Infected System

Post by lazyjesus » April 17th, 2008, 12:48 pm

Hi, I have a quite seriously infected system.
I have no control panel, my desktop background has been changed, programs are running constantly, and I can't even install Spybot...
....Help!
(And of course, Thanks In Advance)

My HijackThis file:

Deckard's System Scanner v20071014.68
Run by guy on 2008-04-17 19:00:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-04-17 16:00:56 UTC - RP1318 - Deckard's System Scanner Restore Point
87: 2008-04-16 21:42:51 UTC - RP1317 - Restore Operation
86: 2008-04-15 22:13:48 UTC - RP1316 - System Checkpoint
85: 2008-04-14 03:15:11 UTC - RP1315 - System Checkpoint
84: 2008-04-13 02:28:39 UTC - RP1314 - System Checkpoint


-- First Restore Point --
1: 2008-01-18 15:43:27 UTC - RP1231 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.61 GiB (less than 15%) free.


-- HijackThis (run as guy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:59, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Barak013\Barak013_L2TP\fts.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\WINDOWS\TEMP\win72.exe
C:\Program Files\cjb\cjb.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\cjb\cjb7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.exe
c:\program files\mcafee\msc\mcuimgr.exe
c:\program files\mcafee\msc\mcshell.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\guy\Desktop\dss.exe
C:\WINDOWS\system32\mshearts.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\guy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - C:\Program Files\TrustIn Contextual\trustincontext.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
O2 - BHO: (no name) - {D288EC64-298A-3F18-5BF0-0824F86062A0} - C:\Program Files\drvi\upbdamvhuo.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [%FP%Barak013 L2TP fts.exe] "C:\Program Files\Barak013\Barak013_L2TP\fts.exe"
O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win72.exe
O4 - HKLM\..\Run: [cbj] C:\Program Files\cjb\cjb.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [cjb] C:\Program Files\cjb\cjb7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKLM\..\Policies\Explorer\Run: [F6vFwLfsTU] C:\WINDOWS\fwpyhmxg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\guy\Start Menu\Programs\Poker.com\Poker.com.lnk (HKCU)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/Premium/dow ... fxIEAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O21 - SSODL: KbdService - {793b612a-2711-4c3b-af92-6da8f7369bcb} - C:\WINDOWS\Installer\{793b612a-2711-4c3b-af92-6da8f7369bcb}\KbdService.dll
O21 - SSODL: zip - {c304f30f-fcb5-49dc-8906-f65cec679092} - C:\WINDOWS\Installer\{c304f30f-fcb5-49dc-8906-f65cec679092}\zip.dll
O21 - SSODL: CDSetup - {66913b9a-6dd7-43ed-aadb-f2a121429107} - C:\WINDOWS\Installer\{66913b9a-6dd7-43ed-aadb-f2a121429107}\CDSetup.dll
O21 - SSODL: CheckBoot - {4216babd-e74b-4eba-94b5-84c3fd8b0359} - C:\WINDOWS\Installer\{4216babd-e74b-4eba-94b5-84c3fd8b0359}\CheckBoot.dll
O21 - SSODL: WinRunOnce - {60b3c4f6-fd89-4884-9973-e54295f9a3a4} - C:\WINDOWS\Installer\{60b3c4f6-fd89-4884-9973-e54295f9a3a4}\WinRunOnce.dll
O21 - SSODL: SrvVolume - {b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6} - C:\WINDOWS\Installer\{b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6}\SrvVolume.dll
O21 - SSODL: SrvKernel - {6d0c7515-b27a-477d-82bb-6651b8e7370f} - C:\WINDOWS\Installer\{6d0c7515-b27a-477d-82bb-6651b8e7370f}\SrvKernel.dll
O21 - SSODL: ChkUnknown - {1557603e-f66c-4bf7-b27e-e8eaebbf915e} - C:\WINDOWS\Installer\{1557603e-f66c-4bf7-b27e-e8eaebbf915e}\ChkUnknown.dll
O21 - SSODL: SetupSys - {5c46c749-7968-48e6-bc59-93f9c44f776c} - C:\WINDOWS\Installer\{5c46c749-7968-48e6-bc59-93f9c44f776c}\SetupSys.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

--
End of file - 14239 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT - c:\windows\system32\npptnt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 ScsiAccess - c:\program files\photodex\proshowgold\scsiaccess.exe

S2 SvcProc (System Startup Service ) - c:\windows\svcproc.exe (file missing)
S3 MrobeService - "c:\windows\system32\mrobeservice.exe" (file missing)
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-13 18:00:03 404 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-04-01 01:00:06 348 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-03-15 02:45:02 346 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 18:36:31 19968 --a------ C:\Program Files\tmp138531.exe
2008-04-17 18:36:27 19968 --a------ C:\Program Files\tmp137343.exe
2008-04-17 18:26:45 0 d-------- C:\Program Files\Trend Micro
2008-04-17 16:49:59 33280 --a------ C:\WINDOWS\xkrwfsxm.exe
2008-04-17 02:49:44 16652 --a------ C:\Program Files\tmp5593312.exe
2008-04-17 01:19:30 19968 --a------ C:\Program Files\tmp180234.exe
2008-04-16 05:09:59 19968 --a------ C:\Program Files\tmp11014968.exe
2008-04-16 05:09:59 19968 --a------ C:\Program Files\tmp11014921.exe
2008-04-16 03:39:29 143872 --a------ C:\Program Files\tmp5582250.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 08:17:59 19968 --a------ C:\Program Files\tmp25639515.exe
2008-04-13 07:15:21 16540 --a------ C:\Program Files\tmp21870421.exe
2008-04-13 04:14:15 19968 --a------ C:\Program Files\tmp11014812.exe
2008-04-12 06:09:15 16604 --a------ C:\Program Files\tmp90234953.exe
2008-04-12 05:00:58 10240 --a------ C:\Program Files\tmp86148843.exe
2008-04-12 05:00:48 10240 --a------ C:\Program Files\tmp86139000.exe
2008-04-12 05:00:05 10240 --a------ C:\Program Files\tmp86085062.exe
2008-04-12 00:11:43 19968 --a------ C:\Program Files\tmp68794203.exe
2008-04-11 23:01:46 10240 --a------ C:\Program Files\tmp64597093.exe
2008-04-11 23:01:08 10240 --a------ C:\Program Files\tmp64559234.exe
2008-04-11 23:00:56 10240 --a------ C:\Program Files\tmp64547187.exe
2008-04-11 23:00:43 10240 --a------ C:\Program Files\tmp64534359.exe
2008-04-11 23:00:31 10240 --a------ C:\Program Files\tmp64522171.exe
2008-04-11 23:00:07 10240 --a------ C:\Program Files\tmp64498156.exe
2008-04-11 16:02:42 10240 --a------ C:\Program Files\tmp39444968.exe
2008-04-11 08:39:21 19968 --a------ C:\Program Files\tmp12852250.exe
2008-04-11 08:39:20 19968 --a------ C:\Program Files\tmp12851328.exe
2008-04-11 05:38:46 143872 --a------ C:\Program Files\tmp1986781.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-09 13:59:39 9728 --a------ C:\Program Files\tmp38987046.exe
2008-04-09 10:59:07 9728 --a------ C:\Program Files\tmp28121515.exe
2008-04-09 07:03:35 143872 --a------ C:\Program Files\tmp14030968.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-09 07:03:21 19968 --a------ C:\Program Files\tmp14017093.exe
2008-04-09 05:33:04 19968 --a------ C:\Program Files\tmp8600109.exe
2008-04-09 05:33:02 19968 --a------ C:\Program Files\tmp8597921.exe
2008-04-09 05:32:56 19968 --a------ C:\Program Files\tmp8592234.exe
2008-04-09 04:02:55 9728 --a------ C:\Program Files\tmp3146000.exe
2008-04-08 19:49:50 0 d-------- C:\Program Files\iSecurity
2008-04-08 18:46:18 16608 --a------ C:\Program Files\tmp713234.exe
2008-03-17 23:28:44 16556 --a------ C:\Program Files\tmp90658078.exe


-- Find3M Report ---------------------------------------------------------------

2050-08-14 11:12:02 18944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-04-17 18:35:39 0 d-------- C:\Documents and Settings\guy\Application Data\SiteAdvisor
2008-04-17 16:18:38 2024 --a------ C:\WINDOWS\mozver.dat
2008-04-11 18:00:00 0 d-------- C:\Program Files\Norton Security Scan
2008-04-11 16:02:42 0 d-------- C:\Program Files\cjb
2008-04-11 05:13:45 0 d-------- C:\Program Files\Java
2008-04-08 18:59:21 0 d-------- C:\Documents and Settings\guy\Application Data\Adobe
2008-03-28 07:56:52 0 d-------- C:\Program Files\Poker.com
2008-03-14 13:38:45 16472 --a------ C:\Program Files\tmp78090890.exe
2008-03-13 11:42:40 13508 --a------ C:\Program Files\tmp31423890.exe
2008-03-13 11:42:33 16464 --a------ C:\Program Files\tmp31415765.exe
2008-03-12 09:50:50 16584 --a------ C:\Program Files\tmp6573093.exe
2008-03-11 08:45:29 13452 --a------ C:\Program Files\tmp15508921.exe
2008-03-11 08:44:26 16496 --a------ C:\Program Files\tmp15445562.exe
2008-03-10 08:05:45 13444 --a------ C:\Program Files\tmp24601453.exe
2008-03-10 07:57:54 16500 --a------ C:\Program Files\tmp24129921.exe
2008-03-09 07:21:37 13504 --a------ C:\Program Files\tmp10521765.exe
2008-03-08 06:55:15 13456 --a------ C:\Program Files\tmp262775468.exe
2008-03-08 06:29:13 16436 --a------ C:\Program Files\tmp261212656.exe
2008-03-07 06:52:36 13364 --a------ C:\Program Files\tmp176215765.exe
2008-03-07 06:21:56 16540 --a------ C:\Program Files\tmp174376296.exe
2008-03-06 15:25:46 9216 --a------ C:\Program Files\tmp120605953.exe
2008-03-06 06:24:42 13388 --a------ C:\Program Files\tmp88141906.exe
2008-03-06 06:17:40 16596 --a------ C:\Program Files\tmp87719000.exe
2008-03-06 04:03:02 0 d-------- C:\Program Files\IE Extensions
2008-03-05 05:57:13 16576 --a------ C:\Program Files\tmp90546.exe
2008-02-20 04:26:14 15872 --a------ C:\Program Files\tmp98304703.exe
2008-02-20 04:26:14 15872 --a------ C:\Program Files\tmp98304640.exe
2008-02-19 01:10:25 0 d-------- C:\Program Files\nghabxli
2008-02-17 05:50:31 10240 --a------ C:\Program Files\tmp94713734.exe <Not Verified; NoName Corp.; NNC module>
2008-02-16 05:44:50 10240 --a------ C:\Program Files\tmp7973234.exe <Not Verified; NoName Corp.; NNC module>
2008-02-15 05:32:02 12288 --a------ C:\Program Files\tmp48361031.exe <Not Verified; Search2find LLC; Search2find>
2008-02-15 05:31:50 10240 --a------ C:\Program Files\tmp48348906.exe <Not Verified; NoName Corp.; NNC module>
2008-02-14 04:45:45 10240 --a------ C:\Program Files\tmp2093953.exe <Not Verified; NoName Corp.; NNC module>
2008-01-31 06:27:02 11264 --a------ C:\WINDOWS\mgrs.exe
2008-01-31 03:07:55 10240 --a------ C:\Program Files\spoolsv.exe <Not Verified; NoName Corp.; NNC module>
2008-01-31 03:06:33 18944 --a------ C:\WINDOWS\avp.exe <Not Verified; MskVip Ltd.; Antivirus Project (AVP) spyware removal module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593}]
C:\Program Files\TrustIn Contextual\trustincontext.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AA870AC-8427-42a4-B92E-ECD956197489}]
C:\WINDOWS\AuroraHandler.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D288EC64-298A-3F18-5BF0-0824F86062A0}]
C:\Program Files\drvi\upbdamvhuo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" []
"%FP%Barak013 L2TP fts.exe"="C:\Program Files\Barak013\Barak013_L2TP\fts.exe" [01/07/2004 03:37 PM]
"Virtual PDF Printer"="C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe" []
"msnappau"="C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe" [08/13/2004 06:41 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"RTHDCPL"="RTHDCPL.EXE" []
"Alcmtr"="ALCMTR.EXE" [05/03/2005 01:43 PM C:\WINDOWS\Alcmtr.exe]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [07/12/2006 12:58 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/08/2006 02:27 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/04/2006 01:50 AM]
"smgr"="mgrs.exe" [01/31/2008 06:27 AM C:\WINDOWS\mgrs.exe]
"Printer"="C:\WINDOWS\system32\printer.exe" []
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" []
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6145\SiteAdv.exe" [06/21/2007 11:06 PM]
"avp"="C:\WINDOWS\TEMP\win72.exe" []
"cbj"="C:\Program Files\cjb\cjb.exe" [03/06/2008 03:25 PM]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" []
"iSecurity applet"="iSecurity.cpl" [04/09/2008 09:27 AM C:\WINDOWS\system32\iSecurity.cpl]
"cjb"="C:\Program Files\cjb\cjb7.exe" [04/09/2008 01:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/17/2007 04:50 AM]
"@"="" []
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [01/30/2008 02:11 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"F6vFwLfsTU"=C:\WINDOWS\fwpyhmxg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdService"= {793b612a-2711-4c3b-af92-6da8f7369bcb} - C:\WINDOWS\Installer\{793b612a-2711-4c3b-af92-6da8f7369bcb}\KbdService.dll [02/14/2008 04:45 AM 14374]
"zip"= {c304f30f-fcb5-49dc-8906-f65cec679092} - C:\WINDOWS\Installer\{c304f30f-fcb5-49dc-8906-f65cec679092}\zip.dll [02/14/2008 04:45 AM 38438]
"CDSetup"= {66913b9a-6dd7-43ed-aadb-f2a121429107} - C:\WINDOWS\Installer\{66913b9a-6dd7-43ed-aadb-f2a121429107}\CDSetup.dll [02/16/2008 05:46 AM 14374]
"CheckBoot"= {4216babd-e74b-4eba-94b5-84c3fd8b0359} - C:\WINDOWS\Installer\{4216babd-e74b-4eba-94b5-84c3fd8b0359}\CheckBoot.dll [03/06/2008 04:06 AM 14374]
"WinRunOnce"= {60b3c4f6-fd89-4884-9973-e54295f9a3a4} - C:\WINDOWS\Installer\{60b3c4f6-fd89-4884-9973-e54295f9a3a4}\WinRunOnce.dll [03/07/2008 06:21 AM 14374]
"SrvVolume"= {b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6} - C:\WINDOWS\Installer\{b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6}\SrvVolume.dll [03/07/2008 11:45 PM 14374]
"SrvKernel"= {6d0c7515-b27a-477d-82bb-6651b8e7370f} - C:\WINDOWS\Installer\{6d0c7515-b27a-477d-82bb-6651b8e7370f}\SrvKernel.dll [03/12/2008 08:52 AM 14374]
"ChkUnknown"= {1557603e-f66c-4bf7-b27e-e8eaebbf915e} - C:\WINDOWS\Installer\{1557603e-f66c-4bf7-b27e-e8eaebbf915e}\ChkUnknown.dll [03/13/2008 07:10 AM 14374]
"SetupSys"= {5c46c749-7968-48e6-bc59-93f9c44f776c} - C:\WINDOWS\Installer\{5c46c749-7968-48e6-bc59-93f9c44f776c}\SetupSys.dll [03/28/2008 03:50 PM 14374]
"iSecurity"= {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~1.CPL [04/09/2008 09:27 AM 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwim32]
winwim32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 900 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RaConfig2500.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RaConfig2500.lnk
backup=C:\WINDOWS\pss\RaConfig2500.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{428c4537-baaf-11db-90d8-806d6172696f}]
AutoRun\command- D:\SETUP.EXE




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

90 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-17 19:04:45 ------------

Re: Infected System

Post by Shaba » April 20th, 2008, 4:53 am

Hi lazyjesus

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Infected System

Unread postby lazyjesus » April 21st, 2008, 9:58 pm

Hi
I was able to install spybot, got rid of most of my problems, (control panel came back for one),
but I still have a fake "security center" running. Thanks for the help, I really appreciate it :)

Combofix:
ComboFix 08-04-20.5 - guy 04/22/2008 4:26:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.1.1033.18.615 [GMT 3:00]
Running from: C:\Documents and Settings\guy\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 01:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-21 15:04 --------- d-----w C:\Documents and Settings\guy\Application Data\SiteAdvisor
2008-04-20 15:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-18 20:15 --------- d-----w C:\Program Files\McAfee
2008-04-18 02:05 --------- d-----w C:\Program Files\nghabxli
2008-04-18 01:57 --------- d-----w C:\Program Files\IE Extensions
2008-04-17 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 22:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-17 15:26 --------- d-----w C:\Program Files\Trend Micro
2008-04-17 13:49 33,280 ----a-w C:\WINDOWS\xkrwfsxm.exe
2008-04-11 02:13 --------- d-----w C:\Program Files\Java
2008-03-28 04:56 --------- d-----w C:\Program Files\Poker.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 11:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2003-09-15 23:19 99,544 ----a-w C:\WINDOWS\inf\virprn.exe
2003-09-15 23:19 90,624 ----a-w C:\WINDOWS\inf\prtproc.dll
2003-09-15 23:19 18,950 ----a-w C:\WINDOWS\inf\virpntd.dll
2003-09-15 23:19 10,240 ----a-w C:\WINDOWS\inf\virport.dll
.

((((((((((((((((((((((((((((( snapshot@Tue 04-22-2008_ 4.19.41.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 01:15:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 01:22:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D288EC64-298A-3F18-5BF0-0824F86062A0}]
C:\Program Files\drvi\upbdamvhuo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/17/2007 04:50 AM 68856]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [01/30/2008 02:11 PM 3497984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM 86016]
"nwiz"="nwiz.exe" []
"%FP%Barak013 L2TP fts.exe"="C:\Program Files\Barak013\Barak013_L2TP\fts.exe" [01/07/2004 03:37 PM 77312]
"Virtual PDF Printer"="C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe" [ ]
"msnappau"="C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe" [08/13/2004 06:41 PM 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 144784]
"RTHDCPL"="RTHDCPL.EXE" []
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [07/12/2006 12:58 PM 356352]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM 57344]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/08/2006 02:27 PM 222208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/04/2006 01:50 AM 282624]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6145\SiteAdv.exe" [06/21/2007 11:06 PM 36640]
"cbj"="C:\Program Files\cjb\cjb.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/09/2006 06:15 PM 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [10/04/2006 11:48 AM 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"F6vFwLfsTU"= C:\WINDOWS\fwpyhmxg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwim32]
winwim32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 900 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RaConfig2500.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RaConfig2500.lnk
backup=C:\WINDOWS\pss\RaConfig2500.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 06/14/2006 05:24 PM 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 12:50 PM 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 07/04/2006 01:50 AM 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 05/16/2006 01:04 PM 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\WINDOWS\\java\\powerfootball\\PowerFootball-D3D9.exe"=
"C:\\WINDOWS\\java\\powerfootball\\PowerFootball-OpenGL.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9339:TCP"= 9339:TCP:Facebook

R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [07/22/2003 09:14 AM]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\NetWlan5.sys [08/28/2002 11:59 PM]
S3 Oasis;Oasis;C:\WINDOWS\system32\DRIVERS\Oasisusb.sys [05/31/2003 05:21 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{428c4537-baaf-11db-90d8-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 23:45:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-31 22:00:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-04-20 17:52:41 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 04:28:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/22/2008 4:29:46
ComboFix-quarantined-files.txt 2008-04-22 01:29:41
ComboFix2.txt 2008-04-22 01:19:57

Pre-Run: 28,875,374,592 bytes free
Post-Run: 28,855,513,088 bytes free

154 --- E O F --- 2008-04-11 00:05:31

------------------------------------------------------------------------------------------

Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:48:26, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Barak013\Barak013_L2TP\fts.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
O2 - BHO: (no name) - {D288EC64-298A-3F18-5BF0-0824F86062A0} - C:\Program Files\drvi\upbdamvhuo.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [%FP%Barak013 L2TP fts.exe] "C:\Program Files\Barak013\Barak013_L2TP\fts.exe"
O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [cbj] C:\Program Files\cjb\cjb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [F6vFwLfsTU] C:\WINDOWS\fwpyhmxg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\guy\Start Menu\Programs\Poker.com\Poker.com.lnk (HKCU)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/Premium/dow ... fxIEAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O21 - SSODL: KbdService - {793b612a-2711-4c3b-af92-6da8f7369bcb} - (no file)
O21 - SSODL: zip - {c304f30f-fcb5-49dc-8906-f65cec679092} - (no file)
O21 - SSODL: CDSetup - {66913b9a-6dd7-43ed-aadb-f2a121429107} - (no file)
O21 - SSODL: CheckBoot - {4216babd-e74b-4eba-94b5-84c3fd8b0359} - (no file)
O21 - SSODL: WinRunOnce - {60b3c4f6-fd89-4884-9973-e54295f9a3a4} - (no file)
O21 - SSODL: SrvVolume - {b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6} - (no file)
O21 - SSODL: SrvKernel - {6d0c7515-b27a-477d-82bb-6651b8e7370f} - (no file)
O21 - SSODL: ChkUnknown - {1557603e-f66c-4bf7-b27e-e8eaebbf915e} - (no file)
O21 - SSODL: SetupSys - {5c46c749-7968-48e6-bc59-93f9c44f776c} - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 12228 bytes
lazyjesus
Active Member
 
Posts: 2
Joined: April 17th, 2008, 12:39 pm

Re: Infected System

Unread postby Shaba » April 22nd, 2008, 7:31 am

Hi

We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {D288EC64-298A-3F18-5BF0-0824F86062A0} - C:\Program Files\drvi\upbdamvhuo.dll (file missing)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [cbj] C:\Program Files\cjb\cjb.exe
O4 - HKLM\..\Policies\Explorer\Run: [F6vFwLfsTU] C:\WINDOWS\fwpyhmxg.exe
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O21 - SSODL: KbdService - {793b612a-2711-4c3b-af92-6da8f7369bcb} - (no file)
O21 - SSODL: zip - {c304f30f-fcb5-49dc-8906-f65cec679092} - (no file)
O21 - SSODL: CDSetup - {66913b9a-6dd7-43ed-aadb-f2a121429107} - (no file)
O21 - SSODL: CheckBoot - {4216babd-e74b-4eba-94b5-84c3fd8b0359} - (no file)
O21 - SSODL: WinRunOnce - {60b3c4f6-fd89-4884-9973-e54295f9a3a4} - (no file)
O21 - SSODL: SrvVolume - {b60c4cd1-a1bd-4af9-ac8d-0cdfd99c96c6} - (no file)
O21 - SSODL: SrvKernel - {6d0c7515-b27a-477d-82bb-6651b8e7370f} - (no file)
O21 - SSODL: ChkUnknown - {1557603e-f66c-4bf7-b27e-e8eaebbf915e} - (no file)
O21 - SSODL: SetupSys - {5c46c749-7968-48e6-bc59-93f9c44f776c} - (no file)


Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\xkrwfsxm.exe
C:\WINDOWS\inf\virprn.exe
C:\WINDOWS\inf\prtproc.dll
C:\WINDOWS\inf\virpntd.dll
C:\WINDOWS\inf\virport.dll

Folder::
C:\Program Files\nghabxli
C:\Program Files\IE Extensions


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
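The checked list in the post above is a hand triage of the HijackThis log: the helper picked out load points whose file is already gone, an autorun planted under Policies\Explorer\Run, and a binary named to look like ctfmon.exe. The script below is an added example, not code from this thread, from HijackThis or from ComboFix; it applies those three heuristics to a constructed sample shaped like the posted log and emits the flagged autoruns in the "File::" layout of the CFScript shown above. The function names, the list of Windows binaries it treats as imitation targets and the CFScript output are assumptions of this example. Note that it does not catch the cjb.exe entry, which the helper flagged from experience, so a tool like this supplements a human review rather than replacing it.

```python
"""Triage a HijackThis 2.0.2 log with the heuristics visible in the helper's fix list."""
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like the HijackThis log posted above (not the full log).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: (no name) - {D288EC64-298A-3F18-5BF0-0824F86062A0} - C:\\Program Files\\drvi\\upbdamvhuo.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [ctfmona] C:\\WINDOWS\\system32\\ctfmona.exe
O4 - HKLM\\..\\Run: [cbj] C:\\Program Files\\cjb\\cjb.exe
O4 - HKLM\\..\\Policies\\Explorer\\Run: [F6vFwLfsTU] C:\\WINDOWS\\fwpyhmxg.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O21 - SSODL: KbdService - {793b612a-2711-4c3b-af92-6da8f7369bcb} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Every HijackThis finding starts with a section tag such as O4, R1 or F2.
LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .exe; quotes and trailing arguments are ignored.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
# Markers HijackThis appends when the referenced file no longer exists.
MISSING = ("(file missing)", "(no file)")
# Assumed list of Windows binaries whose names malware imitates by appending letters.
SYSTEM_BASENAMES = ("ctfmon", "svchost", "lsass", "explorer", "winlogon", "csrss")


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into section/body records, skipping header and process lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": raw.strip()})
    return entries


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason string when an entry looks like a malware load point, else None."""
    section, body = entry["section"], entry["body"]
    # BHOs, Winlogon notify DLLs and SSODL entries whose file is gone are dangling
    # load points: legitimate software uninstalls them, malware leaves them behind.
    if section in ("O2", "O20", "O21") and body.endswith(MISSING):
        return "dangling load point: target file is gone"
    if section != "O4":
        return None
    # Policies\Explorer\Run is rarely used by legitimate installers.
    if "\\Policies\\Explorer\\Run" in body:
        return "autorun via Policies\\Explorer\\Run"
    m = PATH_RE.search(body)
    if not m:
        return None
    _folder, _, filename = m.group(1).rpartition("\\")
    stem = filename[:-4].lower()
    # ctfmona.exe next to the real ctfmon.exe is the pattern seen in this thread.
    for sysname in SYSTEM_BASENAMES:
        if stem != sysname and stem.startswith(sysname):
            return f"file name mimics {sysname}.exe"
    return None


def triage(log: str) -> List[Dict[str, str]]:
    """Run every entry through classify() and keep the hits together with the reason."""
    hits = []
    for entry in parse_hjt(log):
        reason = classify(entry)
        if reason:
            hits.append({**entry, "reason": reason})
    return hits


def cfscript_files(hits: List[Dict[str, str]]) -> str:
    """Emit a File:: block in the CFScript layout used in the post above.

    Only flagged autoruns whose file is still present are listed; entries that
    HijackThis already reports as missing have nothing on disk to delete.
    """
    paths: List[str] = []
    for hit in hits:
        if hit["body"].endswith(MISSING):
            continue
        m = PATH_RE.search(hit["body"])
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['section']:4} {hit['reason']:42} {hit['raw']}")
    print(cfscript_files(found))
```

The "File::" output is only a starting point for the CFScript: the helper's actual script also names files and folders taken from the ComboFix Find3M report (xkrwfsxm.exe, the inf\vir*.dll set, the nghabxli and IE Extensions folders) that never appear as HijackThis entries, so a HijackThis-only pass always needs the second log read alongside it.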

Re: Infected System

Unread postby Shaba » April 27th, 2008, 4:36 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland