Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help. Got infected!!!. HJT log here. Thanks

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 9th, 2009, 1:46 pm

Please help. This is driving me crazy. I think I downloaded an mp3 but it was something else. My desktop changes to some gif that says DANGER!!! you are infected. Task manager disabled. Desktop manager disabled. Also have a big red X in my task bar that when clicked takes me to some site that advertises adware removal tools.

What can I do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:30 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2CBE0A48-2691-48AC-8F7F-EEB42B48C9AB} - C:\WINDOWS\system32\byXNHWml.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google plugin - {684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - kjsvc32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [48e4c4ac] rundll32.exe "C:\WINDOWS\system32\rbhbscmk.dll",b
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/ ... review.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebe ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\Software\..\Telephony: DomainName = travelinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: gtrmts.dll lhprgw.dll
O20 - Winlogon Notify: opnomkJd - opnomkJd.dll (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10498 bytes
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm
Advertisement
Register to Remove

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 9th, 2009, 2:57 pm

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 9th, 2009, 5:24 pm

Thanks Dan,
Here is my list of installed programs:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Ad-Aware
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
Adobe Reader Japanese Fonts
Adobe Shockwave Player 11
Advertisement Service
Alexa Toolbar
Apple Software Update
AttachmentOptions
Big Fish Games Client
Bluesoleil2.6.0.8 Release 070517
Broadcom Advanced Control Suite
Business Contact Manager for Outlook 2007 SP1
Business Contact Manager for Outlook 2007 SP1
CDBurnerXP
Crystal Reports
DivX Codec
DivX Converter
ESET Online Scanner
Express Burn
Galaxy
GDR 1406 for SQL Server Tools and Workstation Components 2005 ENU (KB932557)
Google Talk (remove only)
Hidden Wonders of the Depths
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix for Windows XP (KB952287)
InstallShield for Microsoft Visual C++ 6
Intel Matrix Storage Manager
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Lotus NotesSQL 2.06 driver
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Monitor Clean
Mozilla Firefox (2.0.0.14)
MSDN Library - April 2004
MSXML 6.0 Parser (KB933579)
Musicmatch® Jukebox
NCH Toolbox
NVIDIA Drivers
Nvu 1.0
pdfFactory
QuickTime
RealPlayer
Replay Media Catcher
Replay Media Catcher
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Sheridan Data Widgets 3.1
Skype™ 3.5
SQL Server 2000 DTS Designer Components
SQLXML4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
URL Assistant
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Web CEO 7.7
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Media Format Runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! SiteBuilder
Yahoo! Toolbar
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 9th, 2009, 5:53 pm

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-----------------


Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 9th, 2009, 6:30 pm

Hi,
Here is the log from ComboFix:
ComboFix 09-03-06.02 - bpolunin 2009-03-09 18:14:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.634 [GMT -4:00]
Running from: c:\documents and settings\bpolunin\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\bpolunin\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\bpolunin\LOCALS~1\Temp\tmp2.tmp
c:\program files\alexa toolbar
c:\program files\alexa toolbar\uninstall.exe
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui5.dll
c:\windows\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\ratrace.dll
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll
c:\windows\Downloaded Program Files\Temp
c:\windows\IE4 Error Log.txt
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaobumqyak.sys
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\init32.exe
c:\windows\system32\kmcsbhbr.ini
c:\windows\system32\lmWHNXyb.ini
c:\windows\system32\lmWHNXyb.ini2
c:\windows\system32\mdm.exe
c:\windows\system32\senekadipxpyic.dat
c:\windows\system32\senekaktwmknto.dll
c:\windows\system32\senekaluvdcgsq.dll
c:\windows\system32\senekandrjnrfj.dll
c:\windows\system32\senekaxehkucvq.dat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\flvriksd.job
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_6TO4
-------\Legacy_DEFAULTLIB
-------\Legacy_SOFTYINFORWOW1
-------\Service_6to4
-------\Service_defaultlib
-------\Service_softyinforwow1


((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-09 18:14 . 2009-03-09 18:14 <DIR> d-------- C:\quarantine
2009-03-09 13:43 . 2009-03-09 13:43 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 13:09 . 2009-03-09 13:09 552 --a------ c:\windows\system32\d3d8caps.dat
2009-03-09 12:59 . 2009-03-09 13:04 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-09 12:43 . 2009-03-06 19:18 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-09 12:23 . 2009-03-09 12:23 186,368 --a------ c:\windows\Monitor Clean.scr
2009-03-03 17:02 . 2009-03-03 17:03 <DIR> d-------- c:\documents and settings\psligar
2009-03-03 14:36 . 2009-03-09 12:32 1,324 --a------ c:\windows\system32\d3d9caps.dat
2009-02-28 08:30 . 2009-03-09 13:59 <DIR> d-------- c:\windows\system32\3361
2009-02-28 07:38 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 07:37 . 2009-03-09 18:16 <DIR> d-------- c:\windows\system32\inf
2009-02-28 07:37 . 2009-02-28 07:37 155,175 --a------ c:\windows\system\xccef090131.exe
2009-02-23 17:09 . 2009-02-23 17:09 <DIR> d-------- C:\e695dbab6f220fa305e4ad5b538902
2009-02-23 16:49 . 2009-02-23 16:49 <DIR> d-------- c:\program files\Windows Defender
2009-02-23 16:45 . 2009-03-09 18:21 2,206 --a------ c:\windows\system32\wpa.dbl
2009-02-23 16:37 . 2009-02-23 16:37 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-23 13:46 . 2009-02-23 13:46 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\yahoo!
2009-02-23 12:26 . 2009-03-09 17:24 512 --a------ c:\windows\randseed.rnd
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:24 <DIR> d-------- c:\program files\Common Files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Network Associates
2009-02-23 12:24 . 2006-06-08 21:00 116,864 --a------ c:\windows\system32\drivers\naiavf5x.sys
2009-02-23 12:24 . 2006-06-08 21:00 58,464 --a------ c:\windows\system32\drivers\mvstdi5x.sys
2009-02-20 19:15 . 2009-02-20 19:15 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-20 19:15 . 2009-02-20 19:15 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 18:58 . 2009-03-09 18:20 2,204 --a------ c:\windows\qrkyvldt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 00:06 --------- d-----w c:\program files\Replay Media Catcher
2009-01-30 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-26 21:44 --------- d-----w c:\program files\Galaxy
2009-01-21 16:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-06-11 16:20 56,912 ----a-w c:\documents and settings\bpolunin\g2mdlhlpx.exe
2008-04-28 15:33 0 ----a-w c:\program files\temp01
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-11-19 442368]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-10-02 81920]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gtrmts.dll lhprgw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-06 18:03 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-07 10:08 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-08-09 15:41 4617720 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Tools\\Binn\\VSShell\\Common7\\IDE\\SqlWb.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-20 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-02-23 58464]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\vcdcontrolpanel\VCdRom.sys [2008-06-03 8576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 qrkyvldt;qrkyvldt;c:\windows\system32\drivers\twkusmnj.sys []
S1 fxbodfnl;fxbodfnl;\??\c:\windows\system32\drivers\fxbodfnl.sys --> c:\windows\system32\drivers\fxbodfnl.sys [?]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 19:15]

2009-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2CBE0A48-2691-48AC-8F7F-EEB42B48C9AB} - c:\windows\system32\byXNHWml.dll
BHO-{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - kjsvc32.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-48e4c4ac - c:\windows\system32\rbhbscmk.dll
Notify-opnomkJd - opnomkJd.dll


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
TCP: {66374EF0-1FF9-4A70-9584-2E10BA00081A} = 10.218.36.210,10.218.36.181
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bpolunin\Application Data\Mozilla\Firefox\Profiles\vzjibl2a.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 18:21:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\twkusmnj.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-409800705-1564488996-1541874228-2363\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{07F69B93-795C-4777-4410-3296887861AB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialcpmibkiffihmfak"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
"handbmnhefeojfkl"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\progra~1\MICROS~4\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-09 18:26:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 22:26:36

Pre-Run: 124,459,962,368 bytes free
Post-Run: 126,016,675,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

283 --- E O F --- 2009-01-21 16:05:42


Here is the fresh log from HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30, on 2009-03-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebe ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\Software\..\Telephony: DomainName = travelinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: gtrmts.dll lhprgw.dll
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9961 bytes
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 9th, 2009, 7:26 pm

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
KILLALL::
File::
c:\windows\system32\drivers\twkusmnj.sys 
c:\windows\qrkyvldt
c:\program files\temp01
c:\windows\system32\drivers\fxbodfnl.sys 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Driver::
qrkyvldt
fxbodfnl
DirLook::
C:\e695dbab6f220fa305e4ad5b538902
c:\windows\system32\3361


    


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-----------------------


: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt




Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX. click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 12.



Post
combofix report
malwarebytes report
Eset scanner report
java report
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 11th, 2009, 1:51 pm

Hi,
Here are 2 logs I got. The Eset said nothing found. The JavaRa looks like deleted all but then when was producing the log crashed so I don't have the log file for it. Also, downloaded the 1236721476893-integrated.jnlp from the link you gave me but it won't start cause the extention is unknown. Let mek now what I need to do.

Combofix:

ComboFix 09-03-06.02 - bpolunin 2009-03-10 17:28:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.645 [GMT -4:00]
Running from: c:\documents and settings\bpolunin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-09 18:59 . 2009-03-09 18:59 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-03-09 18:57 . 2009-03-09 18:57 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-09 18:14 . 2009-03-09 18:14 <DIR> d-------- C:\quarantine
2009-03-09 13:43 . 2009-03-09 13:43 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 13:09 . 2009-03-09 13:09 552 --a------ c:\windows\system32\d3d8caps.dat
2009-03-09 12:59 . 2009-03-09 13:04 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-09 12:43 . 2009-03-06 19:18 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-09 12:23 . 2009-03-09 12:23 186,368 --a------ c:\windows\Monitor Clean.scr
2009-03-03 17:02 . 2009-03-03 17:03 <DIR> d-------- c:\documents and settings\psligar
2009-03-03 14:36 . 2009-03-09 12:32 1,324 --a------ c:\windows\system32\d3d9caps.dat
2009-02-28 08:30 . 2009-03-09 13:59 <DIR> d-------- c:\windows\system32\3361
2009-02-28 07:38 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 07:37 . 2009-03-09 18:16 <DIR> d-------- c:\windows\system32\inf
2009-02-28 07:37 . 2009-02-28 07:37 155,175 --a------ c:\windows\system\xccef090131.exe
2009-02-23 17:09 . 2009-02-23 17:09 <DIR> d-------- C:\e695dbab6f220fa305e4ad5b538902
2009-02-23 16:49 . 2009-02-23 16:49 <DIR> d-------- c:\program files\Windows Defender
2009-02-23 16:45 . 2009-03-10 17:33 2,206 --a------ c:\windows\system32\wpa.dbl
2009-02-23 16:37 . 2009-02-23 16:37 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-23 13:46 . 2009-02-23 13:46 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\yahoo!
2009-02-23 12:26 . 2009-03-10 17:25 512 --a------ c:\windows\randseed.rnd
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:24 <DIR> d-------- c:\program files\Common Files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Network Associates
2009-02-23 12:24 . 2006-06-08 21:00 116,864 --a------ c:\windows\system32\drivers\naiavf5x.sys
2009-02-23 12:24 . 2006-06-08 21:00 58,464 --a------ c:\windows\system32\drivers\mvstdi5x.sys
2009-02-20 19:15 . 2009-02-20 19:15 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-20 19:15 . 2009-02-20 19:15 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 18:58 . 2009-03-10 17:32 2,204 --a------ c:\windows\qrkyvldt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-26 00:06 --------- d-----w c:\program files\Replay Media Catcher
2009-01-30 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-26 21:44 --------- d-----w c:\program files\Galaxy
2008-06-11 16:20 56,912 ----a-w c:\documents and settings\bpolunin\g2mdlhlpx.exe
2008-04-28 15:33 0 ----a-w c:\program files\temp01
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-11-19 442368]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-10-02 81920]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gtrmts.dll lhprgw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-06 18:03 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-07 10:08 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-08-09 15:41 4617720 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Tools\\Binn\\VSShell\\Common7\\IDE\\SqlWb.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-20 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-02-23 58464]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\vcdcontrolpanel\VCdRom.sys [2008-06-03 8576]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 qrkyvldt;qrkyvldt;c:\windows\system32\drivers\twkusmnj.sys []
S1 fxbodfnl;fxbodfnl;\??\c:\windows\system32\drivers\fxbodfnl.sys --> c:\windows\system32\drivers\fxbodfnl.sys [?]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 19:15]

