love.exe help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
i have something on my computer and it's in my C:/WINDOWS/system32/ folder and it's known as love.exe

it doesn't cause any dampers on my system performance all it does is use alot of Page File.....and RAM.... but i can open up task manager and end the love.exe process and functions return to normal......i've used lavasoft adaware pro...norton internet security...Spy Huter 3 Security Suite.... and uniblue Spy Eraser and Run FULL scans...they picked up some cookies and a few other things but won't remove love.exe.....it's stuck there......i can go into the system 32 folder and delete it and the next time i start up my computer it's right there again and just starts up with my computer again.......someone please help me remove this pain in the neck
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
could someone please help me with this...it's starting to affect my system performance and idk what it is ...the process as listed above is love.exe

it's located in
C:/WINDOWS/system32/love.exe
i uninstalled norton 2008 and installed norton 2007 and it picked up stuff in the full system scan that norton 2008 didn't....i updated my uniblue spy eraser and ran a deep scan it picked up the file love.exe and an S.bat file ...both were located in my system32 folder they were removed and i restarted my computer afterwards and they're right there again...norton internet security doesn't pick this up by the way ......can someone please help me
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
Click here to download HJTsetup.exe.
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:04 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKCU\..\Policies\Explorer\Run: [] C:\WINDOWS\system32\config\sysrestore.exe -s
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10110 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
Combo Fix LOG

