
please need help this virus took out almost all my things on start menu

Discussion in 'Virus & Other Malware Removal' started by ivan00, Oct 14, 2008.

Thread Status:
Not open for further replies.
  1. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    Look, I don't know what this virus is, but it's blocked my Task Manager and cleared most of the functions from my Start Menu. On the Start Menu it took out things like Control Panel and My Computer, and My Documents, that stuff. My All Programs too, and on my desktop background this big background says "anti-spyware system critical"; I want to take that away. Every time I turn on my computer it always shows up. It disabled my Properties too. I'm really worried because it says it can take my personal information.

    I was going to try the ComboFix guide, but it was too risky so I didn't try it.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:33: VIRUS ALERT!, on 10/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O3 - Toolbar: rosqxvmn - {495564FC-20EE-4FD9-AC6B-C25DB4F62CD8} - C:\WINDOWS\rosqxvmn.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Startup: LnGFloatingToolbar.lnk = C:\Program Files\Launch-n-Go\LnGFloatingToolbar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Personal Coach.lnk = ?
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214243878953
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O20 - AppInit_DLLs: ucqrjj.dll
    O21 - SSODL: qrbgltos - {B87E837F-8821-40B8-966F-DE520D010FCE} - C:\WINDOWS\qrbgltos.dll
    O21 - SSODL: ngwstxfd - {CCFA7DDE-8512-4827-9AD0-342118906356} - C:\WINDOWS\ngwstxfd.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    --
    End of file - 10697 bytes
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.

    It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert)
    If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once, and it does not need to be reported unless it continues on every boot.
     
  3. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    OK, I did everything you said and it worked out pretty well, thank you. I got my Task Manager back and everything I was missing. OK, here's the log.

    Malwarebytes' Anti-Malware 1.29
    Database version: 1280
    Windows 5.1.2600 Service Pack 3

    10/17/2008 4:10:29 PM
    mbam-log-2008-10-17 (16-10-29).txt

    Scan type: Quick Scan
    Objects scanned: 71565
    Time elapsed: 17 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 5
    Registry Keys Infected: 40
    Registry Values Infected: 3
    Registry Data Items Infected: 17
    Folders Infected: 5
    Files Infected: 42

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\fccdedAR.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\upaxpb.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yayVliIc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\rosqxvmn.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\grfxbanotxo.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6168610e-b5bb-48ac-b225-45279ac862a3} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{6168610e-b5bb-48ac-b225-45279ac862a3} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{c76574ff-ce88-465b-9e66-becd8ee99302} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c76574ff-ce88-465b-9e66-becd8ee99302} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec22e79c-7702-4c38-9691-c139d6c359c9} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec22e79c-7702-4c38-9691-c139d6c359c9} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvliic (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{b738cdf0-7394-49c3-a3d4-3d5e27f74b15} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0827a935-57c7-4749-a6f9-fd6c1c7f00ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{495564fc-20ee-4fd9-ac6b-c25db4f62cd8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{56d78ecd-00fa-42a3-9c21-6ccf1d5dddea} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8b3956e5-0070-42c2-baea-9ae8f873524b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cb3d8212-b20f-4803-869d-da04c001e51b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{cc865a9f-e1f4-4b55-a81b-6056b4a43636} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc865a9f-e1f4-4b55-a81b-6056b4a43636} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{9a15b489-1c92-4d6c-8b39-b1576d70321d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{23b2343b-63fb-4df3-8aec-94727539538f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e359a181-6ffa-4ed5-b5bc-adb6efcb8eb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b4176e3c-1ef9-4f05-b526-eba44e93d8ec} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\rosqxvmn.bego (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\rosqxvmn.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\LPVideo.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ec22e79c-7702-4c38-9691-c139d6c359c9} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{495564fc-20ee-4fd9-ac6b-c25db4f62cd8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccdedar -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdedar -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00106) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\fccdedAR.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\RAdedccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\RAdedccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gvokrybq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qbyrkovg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qxbykhta.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\athkybxq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\upaxpb.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\yayVliIc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\amyslnwg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gnsusadj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hkiqwu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jkkhgdBt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\omaqqpci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\whnecw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ucqrjj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ymcqlaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll (Adware.Zango) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\87B8X6TJ\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\NAV2RU4Z\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\body.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\capt2.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\red.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\privacy_danger\images\text.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dat (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\LPVideoPlugin\5378.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\rosqxvmn.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\qrbgltos.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\ngwstxfd.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\lomxeqsn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\grfxbanotxo.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\LPVideo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\windfr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\pwrmgr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
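The MBAM log above is what the helper reads next ("what else is left"), and the "Registry Data Items" section is also the explanation for the symptoms in the first post: the Start menu, Task Manager and Display Properties restrictions were plain HKCU policy values the malware flipped. The following parser is an added example, not MBAM's or the forum's own tooling; its sample lines are copied from the log above (header counts adjusted to the excerpt), and the field and function names are this example's own.

```python
# Triage helpers for a Malwarebytes' Anti-Malware 1.x removal log (added example,
# not MBAM's or the forum's own code). The sample lines are copied from the log
# posted above; its header counts are adjusted to match this excerpt.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Detection line:  <item> (<threat>) -> [Data: <d> -> ][Bad: (<b>) Good: (<g>) -> ]<action>.
# "Data:" appears on the LSA package lines, "Bad/Good" on reverted registry data
# items; plain key and file lines carry neither.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>Delete on reboot|Quarantined and deleted successfully)\.?$"
)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")           # body section header
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")  # summary line


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str
    data: Optional[str] = None
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (header counts, detection records) for one MBAM log."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := COUNT_RE.match(line)):
            counts[m["name"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["name"]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, **m.groupdict()))
    return counts, detections


def triage(text: str) -> dict:
    """What a responder wants from the log before the follow-up scan: items that
    still await the reboot, hijacked settings that were reverted (with the value
    the malware had set), the families involved, and whether the header totals
    agree with the body (a cheap check that the pasted log is not truncated)."""
    counts, dets = parse_mbam_log(text)
    seen = Counter(d.section for d in dets)
    return {
        "pending_reboot": [d.item for d in dets if d.action == "Delete on reboot"],
        # registry value name -> (value the malware set, value MBAM restored)
        "restored": {d.item.rsplit("\\", 1)[-1]: (d.bad, d.good)
                     for d in dets if d.bad is not None},
        "families": Counter(d.threat for d in dets),
        "consistent": all(seen.get(n, 0) == c for n, c in counts.items()),
    }


# Excerpt of the log posted in this thread (header counts match the excerpt).
SAMPLE_LOG = r"""
Memory Modules Infected: 2
Registry Data Items Infected: 4
Files Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\fccdedAR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\rosqxvmn.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdedar -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccdedAR.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Still pending reboot:", *result["pending_reboot"], sep="\n  ")
    for name, (bad, good) in result["restored"].items():
        print(f"{name}: malware set {bad!r}, restored to {good!r}")
    print("Header/body consistent:", result["consistent"])
```

Anything listed under "pending_reboot" is a loaded DLL or LSA package that MBAM could only schedule for removal, which is why the reboot and a fresh HijackThis log matter before declaring the machine clean.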
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Looks like it found and fixed a lot.

    Let's see what else is left.

    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  5. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    OK, I did ComboFix, thank you again. It brought back some of my programs. Here's the log; hope there's nothing wrong.

    I'm wondering about this:
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. "Will it affect all the CDs I try to run? And if it does, oh well, too late for that lol"

    I have a question: if I ever get any other viruses, will I be able to run ComboFix when I like to? Or is it when you guys tell me to?





    ComboFix 08-10-17.01 - HP_Owner 2008-10-18 11:01:10.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.189 [GMT -7:00]
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    C:\WINDOWS\ernm.exe
    C:\WINDOWS\IE4 Error Log.txt
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
    .

    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-16 20:37 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-17 15:45 . 2008-10-16 20:37 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-14 20:02 . 2008-10-14 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
    2008-10-14 19:59 . 2004-08-07 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-10-14 19:59 . 2004-08-08 07:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-10-14 19:59 . 2004-08-07 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-10-14 19:59 . 2004-08-07 14:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-10-14 19:59 . 2008-10-14 19:59 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-14 18:32 . 2008-10-14 18:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-14 17:40 . 2008-10-18 10:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-14 17:39 . 2008-10-14 17:48 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-10-14 15:36 . 2008-10-14 15:37 94,208 --a------ C:\WINDOWS\ScUnin.exe
    2008-10-14 15:36 . 2008-10-14 15:37 35,382 --a------ C:\WINDOWS\scunin.dat
    2008-10-14 15:36 . 2008-10-14 15:37 967 --a------ C:\WINDOWS\ScUnin.pif
    2008-10-05 20:31 . 2008-10-05 20:31 <DIR> d-------- C:\Program Files\MyRosso
    2008-10-05 20:31 . 2007-03-30 19:49 266,240 --a------ C:\WINDOWS\system32\MyRossoPlugin.dll
    2008-09-21 21:12 . 2008-09-22 15:32 160,216 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-09-21 21:02 . 2008-09-22 15:32 111,928 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-09-21 21:01 . 2008-09-21 21:01 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-09-21 19:36 . 2008-09-21 20:52 <DIR> d-------- C:\Program Files\WarRock

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-18 17:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-14 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-10-14 22:41 --------- d-----w C:\Program Files\Starcraft
    2008-10-07 01:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-04 05:48 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-09-20 02:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\SPORE
    2008-09-18 03:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
    2008-09-16 21:49 --------- d-----w C:\Program Files\TheUniversal
    2008-09-14 05:22 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Motive
    2008-09-14 00:49 --------- d-----w C:\Program Files\Follett
    2008-09-14 00:26 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\InstallShield
    2008-09-09 22:31 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\SecuROM
    2008-09-09 22:26 --------- d-----w C:\Program Files\Electronic Arts
    2008-09-07 20:02 --------- d-----w C:\Program Files\BitComet
    2008-09-07 19:49 --------- d-----w C:\Program Files\Sony
    2008-09-07 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
    2008-09-06 20:32 --------- d-----w C:\Program Files\DriftCity
    2008-09-06 20:31 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\NPLUTO Corporation
    2008-09-06 18:53 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
    2008-08-29 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
    2008-08-18 18:04 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-06-23 20:13 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080624\index.dat
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

    ----a-w 1,191,936 2006-03-22 01:30:00 C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe

    ----a-w 180,269 2004-08-07 21:03:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 258,048 2005-03-29 06:13:31 C:\Program Files\Creative\Shared Files\bak\CamTray.exe

    ----a-w 49,152 2004-06-08 01:53:26 C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe

    ----a-w 286,720 2004-04-22 01:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
    ----a-w 289,064 2008-07-30 17:47:56 C:\Program Files\iTunes\iTunesHelper.exe

    ----a-w 32,881 2004-08-07 19:36:59 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

    ----a-w 98,304 2004-08-07 21:20:54 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 413,696 2008-05-27 17:50:30 C:\Program Files\QuickTime\QTTask.exe

    ----a-w 4,670,704 2007-08-31 00:43:18 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

    ----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
    ----a-w 111,856 2008-10-07 15:23:46 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    ----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

    ----a-w 179 2007-10-17 00:29:33 C:\WINDOWS\system\bak\hpsysdrv.DAT
    ----a-w 182 2007-10-07 07:50:09 C:\WINDOWS\system\hpsysdrv.DAT

    ----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

    ----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 118,784 2004-08-20 22:51:14 C:\WINDOWS\system32\bak\hkcmd.exe

    ----a-w 659,456 2004-06-08 01:42:30 C:\WINDOWS\system32\bak\hphmon06.exe

    ----a-w 155,648 2004-08-20 22:55:14 C:\WINDOWS\system32\bak\igfxtray.exe

    ----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
    "Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "VTTimer"="VTTimer.exe" [N/A]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 C:\WINDOWS\ALCWZRD.EXE]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 C:\WINDOWS\system32\P0630Pin.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe [2007-09-12 2392064]
    Reality Fusion GameCam SE.lnk - C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe [2007-09-29 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=upaxpb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "C:\\Nexon\\Combat Arms\\NMService.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23226:TCP"= 23226:TCP:BitComet 23226 TCP
    "23226:UDP"= 23226:UDP:BitComet 23226 UDP
    "9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

    R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
    R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{855005a4-db7d-11dc-bcad-00112f837802}]
    \Shell\AutoRun\command - K:\Autorun.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-10-14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\23sxtyw7.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
    FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\BYOND\bin\npbyond.dll
    FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbyond.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-18 11:06:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-18 11:10:13
    ComboFix-quarantined-files.txt 2008-10-18 18:10:10

    Pre-Run: 102,709,972,992 bytes free
    Post-Run: 106,908,860,416 bytes free

    206 --- E O F --- 2008-09-16 21:27:57
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Next

    Download FindAWF by Noahdfear

    Save it to your desktop and double-click it to run it. Select option 1 (scan only) and post back the log it makes.

    No, never run ComboFix unless told to by an authorised helper.

    As to autorun on CDs:

    The autorun/autoplay feature, when enabled, causes one of two things to happen, depending on previously made choices.

    1. When a CD-ROM or DVD is inserted, or a USB device (camera, flash drive, external hard drive, etc.) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If, on a prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled, you insert a music CD. Windows will detect the CD and its contents, then open a message window that might offer to play the CD with Media Player, MusicMatch Jukebox, or any of many applications you may or may not have installed.
    Insert a movie DVD and Windows might prompt you to view it with PowerDVD, Media Player, etc.

    Example: with autorun/autoplay enabled, and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank CD is inserted.

    Plug in a USB camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game CD or software CD, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music CDs accessed via Media Player, blank CDs via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.
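    The registry settings this thread keeps circling back to can be audited in one pass. The script below is an added example, not code from the thread or from ComboFix, FindAWF or Malwarebytes. It checks the Start menu / Task Manager lockdown policies that the Malwarebytes log later in the thread reports as Hijack.StartMenu, Hijack.TaskManager, Hijack.DisplayProperties and Hijack.Explorer, reports the autorun mask, lists the cached Autorun.inf handlers under MountPoints2 (the ComboFix log above shows one pointing at K:\Autorun.exe), and reports AppInit_DLLs, Security Center monitoring and the Windows Firewall flag from the same "Reg Loading Points" section. The "clean" values are assumptions about a default XP profile; the KB number is the Microsoft AutoRun update, not something the thread cites. Run it from an elevated PowerShell; without -Fix it changes nothing.

```powershell
<#
  Added example for this thread (not from the post, ComboFix, FindAWF or
  Malwarebytes). Audits, and with -Fix repairs, the registry settings a
  rogue "antispyware" infection flips: Start menu / Task Manager lockdown
  policies, autorun, cached Autorun.inf handlers, AppInit_DLLs, Security
  Center monitoring and the firewall flag. Run elevated. "Clean" values
  below are assumed defaults for an XP profile.
#>
param([switch]$Fix)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (no terminating error on PS 2.0).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$hkcuAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Lockdown values Malwarebytes flags as Hijack.* in this thread, with the value a
# clean profile has. An absent value is not a finding (policy not enforced).
$lockdowns = @(
    @{ Path="$hkcuPol\System";   Name='DisableTaskMgr';          Clean=0 },
    @{ Path="$hkcuPol\System";   Name='NoDispCPL';               Clean=0 },
    @{ Path="$hkcuPol\Explorer"; Name='NoStartMenuMorePrograms'; Clean=0 },
    @{ Path="$hkcuPol\Explorer"; Name='StartMenuLogOff';         Clean=0 },
    @{ Path="$hkcuPol\Explorer"; Name='NoToolbarCustomize';      Clean=0 },
    @{ Path="$hkcuPol\Explorer"; Name='NoSetFolders';            Clean=0 },
    @{ Path=$hkcuAdv; Name='Start_ShowControlPanel'; Clean=1 },
    @{ Path=$hkcuAdv; Name='Start_ShowMyComputer';   Clean=1 },
    @{ Path=$hkcuAdv; Name='Start_ShowMyDocs';       Clean=1 },
    @{ Path=$hkcuAdv; Name='Start_ShowRun';          Clean=1 },
    @{ Path=$hkcuAdv; Name='Start_ShowSearch';       Clean=1 },
    @{ Path=$hkcuAdv; Name='Start_ShowHelp';         Clean=1 }
)

foreach ($l in $lockdowns) {
    $cur = Get-RegValue $l.Path $l.Name
    if ($cur -ne $null -and $cur -ne $l.Clean) {
        Write-Host ('TAMPERED  {0}\{1} = {2} (clean value {3})' -f $l.Path, $l.Name, $cur, $l.Clean)
        if ($Fix) { Set-ItemProperty -Path $l.Path -Name $l.Name -Value $l.Clean -Type DWord }
    }
}

# Autorun. NoDriveTypeAutoRun is a bitmask of drive types with autorun disabled:
# 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD. 0xFF disables it for
# every type, which is what ComboFix applies and what Microsoft recommends.
$polExplorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = Get-RegValue $polExplorer 'NoDriveTypeAutoRun'
if ($mask -eq $null) { $mask = 0 }
Write-Host ('NoDriveTypeAutoRun = 0x{0:X2}: CD/DVD autorun {1}, removable autorun {2}' -f $mask,
    $(if ($mask -band 0x20) { 'off' } else { 'ON' }),
    $(if ($mask -band 0x04) { 'off' } else { 'ON' }))
if ($Fix -and $mask -ne 0xFF) {
    Set-ItemProperty -Path $polExplorer -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Explorer caches each volume's Autorun.inf commands under MountPoints2. On XP
# without the AutoRun update (KB967715) those cached commands are still honoured
# from Explorer even when NoDriveTypeAutoRun is set, so list every one.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = Get-RegValue (Join-Path $_.PSPath 'Shell\AutoRun\command') '(default)'
    if ($cmd) { Write-Host ('AUTORUN HANDLER  {0} -> {1}' -f $_.PSChildName, $cmd) }
}

# Report-only items. AppInit_DLLs is loaded into every process that links
# user32.dll, so an unfamiliar name there needs checking, not blind deletion.
# DisableMonitoring=1 and EnableFirewall=0 are also set legitimately by
# third-party suites such as Norton, so judge them in context.
$appInit = Get-RegValue 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'AppInit_DLLs'
if ($appInit) { Write-Host "AppInit_DLLs = '$appInit'  (blank on a clean XP box; verify each DLL)" }
$scMon = Get-RegValue 'HKLM:\Software\Microsoft\Security Center\Monitoring' 'DisableMonitoring'
if ($scMon -eq 1) { Write-Host 'Security Center monitoring disabled (DisableMonitoring=1)' }
$fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
if ($fw -eq 0) { Write-Host 'Windows Firewall standard profile is off (EnableFirewall=0)' }
```

    The lockdown policies are read when Explorer starts, so log off and back on after running with -Fix before judging whether the Start menu and Task Manager are back. The script deliberately does not delete MountPoints2 entries or AppInit_DLLs: the point is to surface them so the helper can decide, the same way the logs in this thread are read.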
     
  7. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    Oh, I see. I don't mind doing it manually, but could you please send it to me anyway? It's because my dad and my sister don't know how to do stuff manually; they're used to the CDs and stuff doing it by themselves. Thanks again, here's the log.


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sat 10/18/2008
    The current time is: 14:45:18.60


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 20:02 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    04/21/2004 18:28 286,720 iTunesHelper.exe
    1 File(s) 286,720 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    08/07/2004 14:20 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    04/14/2004 20:43 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/16/2007 17:29 179 hpsysdrv.DAT
    05/07/1998 16:04 52,736 hpsysdrv.exe
    2 File(s) 52,915 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 12:00 15,360 ctfmon.exe
    08/20/2004 15:51 118,784 hkcmd.exe
    06/07/2004 18:42 659,456 hphmon06.exe
    08/20/2004 15:55 155,648 igfxtray.exe
    10/16/2002 16:57 81,920 ps2.exe
    5 File(s) 1,031,168 bytes

    Directory of C:\PROGRA~1\CANON\MYPRIN~1\BAK

    03/21/2006 18:30 1,191,936 BJMyPrt.exe
    1 File(s) 1,191,936 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\CREATIVE\SHARED~1\BAK

    03/28/2005 23:13 258,048 CamTray.exe
    1 File(s) 258,048 bytes

    Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

    06/07/2004 18:53 49,152 hphupd06.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    08/30/2007 17:43 4,670,704 YAHOOM~1.EXE
    1 File(s) 4,670,704 bytes

    Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

    06/08/2007 07:59 224,248 SearchProtection.exe
    1 File(s) 224,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    08/07/2004 14:03 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

    08/07/2004 12:36 32,881 jusched.exe
    1 File(s) 32,881 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    289064 Jul 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
    286720 Apr 21 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Aug 4 2008 "C:\WINDOWS\Installer\{3DE0053C-FD9A-483E-B7C9-B06E4392206E}\iTunesIco.exe"
    413696 May 27 2008 "C:\Program Files\QuickTime\QTTask.exe"
    98304 Aug 7 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    182 Oct 7 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    179 Oct 16 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    118784 Aug 3 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
    659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
    155648 Aug 3 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\igfxtray.exe"
    155648 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
    258048 Mar 28 2005 "C:\Program Files\Creative\Shared Files\bak\CamTray.exe"
    49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
    4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    111856 Oct 7 2008 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    1079792 Apr 21 2008 "C:\Program Files\Google\GoogleToolbarNotifier\swg-3.0.1225.9868\SearchWithGoogleUpdate.exe"
    224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
    180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


    end of report
     
  8. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    I'm back to the start -.- My dumb cousin plays this game called Combat Arms, and on YouTube he saw a video. The guy in the video gave a link to a free download. They were supposed to be hacks for the game, and instead it was some viruses, and I lost half my icons on my desktop AGAIN! It ain't as bad as last time; I didn't lose my Task Manager, only programs on my desktop. Anyway, I scanned with Malwarebytes' Anti-Malware and removed some things. Here's the log and my HijackThis log. Sorry for all the work, man =/. I'm wondering, can I run ComboFix? Because when you told me to run ComboFix, all my programs that were missing came back.

    Malwarebytes' Anti-Malware 1.29
    Database version: 1280
    Windows 5.1.2600 Service Pack 3

    10/18/2008 4:22:21 PM
    mbam-log-2008-10-18 (16-22-21).txt

    Scan type: Quick Scan
    Objects scanned: 56502
    Time elapsed: 12 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 21
    Registry Values Infected: 5
    Registry Data Items Infected: 15
    Folders Infected: 0
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\qoMccYst.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\qrbgltos.dll (Trojan.Zlob) -> Delete on reboot.
    C:\WINDOWS\ngwstxfd.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{758f6d53-dcc7-4ccf-9080-4b6f9389f641} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomccyst (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{4120c304-624f-4e83-8e27-4024f9e2a9b0} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{0985908e-a25a-4136-8ae1-212784997a77} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2fce2a1b-54fd-45d4-8993-9998a642a000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{69c9c6ad-8e5c-47f8-8abf-acb45d8b770a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c4744465-5abd-4bf2-9968-614d826e77e7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{21ef06f5-1ff1-4662-859c-ac1455b8d833} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{9fec9491-3c41-4ab3-add3-8cf089a9963e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b9ec6dae-6c4e-4487-ac3a-29bc082ea66f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bf5d7127-12fe-403c-aa5c-07186d84a5ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf5d7127-12fe-403c-aa5c-07186d84a5ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\rosqxvmn.baed (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\rosqxvmn.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{758f6d53-dcc7-4ccf-9080-4b6f9389f641} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qrbgltos (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\100d0817 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{69c9c6ad-8e5c-47f8-8abf-acb45d8b770a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ngwstxfd (Trojan.FakeAlert) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00106) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\qoMccYst.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\qrbgltos.dll (Trojan.Zlob) -> Delete on reboot.
    C:\WINDOWS\system32\awtqrqnN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pmnKCttU.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ydqkrxvh.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\87B8X6TJ\file[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\AEBBUBEH\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\NAV2RU4Z\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\W15X0IBI\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\rosqxvmn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\ngwstxfd.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\lomxeqsn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\grfxbanomok.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Desktop\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\windfr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\pwrmgr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:53:59 PM, on 10/18/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {DA5C0A7A-BEF0-4CF5-AF89-23A55E192791} - C:\WINDOWS\system32\pmnKCttU.dll (file missing)
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Startup: LnGFloatingToolbar.lnk = C:\Program Files\Launch-n-Go\LnGFloatingToolbar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Personal Coach.lnk = ?
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214243878953
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O20 - AppInit_DLLs: upaxpb.dll gncygg.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10615 bytes
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Start FindAWF & select option 2.

    Copy the contents of the code box below and paste it under the line in the white screen that will open in AWF.

    Code:
    "C:\hp\KBD\bak\KBD.EXE"
    "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    "C:\WINDOWS\system\bak\hpsysdrv.exe"
    "C:\WINDOWS\system32\bak\hphmon06.exe"
    "C:\WINDOWS\system32\bak\igfxtray.exe"
    "C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
    "C:\Program Files\Creative\Shared Files\bak\CamTray.exe"
    "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
    "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    
    Press File/Exit & say yes to the prompt that will come up.

    A blue box will appear saying "searching for bak folders, please wait".

    It will eventually say all files restored and a Notepad file will open.

    Post the contents back here.

    Then run AWF again and choose option 4.

    Then reboot twice.

    Then:

    Delete any existing version of ComboFix you have sitting on your desktop

    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the net.
    --------------------------------------------------------------------
    2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
    • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
    • Please do not re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
    Double-click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    ****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.
     
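    FindAWF option 2 above works by pairing every file in a `bak` folder with the same-named file one level up and reporting which pairs still duplicate each other. The script below is an added example, not FindAWF or anything posted in this thread: it performs that comparison (size plus SHA-256) on a constructed directory tree with made-up file contents and classifies each `bak` file as identical to, different from, or missing its parent copy.

```python
"""
Added example: check `bak` folders the way a FindAWF report does.

For every file inside a directory named `bak`, look for the same-named file in
the parent directory (case-insensitively, as Windows would) and compare size and
SHA-256.  A parent that is missing or that differs from its `bak` copy is the
case the report flags for restoration; an identical pair is already restored.
All paths and file contents here are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root):
    """Return every directory named 'bak' (any case) under root, sorted."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                found.append(Path(dirpath) / d)
    return sorted(found)


def find_sibling(folder, name):
    """Case-insensitive lookup of a file called `name` in `folder`."""
    for candidate in folder.iterdir():
        if candidate.is_file() and candidate.name.lower() == name.lower():
            return candidate
    return None


def classify_bak_entries(root):
    """
    Compare each bak file with its parent-directory sibling.  Status values:
      identical       - parent is byte-for-byte the bak copy (already restored)
      parent_differs  - parent exists but does not match (replaced executable)
      parent_missing  - nothing one level up to compare against
    """
    results = []
    for bak in find_bak_folders(root):
        for entry in sorted(bak.iterdir()):
            if not entry.is_file():
                continue
            record = {"bak": str(entry), "bak_size": entry.stat().st_size}
            parent_file = find_sibling(bak.parent, entry.name)
            if parent_file is None:
                record["status"] = "parent_missing"
            else:
                record["parent"] = str(parent_file)
                record["parent_size"] = parent_file.stat().st_size
                same = (record["parent_size"] == record["bak_size"]
                        and sha256_of(parent_file) == sha256_of(entry))
                record["status"] = "identical" if same else "parent_differs"
            results.append(record)
    return results


def build_sample_tree(base):
    """Constructed tree mirroring three situations seen in an AWF report."""
    cases = {
        # original and bak copy identical (the KBD.EXE case)
        "hp/KBD/KBD.EXE": b"MZ-KBD-original",
        "hp/KBD/bak/KBD.EXE": b"MZ-KBD-original",
        # parent differs from the bak copy (the QuickTime qttask.exe case)
        "Program Files/QuickTime/QTTask.exe": b"MZ-QTTASK-replaced-" * 4,
        "Program Files/QuickTime/bak/qttask.exe": b"MZ-QTTASK-original",
        # bak copy whose parent no longer exists (the realsched.exe case)
        "Program Files/Common Files/Real/Update_OB/bak/realsched.exe": b"MZ-REALSCHED",
    }
    for rel, data in cases.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the constructed tree, run the check, return {bak file name: status}."""
    base = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    build_sample_tree(base)
    return {Path(r["bak"]).name: r["status"] for r in classify_bak_entries(base)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:15} {name}")
```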
  10. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    Step 1: ok, here's the AWF log. I think that's what you mean by saying contents, and I'm about to do the other steps by rebooting twice.


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Sun 10/19/2008
    The current time is: 13:46:38.37


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 08:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    04/21/2004 06:28 PM 286,720 iTunesHelper.exe
    1 File(s) 286,720 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    08/07/2004 02:20 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    04/14/2004 08:43 PM 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/16/2007 05:29 PM 179 hpsysdrv.DAT
    05/07/1998 04:04 PM 52,736 hpsysdrv.exe
    2 File(s) 52,915 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 12:00 PM 15,360 ctfmon.exe
    08/20/2004 03:51 PM 118,784 hkcmd.exe
    06/07/2004 06:42 PM 659,456 hphmon06.exe
    08/20/2004 03:55 PM 155,648 igfxtray.exe
    10/16/2002 04:57 PM 81,920 ps2.exe
    5 File(s) 1,031,168 bytes

    Directory of C:\PROGRA~1\CANON\MYPRIN~1\BAK

    03/21/2006 06:30 PM 1,191,936 BJMyPrt.exe
    1 File(s) 1,191,936 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\CREATIVE\SHARED~1\BAK

    03/28/2005 11:13 PM 258,048 CamTray.exe
    1 File(s) 258,048 bytes

    Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

    06/07/2004 06:53 PM 49,152 hphupd06.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    08/30/2007 05:43 PM 4,670,704 YAHOOM~1.EXE
    1 File(s) 4,670,704 bytes

    Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

    06/08/2007 07:59 AM 224,248 SearchProtection.exe
    1 File(s) 224,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    08/07/2004 02:03 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

    08/07/2004 12:36 PM 32,881 jusched.exe
    1 File(s) 32,881 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    289064 Jul 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
    286720 Apr 21 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Aug 4 2008 "C:\WINDOWS\Installer\{3DE0053C-FD9A-483E-B7C9-B06E4392206E}\iTunesIco.exe"
    413696 May 27 2008 "C:\Program Files\QuickTime\QTTask.exe"
    98304 Aug 7 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    179 Oct 16 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    179 Oct 16 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    118784 Aug 3 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
    659456 Jun 7 2004 "C:\WINDOWS\system32\hphmon06.exe"
    659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Aug 3 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\igfxtray.exe"
    155648 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe"
    1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
    258048 Mar 28 2005 "C:\Program Files\Creative\Shared Files\CamTray.exe"
    258048 Mar 28 2005 "C:\Program Files\Creative\Shared Files\bak\CamTray.exe"
    49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
    49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
    4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"
    4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    111856 Oct 7 2008 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    1079792 Apr 21 2008 "C:\Program Files\Google\GoogleToolbarNotifier\swg-3.0.1225.9868\SearchWithGoogleUpdate.exe"
    224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
    180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


    end of report
     
  11. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    I got my stuff back, haha, thanks man, you saved me again.

    Hey, I have a question: what's a good anti-spyware program I could use? I used to have Norton but it already expired, so I'm looking for a new one. Do you know any I can buy, or a free download?

    ComboFix
    08-10-19.01 - HP_Owner 2008-10-19 14:06:05.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.192 [GMT -7:00]
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\egsf.exe
    C:\WINDOWS\system32\hvxrkqdy.ini
    C:\WINDOWS\system32\UttCKnmp.ini
    C:\WINDOWS\system32\UttCKnmp.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
    .

    2008-10-19 13:46 . 2004-06-07 18:42 659,456 --a------ C:\WINDOWS\system32\hphmon06.exe
    2008-10-19 13:46 . 2004-08-20 15:55 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2008-10-19 13:46 . 1998-05-07 16:04 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
    2008-10-19 13:29 . 2008-10-19 13:36 30 --a------ C:\Documents and Settings\HP_Owner\jagex_runescape_preferences.dat
    2008-10-19 11:08 . 2008-10-19 11:08 <DIR> d-------- C:\Program Files\Follett
    2008-10-19 10:48 . 2008-10-19 10:48 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-16 20:37 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-17 15:45 . 2008-10-16 20:37 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-14 20:02 . 2008-10-14 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
    2008-10-14 19:59 . 2004-08-07 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-10-14 19:59 . 2004-08-08 07:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-10-14 19:59 . 2004-08-07 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-10-14 19:59 . 2004-08-07 14:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-10-14 19:59 . 2008-10-14 19:59 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-14 18:32 . 2008-10-14 18:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-14 17:40 . 2008-10-19 14:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-14 17:39 . 2008-10-18 17:50 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-10-05 20:31 . 2008-10-05 20:31 <DIR> d-------- C:\Program Files\MyRosso
    2008-10-05 20:31 . 2007-03-30 19:49 266,240 --a------ C:\WINDOWS\system32\MyRossoPlugin.dll
    2008-09-21 21:12 . 2008-09-22 15:32 160,216 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-09-21 21:02 . 2008-09-22 15:32 111,928 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-09-21 21:01 . 2008-09-21 21:01 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-09-21 19:36 . 2008-10-18 11:30 <DIR> d-------- C:\Program Files\WarRock

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-19 18:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-19 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-19 00:32 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
    2008-10-18 23:33 --------- d-----w C:\Program Files\Starcraft
    2008-10-14 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-09-20 02:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\SPORE
    2008-09-18 03:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
    2008-09-16 21:49 --------- d-----w C:\Program Files\TheUniversal
    2008-09-14 05:22 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Motive
    2008-09-09 22:31 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\SecuROM
    2008-09-09 22:26 --------- d-----w C:\Program Files\Electronic Arts
    2008-09-07 20:02 --------- d-----w C:\Program Files\BitComet
    2008-09-07 19:49 --------- d-----w C:\Program Files\Sony
    2008-09-07 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
    2008-09-06 20:32 --------- d-----w C:\Program Files\DriftCity
    2008-09-06 20:31 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\NPLUTO Corporation
    2008-09-06 18:53 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
    2008-08-29 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
    2008-06-23 20:13 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080624\index.dat
    .

    ((((((((((((((((((((((((((((( [email protected]_11.09.42.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-10-19 20:30:56 100,888 ----a-w C:\WINDOWS\.jagex_cache_32\loginapplet\cache--1999123318.dat
    + 2008-10-19 20:35:56 315,392 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl.dll
    + 2008-10-19 20:35:56 20,480 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl_awt.dll
    + 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    + 2004-04-15 03:43:46 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE
    ----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\KBD.EXE

    ----a-w 1,191,936 2006-03-22 01:30:00 C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe
    ----a-w 1,191,936 2006-03-22 01:30:00 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

    ----a-w 180,269 2004-08-07 21:03:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 258,048 2005-03-29 06:13:31 C:\Program Files\Creative\Shared Files\bak\CamTray.exe
    ----a-w 258,048 2005-03-29 06:13:31 C:\Program Files\Creative\Shared Files\CamTray.exe

    ----a-w 49,152 2004-06-08 01:53:26 C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
    ----a-w 49,152 2004-06-08 01:53:26 C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    ----a-w 286,720 2004-04-22 01:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
    ----a-w 289,064 2008-07-30 17:47:56 C:\Program Files\iTunes\iTunesHelper.exe

    ----a-w 32,881 2004-08-07 19:36:59 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

    ----a-w 98,304 2004-08-07 21:20:54 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 413,696 2008-05-27 17:50:30 C:\Program Files\QuickTime\QTTask.exe

    ----a-w 4,670,704 2007-08-31 00:43:18 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE
    ----a-w 4,670,704 2007-08-31 00:43:18 C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE

    ----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
    ----a-w 111,856 2008-10-07 15:23:46 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    ----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
    ----a-w 233,472 2004-04-15 03:43:46 C:\WINDOWS\SMINST\RECGUARD.EXE

    ----a-w 179 2007-10-17 00:29:33 C:\WINDOWS\system\bak\hpsysdrv.DAT
    ----a-w 179 2007-10-17 00:29:33 C:\WINDOWS\system\hpsysdrv.DAT

    ----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
    ----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe

    ----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 118,784 2004-08-20 22:51:14 C:\WINDOWS\system32\bak\hkcmd.exe

    ----a-w 659,456 2004-06-08 01:42:30 C:\WINDOWS\system32\bak\hphmon06.exe
    ----a-w 659,456 2004-06-08 01:42:30 C:\WINDOWS\system32\hphmon06.exe

    ----a-w 155,648 2004-08-20 22:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
    ----a-w 155,648 2004-08-20 22:55:14 C:\WINDOWS\system32\igfxtray.exe

    ----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
    "Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "VTTimer"="VTTimer.exe" [N/A]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 C:\WINDOWS\ALCWZRD.EXE]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 C:\WINDOWS\system32\P0630Pin.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe [2007-09-12 2392064]
    Reality Fusion GameCam SE.lnk - C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe [2007-09-29 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=upaxpb.dll gncygg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "C:\\Nexon\\Combat Arms\\NMService.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23226:TCP"= 23226:TCP:BitComet 23226 TCP
    "23226:UDP"= 23226:UDP:BitComet 23226 UDP
    "9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

    R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
    R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{855005a4-db7d-11dc-bcad-00112f837802}]
    \Shell\AutoRun\command - K:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85ceeb8a-09c2-11dd-bd04-00112f837802}]
    \Shell\AutoRun\command - K:\autorun.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-10-14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{DA5C0A7A-BEF0-4CF5-AF89-23A55E192791} - C:\WINDOWS\system32\pmnKCttU.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\23sxtyw7.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
    FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\BYOND\bin\npbyond.dll
    FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbyond.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-19 14:12:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\savedump.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-19 14:17:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-19 21:16:54
    ComboFix2.txt 2008-10-18 18:10:14

    Pre-Run: 107,582,734,336 bytes free
    Post-Run: 107,753,168,896 bytes free

    242 --- E O F --- 2008-09-16 21:27:57
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File Download" pop-up appears press SAVE, choose Desktop in the list of selections in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [screenshot: CFScript.txt being dragged onto ComboFix.exe]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     

    Attached Files:

  13. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:28:16 PM, on 10/20/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Startup: LnGFloatingToolbar.lnk = C:\Program Files\Launch-n-Go\LnGFloatingToolbar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Personal Coach.lnk = ?
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214243878953
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10263 bytes
     
  14. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    ComboFix 08-10-19.01 - HP_Owner 2008-10-20 19:18:36.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.202 [GMT -7:00]
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\hp\KBD\bak
    C:\hp\KBD\bak\KBD.EXE
    C:\Program Files\Canon\MyPrinter\bak
    C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    C:\Program Files\Creative\Shared Files\bak
    C:\Program Files\Creative\Shared Files\bak\CamTray.exe
    C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak
    C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
    C:\Program Files\iTunes\bak
    C:\Program Files\iTunes\bak\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\bak
    C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
    C:\Program Files\QuickTime\bak
    C:\Program Files\QuickTime\bak\qttask.exe
    C:\Program Files\Yahoo!\Messenger\bak
    C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE
    C:\Program Files\Yahoo!\Search Protection\bak
    C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
    C:\WINDOWS\SMINST\bak
    C:\WINDOWS\SMINST\bak\RECGUARD.EXE
    C:\WINDOWS\system\bak
    C:\WINDOWS\system\bak\hpsysdrv.DAT
    C:\WINDOWS\system\bak\hpsysdrv.exe
    C:\WINDOWS\system32\bak
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\WINDOWS\system32\bak\hkcmd.exe
    C:\WINDOWS\system32\bak\hphmon06.exe
    C:\WINDOWS\system32\bak\igfxtray.exe
    C:\WINDOWS\system32\bak\ps2.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
    .

    2008-10-19 13:46 . 2004-06-07 18:42 659,456 --a------ C:\WINDOWS\system32\hphmon06.exe
    2008-10-19 13:46 . 2004-08-20 15:55 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2008-10-19 13:46 . 1998-05-07 16:04 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
    2008-10-19 13:29 . 2008-10-19 13:36 30 --a------ C:\Documents and Settings\HP_Owner\jagex_runescape_preferences.dat
    2008-10-19 11:08 . 2008-10-19 11:08 <DIR> d-------- C:\Program Files\Follett
    2008-10-19 10:48 . 2008-10-19 10:48 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-17 15:45 . 2008-10-16 20:37 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-17 15:45 . 2008-10-16 20:37 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-14 20:02 . 2008-10-14 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
    2008-10-14 19:59 . 2004-08-07 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-10-14 19:59 . 2004-08-08 07:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-10-14 19:59 . 2004-08-07 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-10-14 19:59 . 2004-08-07 14:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-10-14 19:59 . 2008-10-14 19:59 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-14 18:32 . 2008-10-14 18:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-14 17:40 . 2008-10-20 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-14 17:39 . 2008-10-18 17:50 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-10-14 14:07 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
    2008-10-14 14:05 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-14 14:05 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-14 14:05 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-14 14:05 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-14 14:05 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-05 20:31 . 2008-10-05 20:31 <DIR> d-------- C:\Program Files\MyRosso
    2008-10-05 20:31 . 2007-03-30 19:49 266,240 --a------ C:\WINDOWS\system32\MyRossoPlugin.dll
    2008-09-21 21:12 . 2008-09-22 15:32 160,216 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-09-21 21:02 . 2008-09-22 15:32 111,928 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-09-21 21:01 . 2008-09-21 21:01 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-09-21 19:36 . 2008-10-18 11:30 <DIR> d-------- C:\Program Files\WarRock

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-21 02:19 --------- d-----w C:\Program Files\QuickTime
    2008-10-21 02:19 --------- d-----w C:\Program Files\iTunes
    2008-10-20 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-10-20 05:09 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
    2008-10-19 18:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-19 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-18 23:33 --------- d-----w C:\Program Files\Starcraft
    2008-10-14 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-09-29 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-09-20 02:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\SPORE
    2008-09-18 03:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
    2008-09-16 21:49 --------- d-----w C:\Program Files\TheUniversal
    2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-14 05:22 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Motive
    2008-09-09 22:31 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-09-09 22:31 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\SecuROM
    2008-09-09 22:26 --------- d-----w C:\Program Files\Electronic Arts
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-09-07 20:02 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
    2008-09-07 20:02 --------- d-----w C:\Program Files\BitComet
    2008-09-07 19:49 --------- d-----w C:\Program Files\Sony
    2008-09-07 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
    2008-09-06 20:32 --------- d-----w C:\Program Files\DriftCity
    2008-09-06 20:31 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\NPLUTO Corporation
    2008-09-06 18:53 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
    2008-08-29 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
    2008-08-27 21:03 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
    2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-06-23 20:13 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080624\index.dat
    .

    ((((((((((((((((((((((((((((( [email protected]_11.09.42.07 )))))))))))))))))))))))))))))))))))))))))
     
  15. ivan00

    ivan00 Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    54
    COMBOFIX PART2
    .
    + 2008-08-26 09:08:35 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\advpack.dll
    + 2008-08-26 09:08:36 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtmsft.dll
    + 2008-08-26 09:08:36 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtrans.dll
    + 2008-08-26 09:08:36 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\extmgr.dll
    + 2008-08-26 09:08:36 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\icardie.dll
    + 2008-08-25 08:43:21 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ie4uinit.exe
    + 2008-08-26 09:08:36 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakeng.dll
    + 2008-08-26 09:08:36 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieaksie.dll
    + 2008-08-23 05:54:50 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakui.dll
    + 2007-07-01 03:31:33 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
    + 2008-08-26 09:08:36 380,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dll
    + 2008-08-26 09:08:37 388,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iedkcs32.dll
    + 2008-10-03 17:26:50 6,068,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieframe.dll
    + 2008-08-26 09:08:39 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iernonce.dll
    + 2008-08-26 09:08:39 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iertutil.dll
    + 2008-08-25 08:43:21 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieudinit.exe
    + 2008-08-23 05:56:16 635,848 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
    + 2008-08-26 09:08:40 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\jsproxy.dll
    + 2008-08-26 09:08:40 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeeds.dll
    + 2008-08-26 09:08:40 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeedsbs.dll
    + 2008-08-26 09:08:43 3,594,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
    + 2008-08-26 09:08:43 477,696 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtmled.dll
    + 2008-08-26 09:08:44 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msrating.dll
    + 2008-08-26 09:08:44 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mstime.dll
    + 2008-08-26 09:08:44 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\occache.dll
    + 2008-08-26 09:08:44 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\pngfilt.dll
    + 2008-08-26 09:08:44 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\url.dll
    + 2008-08-26 09:08:45 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll
    + 2008-08-26 09:08:45 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\webcheck.dll
    + 2008-08-26 09:08:45 827,904 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\updspapi.dll
    + 2008-10-19 20:30:56 100,888 ----a-w C:\WINDOWS\.jagex_cache_32\loginapplet\cache--1999123318.dat
    + 2008-10-19 20:35:56 315,392 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl.dll
    + 2008-10-19 20:35:56 20,480 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl_awt.dll
    + 2008-08-14 10:09:26 2,145,280 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
    + 2008-08-14 09:33:16 2,066,048 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
    + 2008-08-14 09:33:16 2,023,936 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
    + 2008-08-14 10:11:02 2,189,184 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
    + 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    + 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll
    + 2008-06-23 16:57:27 347,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll
    + 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll
    + 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll
    + 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\icardie.dll
    + 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe
    + 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll
    + 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll
    + 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakui.dll
    + 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dll
    + 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll
    + 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieframe.dll
    + 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll
    + 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iertutil.dll
    + 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieudinit.exe
    + 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
    + 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll
    + 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeeds.dll
    + 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeedsbs.dll
    + 2008-06-24 17:57:40 3,592,192 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtml.dll
    + 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll
    + 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll
    + 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll
    + 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll
    + 2008-06-23 16:57:40 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\updspapi.dll
    + 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll
    + 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll
    + 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll
    + 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\wininet.dll
    - 2008-09-10 22:38:03 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-10-20 23:13:44 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2008-09-10 22:38:03 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-10-20 23:13:41 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2008-09-10 22:38:03 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-10-20 23:13:44 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2008-09-10 22:38:03 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-10-20 23:13:48 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-09-10 22:38:03 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-10-20 23:13:48 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2008-09-10 22:38:04 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-10-20 23:13:54 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2008-09-10 22:38:03 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2008-10-20 23:13:43 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2008-09-10 22:38:04 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-10-20 23:13:54 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2008-09-10 22:38:03 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-10-20 23:13:40 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2008-09-10 22:38:03 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-10-20 23:13:37 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2004-04-15 03:43:46 233,472 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
    - 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2008-08-26 07:24:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    - 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2008-08-26 07:24:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
    - 2008-06-20 11:40:08 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
    + 2008-08-14 10:04:36 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
    - 2008-06-23 16:57:27 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-08-26 07:24:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-08-26 07:24:28 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-08-26 07:24:28 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2008-08-26 07:24:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
    - 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    + 2008-08-25 08:37:59 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    - 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2008-08-26 07:24:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
    - 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2008-08-26 07:24:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
    - 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
    + 2008-08-23 05:54:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
    - 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2008-08-26 07:24:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    - 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    + 2008-08-26 07:24:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
    + 2008-10-03 17:41:15 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2008-08-26 07:24:29 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
    - 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2008-08-26 07:24:29 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
    - 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
    + 2008-08-25 08:38:00 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
    - 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
    + 2008-08-23 05:56:15 635,848 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
    - 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-08-26 07:24:30 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
    - 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2008-08-26 07:24:30 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
    - 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2008-08-26 07:24:30 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    - 2008-06-24 17:57:40 3,592,192 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
    + 2008-08-27 08:24:32 3,593,216 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
    - 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-08-26 07:24:30 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-08-26 07:24:30 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-08-26 07:24:30 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
    + 2008-08-26 07:24:30 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
    - 2008-06-23 16:57:40 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-08-26 07:24:30 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
    + 2008-08-26 07:24:30 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
    - 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-08-26 07:24:31 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
    + 2008-08-26 07:24:31 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-08-26 07:24:31 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    + 2008-08-14 10:04:36 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    - 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-08-26 07:24:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-06-23 16:57:27 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
    + 2008-08-26 07:24:28 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
    - 2008-06-23 16:57:27 133,120 ------w C:\WINDOWS\system32\extmgr.dll
    + 2008-08-26 07:24:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
    - 2008-07-31 05:29:14 168,304 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-10-20 22:43:16 168,304 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    - 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2008-08-26 07:24:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    - 2008-06-23 09:20:25 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
    + 2008-08-25 08:37:59 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
    - 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
    + 2008-08-26 07:24:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
    - 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
    + 2008-08-26 07:24:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
    - 2008-06-21 05:23:54 161,792 ------w C:\WINDOWS\system32\ieakui.dll
    + 2008-08-23 05:54:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
    - 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    + 2008-08-26 07:24:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
    + 2008-08-26 07:24:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
    - 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    + 2008-10-03 17:41:15 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\iernonce.dll
    + 2008-08-26 07:24:29 44,544 ------w C:\WINDOWS\system32\iernonce.dll
    - 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    + 2008-08-26 07:24:29 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2008-08-25 08:38:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    - 2008-06-23 16:57:35 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
    + 2008-08-26 07:24:30 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
    - 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2008-08-26 07:24:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    - 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2008-08-26 07:24:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    - 2008-06-24 17:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-08-27 08:24:32 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-06-23 16:57:39 193,024 ------w C:\WINDOWS\system32\msrating.dll
    + 2008-08-26 07:24:30 193,024 ------w C:\WINDOWS\system32\msrating.dll
    - 2008-06-23 16:57:40 671,232 ------w C:\WINDOWS\system32\mstime.dll
    + 2008-08-26 07:24:30 671,232 ------w C:\WINDOWS\system32\mstime.dll
    - 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\occache.dll
    + 2008-08-26 07:24:30 102,912 ------w C:\WINDOWS\system32\occache.dll
    - 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-08-26 07:24:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    - 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
    + 2008-08-26 07:24:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2008-08-26 07:24:31 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 03:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
    "Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 C:\WINDOWS\ALCWZRD.EXE]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 C:\WINDOWS\system32\P0630Pin.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe [2007-09-12 2392064]
    Reality Fusion GameCam SE.lnk - C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe [2007-09-29 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "C:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "C:\\Nexon\\Combat Arms\\NMService.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23226:TCP"= 23226:TCP:BitComet 23226 TCP
    "23226:UDP"= 23226:UDP:BitComet 23226 UDP
    "9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

    R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
    R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-10-14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-VTTimer - VTTimer.exe



    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-20 19:21:47
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-20 19:23:21
    ComboFix-quarantined-files.txt 2008-10-21 02:23:17
    ComboFix2.txt 2008-10-19 21:17:06
    ComboFix3.txt 2008-10-18 18:10:14

    Pre-Run: 107,290,669,056 bytes free
    Post-Run: 107,273,846,784 bytes free

    430 --- E O F --- 2008-10-20 23:20:11
     
Short URL to this thread: https://techguy.org/759250