2009-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
TCP: {66374EF0-1FF9-4A70-9584-2E10BA00081A} = 10.218.36.210,10.218.36.181
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bpolunin\Application Data\Mozilla\Firefox\Profiles\vzjibl2a.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 17:33:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\twkusmnj.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-409800705-1564488996-1541874228-2363\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{07F69B93-795C-4777-4410-3296887861AB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialcpmibkiffihmfak"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
"handbmnhefeojfkl"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\progra~1\MICROS~4\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\windows\system32\rundll32.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2009-03-10 17:37:48 - machine was rebooted [bpolunin]
ComboFix-quarantined-files.txt 2009-03-10 21:37:45
ComboFix2.txt 2009-03-10 17:12:51
ComboFix3.txt 2009-03-09 22:26:40

Pre-Run: 125,806,387,200 bytes free
Post-Run: 125,790,236,672 bytes free

205 --- E O F --- 2009-03-09 23:00:04


Melwarebyte:

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 5.1.2600 Service Pack 3

2009-03-10 18:11:14
mbam-log-2009-03-10 (18-11-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198945
Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qrkyvldt (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrkyvldt (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrkyvldt (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\bpolunin\Desktop\LJJ Tyers.exe (Backdoor.VBBot.H) -> No action taken.
C:\Documents and Settings\bpolunin\Desktop\Stas\Inventory Control01292007\Inventory Control\LJJ Tyers.exe (Backdoor.VBBot.H) -> No action taken.
C:\Projects\Cool Apps\INI File Functions\INI Example.exe (Backdoor.VBBot.H) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaktwmknto.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaluvdcgsq.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekandrjnrfj.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaobumqyak.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP904\A0061989.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP904\A0061990.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP904\A0061991.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP904\A0061992.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\twkusmnj.sys (Rootkit.Agent) -> No action taken.
C:\dell\E-Center\Project.exe (Backdoor.VBBot.H) -> No action taken.
C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> No action taken.
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 11th, 2009, 3:49 pm

Why have you run combofix 4 times it should of been just it's second sweep?
When you run malwarebytes you need as instruction says to check selected items! as you can see (No action taken.)
Can you run malwarebytes through again.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 11th, 2009, 5:52 pm

Hi,
I ran Combofix 4 time cause it crashed 2 times after draging the file into it.
As for melwarebytes. I did have all checked for removal and I think it did remove it all cause it said at the end that 2 of the files could not be deleted and to restart the system so they can be deleted.
I just reran malwarebytes and nothing was detected. Here is the log:
Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 5.1.2600 Service Pack 3

2009-03-11 17:50:06
mbam-log-2009-03-11 (17-50-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 199606
Time elapsed: 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 11th, 2009, 6:28 pm

I ran Combofix 4 time cause it crashed 2 times after draging the file into it.

Is combofix the only thing running whilst carrying out the scan?
Is your antivirus and antimalware programs disabled whilst doing the scan?


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
c:\documents and settings\bpolunin\g2mdlhlpx.exe

Click Submit/Send File
Please post back, to let me know the results.