ComboFix 08-05-11.1 - Stephen Matthews 2008-05-11 12:41:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT -7:00]
Running from: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000017_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll
C:\WINDOWS\system32\_000028_.tmp.dll
C:\WINDOWS\system32\_000029_.tmp.dll
C:\WINDOWS\system32\_000030_.tmp.dll
C:\WINDOWS\system32\_000031_.tmp.dll
C:\WINDOWS\system32\_000032_.tmp.dll
C:\WINDOWS\system32\_000034_.tmp.dll
C:\WINDOWS\system32\_000058_.tmp.dll
C:\WINDOWS\system32\i.txt
C:\WINDOWS\system32\Ultra.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-10 20:42 . 2008-05-10 20:42 <DIR> d----c--- C:\Program Files\Trend Micro
2008-05-10 20:32 . 2008-05-10 20:32 66 --a--c--- C:\WINDOWS\system32\S.BAT
2008-05-07 20:52 . 2008-05-07 20:52 <DIR> d----c--- C:\Program Files\Radmin Viewer 3
2008-05-07 18:32 . 2008-05-07 18:32 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Radmin
2008-05-07 16:57 . 2008-05-10 19:27 <DIR> d----c--- C:\WINDOWS\system32\rserver30
2008-05-06 17:58 . 2008-05-06 17:58 <DIR> d----c--- C:\WINDOWS\Migo Recover Lost Data
2008-05-06 14:20 . 2008-05-06 14:20 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Aurora Web Editor
2008-05-06 10:49 . 2008-05-06 16:05 <DIR> d----c--- C:\Program Files\Multimedia Australia
2008-05-03 21:44 . 2008-05-05 17:55 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-05-03 21:44 . 2008-05-05 17:55 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\SUPERAntiSpyware.com
2008-05-03 12:56 . 2008-05-03 12:56 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-01 21:44 . 2008-05-01 21:44 <DIR> d----c--- C:\Setup
2008-05-01 20:56 . 2008-05-01 20:56 <DIR> d--hsc--- C:\INCINERATE
2008-04-29 14:42 . 2008-04-29 14:42 <DIR> d----c--- C:\Program Files\Speed Gear 5
2008-04-27 20:07 . 2008-04-27 20:40 <DIR> d----c--- C:\Program Files\Norton Internet Security
2008-04-27 20:06 . 2008-04-27 20:35 123,952 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 20:06 . 2008-04-27 20:35 60,800 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-27 20:05 . 2008-04-27 20:35 <DIR> d----c--- C:\Program Files\Symantec
2008-04-27 19:15 . 2008-04-27 19:17 <DIR> d----c--- C:\WINDOWS\system32\Adobe
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\ES_2_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\ES_1_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\AM_D0.PRF
2008-04-26 07:45 . 2008-04-26 07:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-26 07:45 . 2007-05-03 10:27 47,360 -ra--c--- C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 46,592 -ra--c--- C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:28 39,552 -ra--c--- C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 37,248 -ra--c--- C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 32,000 -ra--c--- C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-04-25 21:06 . 2008-04-25 21:06 <DIR> d----c--- C:\Program Files\Google Hacks
2008-04-25 15:12 . 2007-12-24 17:37 138,384 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-24 21:00 . 2008-04-24 21:00 <DIR> d----c--- C:\Documents and Settings\Administrator.STEPHEN\Application Data\Lavasoft
2008-04-23 18:56 . 2008-04-23 18:56 <DIR> d----c--- C:\Program Files\LimeWire
2008-04-23 17:06 . 2008-04-23 17:06 71 --a--c--- C:\WINDOWS\SpotAuditor.INI
2008-04-22 15:01 . 2008-04-22 15:01 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools Pro
2008-04-22 14:56 . 2007-02-22 09:05 90,112 --a--c--- C:\Progr_.dll
2008-04-22 14:38 . 2008-04-22 14:38 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools
2008-04-22 14:38 . 2008-04-22 14:38 717,296 --a--c--- C:\WINDOWS\system32\drivers\sptd.sys
2008-04-22 04:59 . 2008-04-22 04:59 1,409 --a--c--- C:\WINDOWS\system32\tmp621EE.FOT
2008-04-22 04:59 . 2008-04-22 04:59 24 --a--c--- C:\WINDOWS\AM_D8.PRF
2008-04-22 04:55 . 2008-04-26 11:26 <DIR> d----c--- C:\Program Files\Graffiti Studio 2.0
2008-04-21 22:11 . 2008-04-21 22:11 <DIR> d----c--- C:\WINDOWS\uninstall\F4U KeyGen Maker
2008-04-21 22:11 . 2008-04-21 22:11 <DIR> d----c--- C:\WINDOWS\uninstall
2008-04-21 20:17 . 2008-04-21 20:17 16 --a--c--- C:\WINDOWS\system32\coh.cache
2008-04-20 20:25 . 2008-04-20 20:25 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-20 20:13 . 2008-04-21 21:25 <DIR> d----c--- C:\Program Files\Wireless WEP Key Password Spy
2008-04-18 19:01 . 2008-04-23 10:58 <DIR> d----c--- C:\Program Files\Speeditup Free
2008-04-17 04:49 . 2007-12-19 11:06 172,032 --a--c--- C:\WINDOWS\system32\igfxres.dll
2008-04-17 04:45 . 2008-04-17 04:45 <DIR> d----c--- C:\WINDOWS\OPTIONS
2008-04-17 04:45 . 2008-04-17 04:45 <DIR> d----c--- C:\Program Files\Realtek
2008-04-17 04:43 . 2008-01-31 21:45 53,248 --a--c--- C:\WINDOWS\system32\CSVer.dll
2008-04-17 04:40 . 2008-04-17 04:40 <DIR> d----c--- C:\WINDOWS\system32\ENU
2008-04-17 04:40 . 2007-10-18 15:51 126,976 --a--c--- C:\WINDOWS\system32\Imsmudlg.exe
2008-04-16 22:59 . 2004-06-14 14:56 427,864 --a--c--- C:\WINDOWS\system32\XceedZip.dll
2008-04-16 22:38 . 2008-04-16 22:46 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-14 14:34 . 2008-04-19 09:21 <DIR> d----c--- C:\Program Files\XoftSpySE
2008-04-13 22:26 . 2008-05-10 20:37 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 12:40 . 2008-04-30 09:24 <DIR> d----c--- C:\WINDOWS\system32\NtmsData
2008-04-11 21:28 . 2007-10-01 16:40 1,526,072 --a--c--- C:\WINDOWS\WRSetup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 19:43 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-05-11 03:32 495,616 -cs---w C:\WINDOWS\system32\love.exe
2008-05-11 02:30 --------- dc----w C:\Program Files\Thinstall.VS
2008-05-09 00:26 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\U3
2008-05-08 02:35 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Thinstall
2008-05-07 22:51 --------- dc----w C:\Program Files\FriendBlasterPro
2008-05-06 00:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-06 00:55 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 21:01 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Registry Help Pro
2008-05-03 20:47 --------- dc----w C:\Program Files\TuneUp Utilities 2008
