon 22 Oct 2007 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Tue 2 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Thu 27 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1A.tmp"
    Wed 9 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT16.tmp"
    Mon 31 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT4.tmp"
    Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Dimension 4500\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Please visit the Combofix Guide & Instructions for instructions on downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
     
  7. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    Thanks for the reply...

    Here is the combofix log

    ComboFix 08-04-13.3 - Dimension 4500 2008-04-14 12:35:09.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.631 [GMT -5:00]
    Running from: C:\Documents and Settings\Dimension 4500\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-13 21:35 . 2008-04-13 22:27 121 --a------ C:\WINDOWS\bdagent.INI
    2008-04-13 20:36 . 2008-04-13 20:36 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\BitDefender
    2008-04-13 20:34 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\BitDefender
    2008-04-13 20:34 . 2008-04-13 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-04-13 20:33 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-04-13 18:02 . 2008-04-13 18:02 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-13 17:46 . 2008-04-13 18:17 <DIR> d-------- C:\SDFix
    2008-04-10 01:30 . 2008-04-10 01:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-06 22:41 . 2008-04-06 22:41 <DIR> d-------- C:\Program Files\MSECache
    2008-03-30 02:48 . 2008-03-30 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\MSN6
    2008-03-28 14:37 . 2008-04-14 12:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-28 14:37 . 2008-03-28 14:37 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-27 22:15 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 17:52 . 2008-03-27 17:55 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.housecall6.6
    2008-03-27 15:00 . 2008-04-14 12:17 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.rainlendar2
    2008-03-27 14:59 . 2008-03-27 14:59 <DIR> d-------- C:\Program Files\Rainlendar2
    2008-03-26 21:57 . 2008-03-26 21:57 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Zepsoft
    2008-03-26 21:56 . 2008-03-26 21:56 724,992 --a------ C:\WINDOWS\iun6002.exe
    2008-03-26 21:33 . 2008-04-14 02:00 <DIR> d-------- C:\WINDOWS\system32\drivers\setup
    2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Bret Taylor
    2008-03-26 21:16 . 2008-03-26 21:16 <DIR> d-------- C:\Program Files\Bret Taylor
    2008-03-26 17:41 . 2008-03-26 17:42 <DIR> d-------- C:\Program Files\Notepad++
    2008-03-26 17:41 . 2008-03-26 17:43 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Notepad++
    2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Program Files\Daily Alarm Clock
    2008-03-25 16:38 . 2008-03-25 17:14 <DIR> d-------- C:\Program Files\CyPet
    2008-03-24 16:30 . 2008-04-13 17:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-24 16:30 . 1998-06-24 00:00 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-03-24 16:17 . 2008-03-24 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-03-24 11:47 . 2008-03-24 11:47 <DIR> d-------- C:\Program Files\PowerISO
    2008-03-14 01:04 . 2008-03-14 01:04 46,652 --a------ C:\WINDOWS\system32\drivers\scdemu.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 17:18 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Skype
    2008-04-14 17:16 --------- d-----w C:\Program Files\Plaxo
    2008-04-13 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-04-12 21:43 --------- d-----w C:\Program Files\Trend Micro
    2008-04-10 06:40 --------- d-----w C:\Program Files\PeerGuardian2
    2008-04-10 00:08 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-09 23:28 --------- d-----w C:\Program Files\Microsoft Games
    2008-04-08 21:41 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Ruckus Network
    2008-03-27 22:29 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-03-27 00:41 --------- d-----w C:\Program Files\MagicISO
    2008-03-27 00:32 --------- d-----w C:\Program Files\Java
    2008-03-25 22:17 --------- d-----w C:\Program Files\eMusic Download Manager
    2008-03-25 22:15 --------- d-----w C:\Program Files\DOS Applications
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-13 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Program Files\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Uniblue
    2008-03-06 23:15 --------- d-----w C:\Program Files\iTunes
    2008-03-06 23:11 --------- d-----w C:\Program Files\iPod
    2008-03-06 22:57 --------- d-----w C:\Program Files\QuickTime
    2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-02-25 04:50 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Move Networks
    2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
    2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-02-19 14:36 --------- d-----w C:\Program Files\UltraISO
    2008-02-19 14:34 --------- d-----w C:\Program Files\Common Files\EZB Systems
    2008-02-19 04:29 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-02-19 04:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-02-19 04:20 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\DAEMON Tools
    2008-02-18 15:39 --------- d-----w C:\Program Files\HP
    2008-02-18 15:39 --------- d-----w C:\Program Files\Common Files\HP
    2008-02-18 15:36 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-02-18 15:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-02-18 15:27 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\HP
    2008-02-17 16:02 --------- d-----w C:\Program Files\VDMSound
    2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-02-11 21:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\{00E6FEEF-26C6-4686-984B-6A76DCA22797}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\{0385268C-A0B1-4A19-B08F-49A2787C24AF}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{11B15A89-F4BB-4E02-95CD-7708CCA17D3F}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{5828B0D3-9AB4-4B81-A498-BD3662AD3475}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{B9C3CC9A-59D9-4F64-A817-7ED9B5B38A74}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\{E8AC622D-2097-436C-9156-280F29B353D0}.dat
    2007-10-22 23:19 88 --sh--r C:\WINDOWS\system32\98ADE16A7D.sys
    2007-10-22 23:19 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\system32\{42083E56-FAEA-435C-AC8C-EFE0F6FCB6C1}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{45B1A323-01E2-4CC7-8E0C-DB3B0EE41CAB}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{4BC8F67F-C337-482A-89A8-DFF2B15F21FA}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{641EDB02-C5FD-4B37-B302-F8C297827226}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\system32\{6FD5594F-091C-4C49-A2F1-377F8F13776A}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\system32\{D134ADB3-D8B1-455D-B836-90A1C8E6EDC0}.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "Stickies"="C:\Program Files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 12:35 335872]
    "manager"="C:\Windows\System32\drivers\setup\manager.exe" [ ]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 05:23 1365504]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-11 16:24 185896]
    "BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-04-30 19:46 49152]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
    "startup netsend"="net send localhost Hello Dave!" []
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "manager"="C:\Windows\System32\drivers\setup\manager.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
    "HostManager"="C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe" [2006-05-09 19:24 50760]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2006-01-11 09:21:58 524288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:54]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
    S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
    S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
    S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc4fddf6-e22e-11db-aca7-0008a11f7b5a}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 22:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-04 20:26:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-02-24 21:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-07 01:51:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 12:37:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"
    .
    Completion time: 2008-04-14 12:38:03
    ComboFix-quarantined-files.txt 2008-04-14 17:37:51

    Pre-Run: 89,300,738,048 bytes free
    Post-Run: 89,295,413,248 bytes free
    .
    2008-04-10 18:30:11 --- E O F ---

    After ComboFix I ran HJT again, and this is the new log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:41:50 PM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    E:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [startup netsend] net send localhost "Hello Dave!"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKLM\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    O4 - HKCU\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe"
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136431801904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136431792482
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 9589 bytes

    Thanks again,

    Dave
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Is your version of Windows XP 64-bit?
     
  9. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    It is a 32-bit version of Windows.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Go to Control Panel - Add/Remove programs and remove any of these you see there:

    Viewpoint
    Viewpoint Manager
    Viewpoint Media Player



    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    DirLook::
    C:\WINDOWS\system32\drivers\setup
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"=-
    "manager"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "startup netsend"=-
    "Windows Updates"=-
    "manager"=-
     
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    Important! This infection steals passwords so you need to create new passwords from a clean computer for logins and any banking or financial transactions you do on-line.
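    To show how a helper gets from the "Reg Loading Points" section of a ComboFix log to a Registry:: block like the one above, here is an added example (not from this thread, ComboFix or HijackThis): it parses Run entries in ComboFix's log format, flags entries with no file date/size, a command line instead of a program path, or an unusual launch folder, and renders the matching "name"=- deletions. The sample log lines are constructed to mirror the entries posted earlier in the thread; the triage heuristics are this example's own.

```python
"""Triage ComboFix "Reg Loading Points" entries and draft a CFScript Registry:: block.

Added example, not part of the thread or of ComboFix. The heuristics flag what a
malware helper looks at first in a Run-key listing: no "[date time size]" metadata
(ComboFix found no file), a command line instead of a program path, or a program
launched from a folder legitimate installers do not use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in ComboFix's log format; entries mirror the ones posted in
# the thread, trimmed to a few legitimate and a few suspect lines.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"manager"="C:\Windows\System32\drivers\setup\manager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-11 16:24 185896]
"startup netsend"="net send localhost Hello Dave!" []
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# A program path starts with a drive letter or an environment variable.
PATH_RE = re.compile(r'^"?([a-z]:\\|%)')

# Launch folders that legitimate software almost never uses for autoruns
# (plain, non-raw strings so each can end in a backslash).
UNUSUAL_DIRS = (
    "\\system32\\drivers\\",  # holds .sys drivers, not autorun .exe files
    "\\windows\\system\\",    # 16-bit legacy folder, unused by modern installers
    "\\temp\\",
)


@dataclass
class RunEntry:
    key: str   # registry key the value lives under
    name: str  # value name, e.g. "Windows Updates"
    cmd: str   # command ComboFix recorded
    meta: str  # "YYYY-MM-DD HH:MM size", or "" when ComboFix found no file


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Parse ComboFix Run-key lines into RunEntry records, in log order."""
    entries: List[RunEntry] = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries.append(RunEntry(key, vm.group("name"), vm.group("cmd"),
                                    vm.group("meta").strip()))
    return entries


def reasons(entry: RunEntry) -> List[str]:
    """Return triage reasons for one entry; an empty list means it looks normal."""
    out: List[str] = []
    cmd = entry.cmd.lower()
    if not entry.meta:
        out.append("no file date/size: ComboFix found no file at that path")
    if not PATH_RE.match(cmd):
        out.append("value is a command line, not a program path")
    out.extend(f"launched from unusual folder {d}" for d in UNUSUAL_DIRS if d in cmd)
    return out


def build_cfscript(entries: List[RunEntry]) -> str:
    """Render a CFScript Registry:: block that deletes every flagged value ("name"=-)."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        if reasons(e):
            by_key.setdefault(e.key, []).append(e.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_run_entries(SAMPLE_LOG)
    for e in parsed:
        for r in reasons(e):
            print(f"{e.name!r} -> {r}")
    print(build_cfscript(parsed))
```

Run against the sample, the flagged set is exactly the three names Cookiegal removed, while ctfmon.exe and realsched.exe pass untouched.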
     
  11. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    All of the Viewpoint programs have been deleted.

    Here is the new ComboFix log:

    ComboFix 08-04-13.3 - Dimension 4500 2008-04-14 17:12:30.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.619 [GMT -5:00]
    Running from: C:\Documents and Settings\Dimension 4500\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Dimension 4500\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-13 21:35 . 2008-04-13 22:27 121 --a------ C:\WINDOWS\bdagent.INI
    2008-04-13 20:36 . 2008-04-13 20:36 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\BitDefender
    2008-04-13 20:34 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\BitDefender
    2008-04-13 20:34 . 2008-04-13 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-04-13 20:33 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-04-13 18:02 . 2008-04-13 18:02 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-13 17:46 . 2008-04-13 18:17 <DIR> d-------- C:\SDFix
    2008-04-10 01:30 . 2008-04-10 01:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-06 22:41 . 2008-04-06 22:41 <DIR> d-------- C:\Program Files\MSECache
    2008-03-30 02:48 . 2008-03-30 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\MSN6
    2008-03-28 14:37 . 2008-04-14 12:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-28 14:37 . 2008-03-28 14:37 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-27 22:15 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 17:52 . 2008-03-27 17:55 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.housecall6.6
    2008-03-27 15:00 . 2008-04-14 12:17 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.rainlendar2
    2008-03-27 14:59 . 2008-03-27 14:59 <DIR> d-------- C:\Program Files\Rainlendar2
    2008-03-26 21:57 . 2008-03-26 21:57 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Zepsoft
    2008-03-26 21:56 . 2008-03-26 21:56 724,992 --a------ C:\WINDOWS\iun6002.exe
    2008-03-26 21:33 . 2008-04-14 02:00 <DIR> d-------- C:\WINDOWS\system32\drivers\setup
    2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Bret Taylor
    2008-03-26 21:16 . 2008-03-26 21:16 <DIR> d-------- C:\Program Files\Bret Taylor
    2008-03-26 17:41 . 2008-03-26 17:42 <DIR> d-------- C:\Program Files\Notepad++
    2008-03-26 17:41 . 2008-03-26 17:43 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Notepad++
    2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Program Files\Daily Alarm Clock
    2008-03-25 16:38 . 2008-03-25 17:14 <DIR> d-------- C:\Program Files\CyPet
    2008-03-24 16:30 . 2008-04-13 17:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-24 16:30 . 1998-06-24 00:00 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-03-24 16:17 . 2008-03-24 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-03-24 11:47 . 2008-03-24 11:47 <DIR> d-------- C:\Program Files\PowerISO
    2008-03-14 01:04 . 2008-03-14 01:04 46,652 --a------ C:\WINDOWS\system32\drivers\scdemu.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 22:11 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Skype
    2008-04-14 22:09 --------- d-----w C:\Program Files\Viewpoint
    2008-04-14 22:09 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint
    2008-04-14 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-04-14 17:16 --------- d-----w C:\Program Files\Plaxo
    2008-04-13 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-04-12 21:43 --------- d-----w C:\Program Files\Trend Micro
    2008-04-10 06:40 --------- d-----w C:\Program Files\PeerGuardian2
    2008-04-10 00:08 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-09 23:28 --------- d-----w C:\Program Files\Microsoft Games
    2008-04-08 21:41 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Ruckus Network
    2008-03-27 22:29 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-03-27 00:41 --------- d-----w C:\Program Files\MagicISO
    2008-03-27 00:32 --------- d-----w C:\Program Files\Java
    2008-03-25 22:17 --------- d-----w C:\Program Files\eMusic Download Manager
    2008-03-25 22:15 --------- d-----w C:\Program Files\DOS Applications
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-13 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Program Files\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Uniblue
    2008-03-06 23:15 --------- d-----w C:\Program Files\iTunes
    2008-03-06 23:11 --------- d-----w C:\Program Files\iPod
    2008-03-06 22:57 --------- d-----w C:\Program Files\QuickTime
    2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-02-25 04:50 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Move Networks
    2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
    2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-02-19 14:36 --------- d-----w C:\Program Files\UltraISO
    2008-02-19 14:34 --------- d-----w C:\Program Files\Common Files\EZB Systems
    2008-02-19 04:29 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-02-19 04:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-02-19 04:20 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\DAEMON Tools
    2008-02-18 15:39 --------- d-----w C:\Program Files\HP
    2008-02-18 15:39 --------- d-----w C:\Program Files\Common Files\HP
    2008-02-18 15:36 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-02-18 15:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-02-18 15:27 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\HP
    2008-02-17 16:02 --------- d-----w C:\Program Files\VDMSound
    2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-02-11 21:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\{00E6FEEF-26C6-4686-984B-6A76DCA22797}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\{0385268C-A0B1-4A19-B08F-49A2787C24AF}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{11B15A89-F4BB-4E02-95CD-7708CCA17D3F}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{5828B0D3-9AB4-4B81-A498-BD3662AD3475}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{B9C3CC9A-59D9-4F64-A817-7ED9B5B38A74}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\{E8AC622D-2097-436C-9156-280F29B353D0}.dat
    2007-10-22 23:19 88 --sh--r C:\WINDOWS\system32\98ADE16A7D.sys
    2007-10-22 23:19 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\system32\{42083E56-FAEA-435C-AC8C-EFE0F6FCB6C1}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{45B1A323-01E2-4CC7-8E0C-DB3B0EE41CAB}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{4BC8F67F-C337-482A-89A8-DFF2B15F21FA}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{641EDB02-C5FD-4B37-B302-F8C297827226}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\system32\{6FD5594F-091C-4C49-A2F1-377F8F13776A}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\system32\{D134ADB3-D8B1-455D-B836-90A1C8E6EDC0}.dat
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\WINDOWS\system32\drivers\setup ----

    2008-04-14 02:00 227 --a------ C:\WINDOWS\system32\drivers\setup\servers.txt
    2008-04-14 00:30 174342 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\test8.exe
    2008-04-13 23:00 162515 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\dlr6.exe
    2008-04-13 16:44 154856 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\m2.exe
    2008-04-08 08:56 163310 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\dlr5.exe
    2008-04-08 06:26 149622 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\m1.exe
    2008-04-08 02:25 173852 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\test7.exe
    2008-04-08 01:25 82063 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\pwtemp1.exe
    2008-04-07 12:23 159698 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\dlr4.exe
    2008-04-06 23:52 173864 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\test6.exe
    2008-04-06 21:51 6 --a------ C:\WINDOWS\system32\drivers\setup\irc\server.txt
    2008-04-04 12:29 155886 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\dlr1.exe
    2008-04-04 11:58 173182 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\test4.exe
    2008-04-03 01:54 638976 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\rob2.exe
    2007-09-05 03:15 305 --a------ C:\WINDOWS\system32\drivers\setup\cmd.txt
    2007-07-29 21:37 24576 --a------ C:\WINDOWS\system32\drivers\setup\hosts\hostsmon.exe
    2007-07-06 05:04 632 --a------ C:\WINDOWS\system32\drivers\setup\startup.reg
    2007-07-06 04:08 21 --a------ C:\WINDOWS\system32\drivers\setup\hosts\server.txt
    2007-07-04 23:23 40960 --a------ C:\WINDOWS\system32\drivers\setup\downloader\downloader.exe
    1998-06-24 00:00 108336 --a------ C:\WINDOWS\system32\drivers\setup\mswinsck.ocx


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "Stickies"="C:\Program Files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 12:35 335872]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 05:23 1365504]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 10:42 9479448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-11 16:24 185896]
    "BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-04-30 19:46 49152]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
    "HostManager"="C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe" [2006-05-09 19:24 50760]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2006-01-11 09:21:58 524288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:54]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
    S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
    S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
    S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc4fddf6-e22e-11db-aca7-0008a11f7b5a}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 22:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-14 22:03:20 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-02-24 21:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-07 01:51:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 17:14:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"
    .
    Completion time: 2008-04-14 17:15:06
    ComboFix-quarantined-files.txt 2008-04-14 22:14:56
    ComboFix2.txt 2008-04-14 17:38:04

    Pre-Run: 91,611,750,400 bytes free
    Post-Run: 91,642,146,816 bytes free
    .
    2008-04-10 18:30:11 --- E O F ---

    Here is the new HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:18:45 PM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\WINDOWS\explorer.exe
    E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136431801904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136431792482
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8917 bytes


    -Dave

ps- I used this computer for almost all of my online financial dealings:
    2 online banking accounts, 2 paypal accounts, and a few sites for online bill payment (AT&T).
    I have checked these and it appears that they have not been tampered with -- would you recommend that I still access them from a different computer and change the passwords? Is there anything else I should do to make sure they are secure?
    Thanks again for your help
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    Yes, I definitely recommend you change all passwords. You could also contact those financial institutions to get them to watch for suspicious activity.

    Open Notepad and copy and paste the text in the code box below into it:

    Code:
Folder::
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint
    C:\WINDOWS\system32\drivers\setup

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"=-

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[IMG]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
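The reply above builds its CFScript by hand from two observations in the posted logs: an autostart value named "Windows Updates" that points at c:\windows\system\Update.exe (a Windows-sounding name, outside system32, registered identically under both HKLM and HKCU, with ComboFix showing no file size for it), and a directory under system32\drivers\setup full of .exe, .ocx and IRC server lists where only .sys files belong. The script below automates that triage and emits a CFScript in the same Folder:: / Registry:: format. It is an added example by the editor, not part of the thread and not ComboFix's or HijackThis's own code; the sample lines are a constructed subset copied from the logs posted above, and the heuristics (name mimicry, duplicate HKLM/HKCU registration, non-.sys files under drivers\) are the editor's assumptions, not tool output.

```python
"""Triage HijackThis O4 lines and the ComboFix 'Look' section, then emit a
CFScript.  Added example by the editor; the heuristics are assumptions."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# Constructed sample: a subset of the ComboFix 'Look' section above.
SAMPLE_LOOK_LINES = r"""
2008-04-14 02:00 227 --a------ C:\WINDOWS\system32\drivers\setup\servers.txt
2008-04-14 00:30 174342 --a------ C:\WINDOWS\system32\drivers\setup\downloader\files\test8.exe
2008-04-06 21:51 6 --a------ C:\WINDOWS\system32\drivers\setup\irc\server.txt
1998-06-24 00:00 108336 --a------ C:\WINDOWS\system32\drivers\setup\mswinsck.ocx
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
LOOK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")

# Heuristic (assumption): a Windows-sounding autostart name is only plausible
# if the binary lives in system32 or Program Files.
MIMIC_WORDS = ("windows", "microsoft", "update", "security")
TRUSTED_DIRS = ("\\windows\\system32\\", "\\program files\\")
HIVE_FULL = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_o4(text):
    """Return [{'hive','name','path'}] for each O4 Run entry in the log text."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        # A quoted command keeps its spaces; otherwise the path ends at the first space.
        path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        entries.append({"hive": hive, "name": name, "path": path})
    return entries


def flag_entries(entries):
    """Return [(entry, [reasons])] for entries that deserve a closer look."""
    hives_by_path = defaultdict(set)
    for e in entries:
        hives_by_path[e["path"].lower()].add(e["hive"])
    flagged = []
    for e in entries:
        path, name = e["path"].lower(), e["name"].lower()
        trusted = any(d in path for d in TRUSTED_DIRS)
        reasons = []
        if any(w in name for w in MIMIC_WORDS) and not trusted:
            reasons.append("Windows-sounding name outside system32/Program Files")
        if len(hives_by_path[path]) > 1 and not trusted:
            reasons.append("same binary in " + "+".join(sorted(hives_by_path[path])))
        if reasons:
            flagged.append((e, reasons))
    return flagged


def non_driver_files_under_drivers(text):
    """Paths under system32\\drivers that are not .sys files: kernel drivers
    belong there, downloaders, OCX controls and IRC server lists do not."""
    odd = []
    for line in text.splitlines():
        m = LOOK_RE.match(line.strip())
        if m and "\\system32\\drivers\\" in m.group(1).lower() \
                and not m.group(1).lower().endswith(".sys"):
            odd.append(m.group(1))
    return odd


def build_cfscript(flagged, odd_paths):
    """Emit a CFScript: Folder:: for the top-level dropper folder under
    drivers\\, Registry:: with "name"=- to delete each flagged Run value."""
    targets = set()
    for p in odd_paths:
        idx = p.lower().index("\\system32\\drivers\\") + len("\\system32\\drivers\\")
        rest = p[idx:]
        targets.add(p[: idx + rest.index("\\")] if "\\" in rest else p)
    lines = ["Folder::"] + sorted(targets) + ["", "Registry::"]
    seen = set()
    for e, _ in flagged:
        key = HIVE_FULL.get(e["hive"])
        if key is None or (key, e["name"]) in seen:
            continue
        seen.add((key, e["name"]))
        lines.append("[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]" % key)
        lines.append('"%s"=-' % e["name"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = flag_entries(parse_o4(SAMPLE_O4_LINES))
    for e, reasons in flagged:
        print("%s [%s] %s: %s" % (e["hive"], e["name"], e["path"], "; ".join(reasons)))
    print(build_cfscript(flagged, non_driver_files_under_drivers(SAMPLE_LOOK_LINES)))
```

On the posted sample this flags only the two "Windows Updates" values and collapses the drivers\setup tree to a single Folder:: line, which is the same script the reply above wrote by hand (minus the Viewpoint folder, which is adware rather than this dropper). The heuristics are deliberately narrow: SunJavaUpdateSched contains "update" but sits under Program Files, so it is left alone.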
  13. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    COMBOFIX LOG

    ComboFix 08-04-13.3 - Dimension 4500 2008-04-15 14:34:32.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.596 [GMT -5:00]
    Running from: C:\Documents and Settings\Dimension 4500\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Dimension 4500\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1324369662.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1510592702.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1627719655.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-229496160.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-405317999.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-725440902.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-735583800.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1745690438.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\358953496.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\456817750.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\617478198.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1017321819.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1510502644.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-2073163128.mzv
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-299397824.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-588947290.mtz
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-873313396.mtz
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-916845981.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1054459834.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1076943612.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1224228534.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1300140075.mtz
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1624992797.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1991437604.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\663127232.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-130594357.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1679681788.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1859761695.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\333454497.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\697383590.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1054858782.gif
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1381594637.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1850579979.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-192973655.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-280947783.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-299097121.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-359462623.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-392772276.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1086973273.mzv
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1099791092.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1586664009.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\170927699.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1770026168.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\358953575.mtz
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\512883148.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\602720530.swf
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\806738442.mts
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
    C:\Documents and Settings\Dimension 4500\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
    C:\WINDOWS\system32\drivers\setup
    C:\WINDOWS\system32\drivers\setup\cmd.txt
    C:\WINDOWS\system32\drivers\setup\downloader\downloader.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\dlr1.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\dlr4.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\dlr5.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\dlr6.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\m1.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\m2.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\pwtemp1.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\rob2.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\test4.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\test6.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\test7.exe
    C:\WINDOWS\system32\drivers\setup\downloader\files\test8.exe
    C:\WINDOWS\system32\drivers\setup\hosts\hostsmon.exe
    C:\WINDOWS\system32\drivers\setup\hosts\server.txt
    C:\WINDOWS\system32\drivers\setup\irc\server.txt
    C:\WINDOWS\system32\drivers\setup\mswinsck.ocx
    C:\WINDOWS\system32\drivers\setup\servers.txt
    C:\WINDOWS\system32\drivers\setup\startup.reg

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
    .

    2008-04-13 21:35 . 2008-04-14 23:54 121 --a------ C:\WINDOWS\bdagent.INI
    2008-04-13 20:36 . 2008-04-13 20:36 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\BitDefender
    2008-04-13 20:34 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\BitDefender
    2008-04-13 20:34 . 2008-04-13 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-04-13 20:33 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-04-13 18:02 . 2008-04-13 18:02 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-13 17:46 . 2008-04-13 18:17 <DIR> d-------- C:\SDFix
    2008-04-10 01:30 . 2008-04-10 01:30 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-04-06 22:41 . 2008-04-06 22:41 <DIR> d-------- C:\Program Files\MSECache
    2008-03-30 02:48 . 2008-03-30 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\MSN6
    2008-03-28 14:37 . 2008-04-15 08:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-28 14:37 . 2008-03-28 14:37 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-27 22:15 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
    2008-03-27 17:52 . 2008-03-27 17:55 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.housecall6.6
    2008-03-27 15:00 . 2008-04-15 08:34 <DIR> d-------- C:\Documents and Settings\Dimension 4500\.rainlendar2
    2008-03-27 14:59 . 2008-03-27 14:59 <DIR> d-------- C:\Program Files\Rainlendar2
    2008-03-26 21:57 . 2008-03-26 21:57 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Zepsoft
    2008-03-26 21:56 . 2008-03-26 21:56 724,992 --a------ C:\WINDOWS\iun6002.exe
    2008-03-26 21:17 . 2008-03-26 21:17 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Bret Taylor
    2008-03-26 21:16 . 2008-03-26 21:16 <DIR> d-------- C:\Program Files\Bret Taylor
    2008-03-26 17:41 . 2008-03-26 17:42 <DIR> d-------- C:\Program Files\Notepad++
    2008-03-26 17:41 . 2008-03-26 17:43 <DIR> d-------- C:\Documents and Settings\Dimension 4500\Application Data\Notepad++
    2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Program Files\Daily Alarm Clock
    2008-03-25 16:38 . 2008-03-25 17:14 <DIR> d-------- C:\Program Files\CyPet
    2008-03-24 16:30 . 2008-04-13 17:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-24 16:30 . 1998-06-24 00:00 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-03-24 16:17 . 2008-03-24 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-03-24 11:47 . 2008-03-24 11:47 <DIR> d-------- C:\Program Files\PowerISO

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-15 13:34 --------- d-----w C:\Program Files\Plaxo
    2008-04-15 13:34 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Skype
    2008-04-14 22:09 --------- d-----w C:\Program Files\Viewpoint
    2008-04-14 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-04-13 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-04-12 21:43 --------- d-----w C:\Program Files\Trend Micro
    2008-04-10 06:40 --------- d-----w C:\Program Files\PeerGuardian2
    2008-04-10 00:08 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-09 23:28 --------- d-----w C:\Program Files\Microsoft Games
    2008-04-08 21:41 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Ruckus Network
    2008-03-27 22:29 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-03-27 00:41 --------- d-----w C:\Program Files\MagicISO
    2008-03-27 00:32 --------- d-----w C:\Program Files\Java
    2008-03-25 22:17 --------- d-----w C:\Program Files\eMusic Download Manager
    2008-03-25 22:15 --------- d-----w C:\Program Files\DOS Applications
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-14 06:04 46,652 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
    2008-03-13 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Program Files\Uniblue
    2008-03-13 18:33 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Uniblue
    2008-03-06 23:15 --------- d-----w C:\Program Files\iTunes
    2008-03-06 23:11 --------- d-----w C:\Program Files\iPod
    2008-03-06 22:57 --------- d-----w C:\Program Files\QuickTime
    2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-02-25 04:50 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\Move Networks
    2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
    2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-02-19 14:36 --------- d-----w C:\Program Files\UltraISO
    2008-02-19 14:34 --------- d-----w C:\Program Files\Common Files\EZB Systems
    2008-02-19 04:29 --------- d-----w C:\Program Files\DAEMON Tools Lite
    2008-02-19 04:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-02-19 04:20 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\DAEMON Tools
    2008-02-18 15:39 --------- d-----w C:\Program Files\HP
    2008-02-18 15:39 --------- d-----w C:\Program Files\Common Files\HP
    2008-02-18 15:36 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-02-18 15:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-02-18 15:27 --------- d-----w C:\Documents and Settings\Dimension 4500\Application Data\HP
    2008-02-17 16:02 --------- d-----w C:\Program Files\VDMSound
    2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-02-11 21:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\{00E6FEEF-26C6-4686-984B-6A76DCA22797}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\{0385268C-A0B1-4A19-B08F-49A2787C24AF}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{11B15A89-F4BB-4E02-95CD-7708CCA17D3F}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{5828B0D3-9AB4-4B81-A498-BD3662AD3475}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\{B9C3CC9A-59D9-4F64-A817-7ED9B5B38A74}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\{E8AC622D-2097-436C-9156-280F29B353D0}.dat
    2007-10-22 23:19 88 --sh--r C:\WINDOWS\system32\98ADE16A7D.sys
    2007-10-22 23:19 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-01-05 05:08 32 --sha-w C:\WINDOWS\system32\{42083E56-FAEA-435C-AC8C-EFE0F6FCB6C1}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{45B1A323-01E2-4CC7-8E0C-DB3B0EE41CAB}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{4BC8F67F-C337-482A-89A8-DFF2B15F21FA}.dat
    2006-01-05 05:07 32 --sha-w C:\WINDOWS\system32\{641EDB02-C5FD-4B37-B302-F8C297827226}.dat
    2006-01-05 05:09 32 --sha-w C:\WINDOWS\system32\{6FD5594F-091C-4C49-A2F1-377F8F13776A}.dat
    2006-01-05 05:10 32 --sha-w C:\WINDOWS\system32\{D134ADB3-D8B1-455D-B836-90A1C8E6EDC0}.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-14_12.37.41.40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 17:16:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-15 13:33:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "Stickies"="C:\Program Files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 12:35 335872]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 05:23 1365504]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 10:42 9479448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-11 16:24 185896]
    "BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-04-30 19:46 49152]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Windows Updates"="c:\windows\system\Update.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
    "HostManager"="C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe" [2006-05-09 19:24 50760]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2006-01-11 09:21:58 524288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139354471\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:54]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
    S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
    S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
    S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc4fddf6-e22e-11db-aca7-0008a11f7b5a}]
    \Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

    *Newly Created Service* - PGFILTER
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 22:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-04-14 22:03:20 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-02-24 21:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2008-04-07 01:51:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-15 14:36:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Updates"="c:\\windows\\system\\Update.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\pgfilter]
    "ImagePath"="\??\C:\Program Files\PeerGuardian2\pgfilter.sys"
    .
    Completion time: 2008-04-15 14:37:14
    ComboFix-quarantined-files.txt 2008-04-15 19:37:05
    ComboFix2.txt 2008-04-14 22:15:07
    ComboFix3.txt 2008-04-14 17:38:04

    Pre-Run: 91,734,552,576 bytes free
    Post-Run: 91,713,363,968 bytes free
    .
    2008-04-10 18:30:11 --- E O F ---


    -Dave

    ps- hjt log in the next reply (too many characters)
     
  14. dlello2

    dlello2 Thread Starter

    Joined:
    Apr 9, 2008
    Messages:
    14
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:42:10 PM, on 4/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139354471\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136431801904
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136431792482
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8918 bytes

    -Thanks,

    Dave
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,695
    In addition to BitDefender, I see entries for Trend and Panda. You should remove all components of the others as they may conflict and cause problems.

    For a firewall, you can get the free ZoneAlarm.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
    O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
    O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe



    Reboot and post a new HijackThis log please.
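
Added example, not code from this thread or from HijackThis or ComboFix: a small Python triage script that applies the reasoning behind the entries picked above to sample lines copied from the two logs in this thread. It flags orphaned BHOs (`(no file)`), Run values whose name imitates a Windows component but whose binary sits outside system32, the same value registered under more than one Run hive, and ComboFix Run entries whose file-info bracket is empty. The lookalike-name list, the system-directory list and the rules themselves are my assumptions, not anything the tools do.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the HijackThis and ComboFix logs above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
"""
SAMPLE_COMBOFIX = r"""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Windows Updates"="c:\windows\system\Update.exe" [ ]
"""

# Assumed heuristics (mine, not HijackThis's): a Run value whose name imitates a
# Windows component should resolve into a system directory; anything else is worth a look.
LOOKALIKE_NAMES = ("windows update", "microsoft update", "security update", "svchost")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<file>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|scr|com|bat|cmd)))(?:\s.*)?$',
    re.IGNORECASE,
)
CF_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')


def triage_hjt(text):
    """Return (line, reason) pairs for HijackThis O2/O4 lines worth a second look."""
    findings, runs = [], []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        o2 = O2_RE.match(line)
        if o2:
            if o2.group("file").strip().lower() == "(no file)":
                findings.append((line, "orphaned BHO: CLSID still registered but its DLL is gone"))
            continue
        o4 = O4_RE.match(line)
        if o4:
            path = (o4.group("quoted") or o4.group("bare")).strip().lower()
            runs.append((line, o4.group("name").strip().lower(), path))
    # The same name/path under both HKLM and HKCU is a common malware persistence
    # pattern; legitimate installers normally register in one hive only.
    seen = Counter((name, path) for _, name, path in runs)
    for line, name, path in runs:
        reasons = []
        if any(tag in name for tag in LOOKALIKE_NAMES) and not path.startswith(SYSTEM_DIRS):
            reasons.append("name imitates a Windows component but the binary is outside system32")
        if seen[(name, path)] > 1:
            reasons.append("identical value registered under more than one Run hive")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


def triage_combofix(text):
    """Flag ComboFix Run entries whose file-info bracket is empty: no file at that path."""
    out = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = CF_RE.match(line)
        if m and not m.group("meta").strip():
            out.append((line, f"ComboFix found no file at {m.group('path')}"))
    return out


def fix_list(text):
    """HijackThis lines to tick before 'Fix checked', in the order they were found."""
    return [line for line, _ in triage_hjt(text)]
```

Running `fix_list(SAMPLE_HJT)` returns exactly the four lines listed in the reply above; `triage_combofix(SAMPLE_COMBOFIX)` adds the independent ComboFix evidence that Update.exe was not on disk when it scanned.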
     
Short URL to this thread: https://techguy.org/701971