If Jotti is too busy please try Virustotal



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
File::
c:\windows\system32\drivers\twkusmnj.sys 
c:\windows\system32\drivers\fxbodfnl.sys 
c:\program files\temp01
c:\windows\qrkyvldt
c:\windows\system\xccef090131.exe
Driver::
qrkyvldt
fxbodfnl
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
DirLook::
c:\documents and settings\psligar
c:\windows\system32\3361
C:\e695dbab6f220fa305e4ad5b538902


    


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post the jotti's report
combofix report
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 11th, 2009, 7:01 pm

Hi,
Yes, ComboFix is the only program running unless there are processes running. All antivirus programs are disabled.

Jotti found nothing on that file.

Here is the log from ComboFix:
ComboFix 09-03-06.02 - bpolunin 2009-03-11 18:44:55.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.581 [GMT -4:00]
Running from: c:\documents and settings\bpolunin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bpolunin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\temp01
c:\windows\qrkyvldt
c:\windows\system\xccef090131.exe
c:\windows\system32\drivers\fxbodfnl.sys
c:\windows\system32\drivers\twkusmnj.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp01
c:\windows\IE4 Error Log.txt
c:\windows\qrkyvldt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QRKYVLDT
-------\Service_fxbodfnl


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-10 17:38 . 2009-03-10 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 17:38 . 2009-03-10 17:38 <DIR> d-------- c:\documents and settings\bpolunin\Application Data\Malwarebytes
2009-03-10 17:38 . 2009-03-10 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 17:38 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 17:38 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-09 18:59 . 2009-03-09 18:59 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-03-09 18:57 . 2009-03-09 18:57 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-09 18:14 . 2009-03-10 19:12 <DIR> d-------- C:\quarantine
2009-03-09 13:43 . 2009-03-09 13:43 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 13:09 . 2009-03-09 13:09 552 --a------ c:\windows\system32\d3d8caps.dat
2009-03-09 12:59 . 2009-03-11 11:09 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-09 12:43 . 2009-03-06 19:18 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-09 12:23 . 2009-03-09 12:23 186,368 --a------ c:\windows\Monitor Clean.scr
2009-03-03 17:02 . 2009-03-03 17:03 <DIR> d-------- c:\documents and settings\psligar
2009-03-03 14:36 . 2009-03-09 12:32 1,324 --a------ c:\windows\system32\d3d9caps.dat
2009-02-28 08:30 . 2009-03-09 13:59 <DIR> d-------- c:\windows\system32\3361
2009-02-28 07:38 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 07:37 . 2009-03-09 18:16 <DIR> d-------- c:\windows\system32\inf
2009-02-23 17:09 . 2009-02-23 17:09 <DIR> d-------- C:\e695dbab6f220fa305e4ad5b538902
2009-02-23 16:49 . 2009-02-23 16:49 <DIR> d-------- c:\program files\Windows Defender
2009-02-23 16:45 . 2009-03-11 18:54 2,206 --a------ c:\windows\system32\wpa.dbl
2009-02-23 16:37 . 2009-02-23 16:37 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-23 13:46 . 2009-02-23 13:46 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\yahoo!
2009-02-23 12:26 . 2009-03-11 17:05 512 --a------ c:\windows\randseed.rnd
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-02-23 12:25 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\program files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:24 <DIR> d-------- c:\program files\Common Files\Network Associates
2009-02-23 12:24 . 2009-02-23 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Network Associates
2009-02-23 12:24 . 2006-06-08 21:00 116,864 --a------ c:\windows\system32\drivers\naiavf5x.sys
2009-02-23 12:24 . 2006-06-08 21:00 58,464 --a------ c:\windows\system32\drivers\mvstdi5x.sys
2009-02-20 19:15 . 2009-02-20 19:15 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-20 19:15 . 2009-02-20 19:15 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 19:13 . 2009-02-20 19:13 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 17:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-11 16:46 --------- d-----w c:\program files\Java
2009-02-26 00:06 --------- d-----w c:\program files\Replay Media Catcher
2009-01-30 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-26 21:44 --------- d-----w c:\program files\Galaxy
2008-06-11 16:20 56,912 ----a-w c:\documents and settings\bpolunin\g2mdlhlpx.exe
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\psligar ----