2008-05-03 20:46 307,968 -c--a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 16:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\iolo
2008-04-30 16:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\iolo
2008-04-30 16:24 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\LimeWire
2008-04-30 16:24 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 15:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 00:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 03:39 6,596 -csha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-28 03:39 58,912 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-28 03:35 805 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-28 03:35 10,740 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-26 13:54 --------- dc----w C:\Program Files\RegCure
2008-04-24 01:52 --------- dc----w C:\Program Files\Microsoft Money 2006
2008-04-20 20:10 --------- dc----w C:\Program Files\KGB Archiver 2
2008-04-17 22:24 --------- dc----w C:\Program Files\Hewlett-Packard
2008-04-17 11:40 --------- dc----w C:\Program Files\Intel
2008-04-14 04:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-12 04:47 --------- dc----w C:\Program Files\Hitman Pro
2008-04-11 06:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 03:57 164 -c--a-w C:\install.dat
2008-04-08 03:42 32,300 -csha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 03:42 2,331,424 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-08 01:46 --------- dc----w C:\Program Files\Enigma Software Group
2008-04-07 23:46 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 21:00 --------- dc----w C:\Program Files\Kaspersky Lab
2008-04-07 05:50 --------- dc----w C:\Program Files\Yahoo!
2008-04-07 02:07 --------- dc----w C:\Program Files\Avant Browser
2008-04-04 03:30 31,938 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
2008-04-03 21:11 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\URSoft
2008-04-03 05:32 --------- dc----w C:\Program Files\Lavasoft
2008-04-03 01:49 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Auslogics
2008-04-03 01:20 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\IconTweaker
2008-04-02 00:22 --------- dc----w C:\Program Files\Dachshund Software
2008-04-01 23:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Lavasoft
2008-04-01 23:31 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\AdobeUM
2008-04-01 23:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Sonic
2008-04-01 23:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Leadertech
2008-04-01 02:53 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\JP Software
2008-03-30 23:11 --------- dc----w C:\Program Files\CBS Software
2008-03-30 05:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\acccore
2008-03-30 02:59 --------- dc----w C:\Program Files\AIM6
2008-03-30 02:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-30 02:57 --------- dc----w C:\Program Files\Common Files\AOL
2008-03-29 21:50 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\InstallShield
2008-03-25 11:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\PC Tools
2008-03-21 11:48 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\BinarySense
2008-03-21 11:36 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\tor
2008-03-21 11:19 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Mask Surf Standard
2008-03-20 18:36 --------- dc----w C:\Documents and Settings\Administrator.STEPHEN\Application Data\Uniblue
2008-03-20 18:06 --------- dc----w C:\Program Files\Uniblue
2008-03-20 17:47 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue
2008-03-20 09:13 --------- dc----w C:\Program Files\Java
2008-03-19 16:53 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DMCache
2008-03-19 09:47 1,845,248 -c--a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 00:52 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint
2008-03-14 19:54 --------- dc----w C:\Program Files\Microsoft Silverlight
2008-03-14 08:59 --------- dc----w C:\Program Files\Remove on Reboot
2008-03-14 04:47 --------- dc----w C:\Program Files\MySpace
2008-03-13 08:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\gtk-2.0
2008-03-13 08:47 --------- dc----w C:\Program Files\PidginPortable
2008-03-13 05:35 --------- dc----w C:\Program Files\Microsoft Works
2008-03-13 04:21 --------- dc-h--w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\yahoo!
2008-03-11 07:48 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DelinvFile
2008-03-11 02:33 --------- dc----w C:\Program Files\Acesoft
2008-03-11 01:40 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\TeamViewer
2008-03-01 13:06 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 20:15 28,416 -c--a-w C:\WINDOWS\system32\uxtuneup.dll
2008-02-23 06:01 675,328 -c--a-w C:\WINDOWS\is-L7F12.exe
2008-02-20 06:51 282,624 -c--a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 -c--a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-04 02:07 2 -cshatr C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 08:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58 458752]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 15:21 135168]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"SQ931STI"="C:\WINDOWS\SQ931STI.EXE" [2007-01-24 14:24 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22 794713]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen Matthews.STEPHEN^Start Menu^Programs^StartUp^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2008-04-24 08:49]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 SQ931;USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-03-27 17:44]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-03 13:46]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61825c52-ed79-11dc-b43f-0014a5f0bae9}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - RADDRVV3
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:49:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen Matthews.job"
- C:\PROGRA~1\Norton Internet Security\Norton AntiVirus\Navw32.exe
"2008-04-24 20:17:03 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 12:43:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 12:46:32
ComboFix-quarantined-files.txt 2008-05-11 19:46:27

Pre-Run: 32,881,324,032 bytes free
Post-Run: 32,939,630,592 bytes free

255 --- E O F --- 2008-04-28 02:20:07
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:59 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKCU\..\Policies\Explorer\Run: [] C:\WINDOWS\system32\config\sysrestore.exe -s
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9826 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
I just wanted to let you know that I haven't forgotten you but I won't be able to get to that log until tomorrow morning.
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
oh don't worry i can wait it's all cool....someone looked at it and i've tried everything i've run scans with norton internet security...nod32.....kaspersky internet security.....spyeraser (uniblue)....Spybot Search and Destroy....XoftSpy SE.....and quite a few online scanners.....and they've picked up nothing but cookies and when i delete this file known as love.exe i get an error saying it's missing ot of my system32 folder....but i can wait no problem....thanks for the help so far...i really appreciate it
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\WINDOWS\is-L7F12.exe


Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\system32\love.exe
C:\WINDOWS\winstart.bat

Folder::
C:\WINDOWS\uninstall\F4U KeyGen Maker
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Program Files\Enigma Software Group
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint

DirLook::
C:\Setup
C:\INCINERATE
C:\WINDOWS\uninstall
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


but idk where it came from if you want me to delete it i can..
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
ComboFix 08-05-11.1 - Stephen Matthews 2008-05-13 20:48:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -7:00]
Running from: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1271263650.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-392803713.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1469554372.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\155915928.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\656290609.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1013624820.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-2015586220.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-51377543.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-825612810.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-905540712.mtz
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1806120299.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1879617777.mtz
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1250051772.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-135678801.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-729682611.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1759399190.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1901163955.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-135813659.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1446580733.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1469502972.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1997079084.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\570236374.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\663702647.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\853263198.mts
C:\Program Files\Enigma Software Group
C:\WINDOWS\system32\i.txt
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\uninstall\F4U KeyGen Maker
C:\WINDOWS\uninstall\F4U KeyGen Maker\setup.exe
C:\WINDOWS\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 20:40 . 2008-05-13 20:40 <DIR> d----c--- C:\WINDOWS\LastGood
2008-05-12 20:46 . 2004-03-09 00:00 224,016 --a--c--- C:\WINDOWS\system32\TabCtl32.ocx
2008-05-12 20:46 . 2004-03-09 00:00 132,880 --a--c--- C:\WINDOWS\system32\msinet.ocx
2008-05-12 16:45 . 2007-09-18 15:24 676,224 --a--c--- C:\WINDOWS\system32\OGACheckControl.dll
2008-05-10 20:42 . 2008-05-10 20:42 <DIR> d----c--- C:\Program Files\Trend Micro
2008-05-07 20:52 . 2008-05-07 20:52 <DIR> d----c--- C:\Program Files\Radmin Viewer 3
2008-05-07 18:32 . 2008-05-07 18:32 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Radmin
2008-05-07 16:57 . 2008-05-10 19:27 <DIR> d----c--- C:\WINDOWS\system32\rserver30
2008-05-06 17:58 . 2008-05-06 17:58 <DIR> d----c--- C:\WINDOWS\Migo Recover Lost Data
2008-05-06 14:20 . 2008-05-06 14:20 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Aurora Web Editor