2009-03-11 00:05 1024 --ah----- c:\documents and settings\psligar\ntuser.dat.LOG
2009-03-11 00:05 1024 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2009-03-03 17:09 786432 --ah----- c:\documents and settings\psligar\NTUSER.DAT
2009-03-03 17:09 262144 ---h----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2009-03-03 17:09 178 --ahs---- c:\documents and settings\psligar\ntuser.ini
2009-03-03 17:07 32768 --a------ c:\documents and settings\psligar\Local Settings\History\History.IE5\index.dat
2009-03-03 17:03 62 --ahs---- c:\documents and settings\psligar\Local Settings\desktop.ini
2009-03-03 17:03 552 --a-s---- c:\documents and settings\psligar\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2009-03-03 17:03 132 --a-s---- c:\documents and settings\psligar\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2009-02-28 21:40 70456 --a------ c:\documents and settings\psligar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-06-04 03:03 636 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VSA\8.0\toolbox_reset.tbd
2008-06-04 03:03 636 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VSA\8.0\toolbox.tbd
2008-06-04 03:03 636 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\MSDN\8.0\toolbox_reset.tbd
2008-06-04 03:03 636 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\MSDN\8.0\toolbox.tbd
2008-06-04 03:03 526 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VSA\8.0\browsers.xml
2008-06-04 03:03 526 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VisualStudio\8.0\browsers.xml
2008-06-04 03:03 526 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\MSDN\8.0\browsers.xml
2008-06-04 03:03 526 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\browsers.xml
2008-06-04 03:03 503832 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VisualStudio\8.0\toolbox_reset.tbd
2008-06-04 03:03 503832 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VisualStudio\8.0\toolbox.tbd
2008-06-04 03:03 43405 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\toolbox_reset.tbd
2008-06-04 03:03 43405 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\toolbox.tbd
2008-06-04 03:03 4278 --a------ c:\documents and settings\psligar\Application Data\Microsoft\VSA\8.0\ActivityLog.xsl
2008-06-04 03:03 4278 --a------ c:\documents and settings\psligar\Application Data\Microsoft\MSDN\8.0\ActivityLog.xsl
2008-06-04 03:03 31 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\toolboxIndex_reset.tbd
2008-06-04 03:03 31 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\toolboxIndex.tbd
2008-06-04 03:03 294 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VisualStudio\8.0\toolboxIndex_reset.tbd
2008-06-04 03:03 294 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VisualStudio\8.0\toolboxIndex.tbd
2008-06-04 03:03 20 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VSA\8.0\toolboxIndex_reset.tbd
2008-06-04 03:03 20 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\VSA\8.0\toolboxIndex.tbd
2008-06-04 03:03 20 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\MSDN\8.0\toolboxIndex_reset.tbd
2008-06-04 03:03 20 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\MSDN\8.0\toolboxIndex.tbd
2008-04-23 03:18 978 --a------ c:\documents and settings\psligar\Application Data\Microsoft\VisualStudio\8.0\VsFontLk.dat
2008-04-23 03:17 67 --ahs---- c:\documents and settings\psligar\Local Settings\Temporary Internet Files\desktop.ini
2008-04-23 03:17 113 --ahs---- c:\documents and settings\psligar\Local Settings\History\History.IE5\desktop.ini
2008-04-23 03:17 113 --ahs---- c:\documents and settings\psligar\Local Settings\History\desktop.ini
2006-08-04 18:02 39936 --a------ c:\documents and settings\psligar\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch
2006-07-18 12:03 2698778 --ah----- c:\documents and settings\psligar\Local Settings\Application Data\IconCache.db
2006-07-18 12:01 800 --a------ c:\documents and settings\psligar\Desktop\Help and Support.lnk