2008-05-06 10:49 . 2008-05-06 16:05 <DIR> d----c--- C:\Program Files\Multimedia Australia
2008-05-03 21:44 . 2008-05-05 17:55 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-05-03 21:44 . 2008-05-05 17:55 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\SUPERAntiSpyware.com
2008-05-03 12:56 . 2008-05-03 12:56 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-01 21:44 . 2008-05-01 21:44 <DIR> d----c--- C:\Setup
2008-05-01 20:56 . 2008-05-01 20:56 <DIR> d--hsc--- C:\INCINERATE
2008-04-29 14:42 . 2008-04-29 14:42 <DIR> d----c--- C:\Program Files\Speed Gear 5
2008-04-27 20:07 . 2008-04-27 20:40 <DIR> d----c--- C:\Program Files\Norton Internet Security
2008-04-27 20:06 . 2008-04-27 20:35 123,952 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 20:06 . 2008-04-27 20:35 60,800 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-27 20:05 . 2008-04-27 20:35 <DIR> d----c--- C:\Program Files\Symantec
2008-04-27 19:15 . 2008-04-27 19:17 <DIR> d----c--- C:\WINDOWS\system32\Adobe
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\ES_2_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\ES_1_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51 24 --a--c--- C:\WINDOWS\AM_D0.PRF
2008-04-26 07:45 . 2008-04-26 07:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-26 07:45 . 2007-05-03 10:27 47,360 -ra--c--- C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 46,592 -ra--c--- C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:28 39,552 -ra--c--- C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 37,248 -ra--c--- C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27 32,000 -ra--c--- C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-04-25 21:06 . 2008-04-25 21:06 <DIR> d----c--- C:\Program Files\Google Hacks
2008-04-25 15:12 . 2007-12-24 17:37 138,384 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-24 21:00 . 2008-04-24 21:00 <DIR> d----c--- C:\Documents and Settings\Administrator.STEPHEN\Application Data\Lavasoft
2008-04-23 18:56 . 2008-04-23 18:56 <DIR> d----c--- C:\Program Files\LimeWire
2008-04-23 17:06 . 2008-04-23 17:06 71 --a--c--- C:\WINDOWS\SpotAuditor.INI
2008-04-22 15:01 . 2008-04-22 15:01 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools Pro
2008-04-22 14:56 . 2007-02-22 09:05 90,112 --a--c--- C:\Progr_.dll
2008-04-22 14:38 . 2008-04-22 14:38 <DIR> d----c--- C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools
2008-04-22 14:38 . 2008-04-22 14:38 717,296 --a--c--- C:\WINDOWS\system32\drivers\sptd.sys
2008-04-22 04:59 . 2008-04-22 04:59 1,409 --a--c--- C:\WINDOWS\system32\tmp621EE.FOT
2008-04-22 04:59 . 2008-04-22 04:59 24 --a--c--- C:\WINDOWS\AM_D8.PRF
2008-04-22 04:55 . 2008-04-26 11:26 <DIR> d----c--- C:\Program Files\Graffiti Studio 2.0
2008-04-21 22:11 . 2008-05-13 20:49 <DIR> d----c--- C:\WINDOWS\uninstall
2008-04-21 20:17 . 2008-04-21 20:17 16 --a--c--- C:\WINDOWS\system32\coh.cache
2008-04-20 20:25 . 2008-04-20 20:25 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-20 20:13 . 2008-04-21 21:25 <DIR> d----c--- C:\Program Files\Wireless WEP Key Password Spy
2008-04-18 19:01 . 2008-05-11 22:35 <DIR> d----c--- C:\Program Files\Speeditup Free
2008-04-17 04:49 . 2007-12-19 11:06 172,032 --a--c--- C:\WINDOWS\system32\igfxres.dll
2008-04-17 04:45 . 2008-04-17 04:45 <DIR> d----c--- C:\WINDOWS\OPTIONS
2008-04-17 04:45 . 2008-04-17 04:45 <DIR> d----c--- C:\Program Files\Realtek
2008-04-17 04:43 . 2008-01-31 21:45 53,248 --a--c--- C:\WINDOWS\system32\CSVer.dll
2008-04-17 04:40 . 2008-04-17 04:40 <DIR> d----c--- C:\WINDOWS\system32\ENU
2008-04-17 04:40 . 2007-10-18 15:51 126,976 --a--c--- C:\WINDOWS\system32\Imsmudlg.exe
2008-04-16 22:59 . 2004-06-14 14:56 427,864 --a--c--- C:\WINDOWS\system32\XceedZip.dll
2008-04-16 22:38 . 2008-04-16 22:46 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-14 14:34 . 2008-04-19 09:21 <DIR> d----c--- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 02:53 675,328 -c--a-w C:\WINDOWS\is-L7F12.exe
2008-05-14 02:22 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 02:15 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 03:43 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 03:30 73,216 -c--a-w C:\WINDOWS\ST6UNST.EXE
2008-05-13 03:30 249,856 -c----w C:\WINDOWS\Setup1.exe
2008-05-12 04:02 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\LimeWire
2008-05-11 02:30 --------- dc----w C:\Program Files\Thinstall.VS
2008-05-09 00:26 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\U3
2008-05-08 02:35 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Thinstall
2008-05-07 22:51 --------- dc----w C:\Program Files\FriendBlasterPro
2008-05-06 00:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-06 00:55 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 21:01 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Registry Help Pro
2008-05-03 20:47 --------- dc----w C:\Program Files\TuneUp Utilities 2008
2008-05-03 20:46 307,968 -c--a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 16:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\iolo
2008-04-30 16:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\iolo
2008-04-30 16:24 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 00:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 03:39 6,596 -csha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-28 03:39 58,912 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-28 03:35 805 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-28 03:35 10,740 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-26 13:54 --------- dc----w C:\Program Files\RegCure
2008-04-24 01:52 --------- dc----w C:\Program Files\Microsoft Money 2006
2008-04-20 20:10 --------- dc----w C:\Program Files\KGB Archiver 2
2008-04-17 22:24 --------- dc----w C:\Program Files\Hewlett-Packard
2008-04-17 11:40 --------- dc----w C:\Program Files\Intel
2008-04-12 04:47 --------- dc----w C:\Program Files\Hitman Pro
2008-04-11 06:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 03:57 164 -c--a-w C:\install.dat
2008-04-08 03:42 32,300 -csha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 03:42 2,331,424 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-07 23:46 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-04-07 21:00 --------- dc----w C:\Program Files\Kaspersky Lab
2008-04-07 05:50 --------- dc----w C:\Program Files\Yahoo!
2008-04-07 02:07 --------- dc----w C:\Program Files\Avant Browser
2008-04-04 03:30 31,938 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
2008-04-03 21:11 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\URSoft
2008-04-03 05:32 --------- dc----w C:\Program Files\Lavasoft
2008-04-03 01:49 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Auslogics
2008-04-03 01:20 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\IconTweaker
2008-04-02 00:22 --------- dc----w C:\Program Files\Dachshund Software
2008-04-01 23:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Lavasoft
2008-04-01 23:31 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\AdobeUM
2008-04-01 23:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Sonic
2008-04-01 23:27 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Leadertech
2008-04-01 02:53 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\JP Software
2008-03-30 23:11 --------- dc----w C:\Program Files\CBS Software
2008-03-30 05:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\acccore
2008-03-30 02:59 --------- dc----w C:\Program Files\AIM6
2008-03-30 02:57 --------- dc----w C:\Program Files\Common Files\AOL
2008-03-29 21:50 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\InstallShield
2008-03-25 11:51 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\PC Tools
2008-03-21 11:48 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\BinarySense
2008-03-21 11:36 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\tor
2008-03-21 11:19 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Mask Surf Standard
2008-03-20 18:36 --------- dc----w C:\Documents and Settings\Administrator.STEPHEN\Application Data\Uniblue
2008-03-20 18:06 --------- dc----w C:\Program Files\Uniblue
2008-03-20 17:47 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue
2008-03-20 09:13 --------- dc----w C:\Program Files\Java
2008-03-19 16:53 --------- dc----w C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DMCache
2008-03-19 09:47 1,845,248 -c--a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 19:54 --------- dc----w C:\Program Files\Microsoft Silverlight
2008-03-14 08:59 --------- dc----w C:\Program Files\Remove on Reboot
2008-03-14 04:47 --------- dc----w C:\Program Files\MySpace
2008-03-01 13:06 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 20:15 28,416 -c--a-w C:\WINDOWS\system32\uxtuneup.dll
2008-02-20 06:51 282,624 -c--a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 -c--a-w C:\WINDOWS\system32\dnsrslvr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\INCINERATE ----

2008-05-01 21:38 65 ---hsc--- C:\INCINERATE\desktop.ini
2008-05-01 20:58 0 --a--c--- C:\INCINERATE\info.shr

---- Directory of C:\Setup ----

2008-05-01 21:44 4090214 --a--c--- C:\Setup\Setup.exe

---- Directory of C:\WINDOWS\uninstall ----

2008-04-21 22:11 417802 --a--c--- C:\WINDOWS\uninstall\F4U KeyGen Maker\setup.exe


((((((((((((((((((((((((((((( [email protected]_12.46.12.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 03:32:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 11:52:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-30 15:00:41 217,864 -c--a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 02:16:17 217,864 -c--a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50 20,240 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 02:22:42 20,240 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-30 15:01:50 184,080 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 02:22:42 184,080 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-30 15:01:50 217,864 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 02:22:42 217,864 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50 18,704 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 02:22:42 18,704 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-30 15:01:51 35,088 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 02:22:42 35,088 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-30 15:01:50 922,384 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 02:22:42 922,384 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-30 15:01:51 888,080 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 02:22:42 888,080 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-30 15:01:50 1,172,240 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 02:22:42 1,172,240 -c--a-r C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 08:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58 458752]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 15:21 135168]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"SQ931STI"="C:\WINDOWS\SQ931STI.EXE" [2007-01-24 14:24 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22 794713]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen Matthews.STEPHEN^Start Menu^Programs^StartUp^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2008-04-24 08:49]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 SQ931;USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-03-27 17:44]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-03 13:46]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:49:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen Matthews.job"
- C:\PROGRA~1\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-04-24 20:17:03 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 20:51:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 20:53:49
ComboFix-quarantined-files.txt 2008-05-14 03:53:10
ComboFix2.txt 2008-05-11 19:46:33

Pre-Run: 32,640,311,296 bytes free
Post-Run: 32,675,254,272 bytes free

301 --- E O F --- 2008-04-28 02:20:07
 

bigdaddysjm09

Thread Starter
Joined
Jan 9, 2008
Messages
108
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:44 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9718 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
I'd like someone to check that file out so please do this:

Go to the forum here and upload this (these) file(s):

C:\WINDOWS\is-L7F12.exe

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,020
Did you set this policy to stop the infection from running?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er\disallowrun]
"1"= love.exe


Please delete this folder:

C:\WINDOWS\uninstall


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Please run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top