2006-07-18 12:01 777 --a------ c:\documents and settings\psligar\Local Settings\Application Data\ApplicationHistory\fileEdit.exe.6448eaba.ini
2006-07-18 11:57 9946112 --a------ c:\documents and settings\psligar\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}\Java 2 Runtime Environment, SE v1.4.2_03.msi
2006-07-18 11:57 473 --a------ c:\documents and settings\psligar\Application Data\Sun\Java\Deployment\deployment.properties
2006-07-18 11:57 3584 --a------ c:\documents and settings\psligar\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}\1033.MST
2006-07-18 11:49 522 --a------ c:\documents and settings\psligar\Start Menu\Programs\Dell\Phone Support.lnk
2006-07-18 11:49 1211 --a------ c:\documents and settings\psligar\Start Menu\Programs\Dell Accessories\Express Service Code.lnk
2006-07-18 11:44 52 --a------ c:\documents and settings\psligar\Favorites\Dell\Dell Auction.url
2006-07-18 11:44 49 --a------ c:\documents and settings\psligar\Favorites\Dell\Support.Dell.Com.url
2006-07-18 11:44 45 --a------ c:\documents and settings\psligar\Favorites\Dell\Dell.url
2006-07-18 11:44 124 --a------ c:\documents and settings\psligar\Favorites\Dell\Dell Internet Security.url
2004-08-11 18:24 2852 --a------ c:\documents and settings\psligar\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
2004-08-11 18:23 21768 --a------ c:\documents and settings\psligar\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config
2004-08-11 18:23 1340 --a------ c:\documents and settings\psligar\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
2004-08-11 18:20 84 --ahs---- c:\documents and settings\psligar\My Documents\desktop.ini
2004-08-11 18:20 79 --a------ c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2004-08-11 18:20 708 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk
2004-08-11 18:20 683 --a------ c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2004-08-11 18:20 678 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Address Book.lnk
2004-08-11 18:20 671 --a------ c:\documents and settings\psligar\Start Menu\Programs\Internet Explorer.lnk
2004-08-11 18:20 642 --a------ c:\documents and settings\psligar\Start Menu\Programs\Outlook Express.lnk
2004-08-11 18:20 572 --a------ c:\documents and settings\psligar\My Documents\My Pictures\Sample Pictures.lnk
2004-08-11 18:20 542 --ahs---- c:\documents and settings\psligar\Start Menu\Programs\Accessories\desktop.ini
2004-08-11 18:20 542 --a------ c:\documents and settings\psligar\My Documents\My Music\Sample Music.lnk
2004-08-11 18:20 2570 --ahs---- c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\Desktop.htt
2004-08-11 18:20 234 --ahs---- c:\documents and settings\psligar\Start Menu\Programs\desktop.ini
2004-08-11 18:20 197 --a------ c:\documents and settings\psligar\Favorites\Radio Station Guide.url
2004-08-11 18:20 191 --ahs---- c:\documents and settings\psligar\My Documents\My Pictures\Desktop.ini
2004-08-11 18:20 189 --ahs---- c:\documents and settings\psligar\My Documents\My Music\Desktop.ini
2004-08-11 18:20 169 --a------ c:\documents and settings\psligar\Favorites\Links\Windows Marketplace.url
2004-08-11 18:20 150 --ahs---- c:\documents and settings\psligar\Recent\Desktop.ini
2004-08-11 18:20 122 --ahs---- c:\documents and settings\psligar\Favorites\Desktop.ini
2004-08-11 18:20 119 --ahs---- c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2004-08-11 18:20 119 --a------ c:\documents and settings\psligar\Favorites\MSN.com.url
2004-08-11 18:20 119 --a------ c:\documents and settings\psligar\Favorites\Links\Customize Links.url
2004-08-11 18:20 118 --a------ c:\documents and settings\psligar\Favorites\Links\Windows Media.url
2004-08-11 18:20 113 --a------ c:\documents and settings\psligar\Favorites\Links\Windows.url
2004-08-11 18:20 113 --a------ c:\documents and settings\psligar\Favorites\Links\Free Hotmail.url
2004-08-11 18:20 10389 --a------ c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\brndlog.txt
2004-08-11 18:20 0 --a------ c:\documents and settings\psligar\SendTo\My Documents.mydocs
2004-08-11 18:15 84 --ahs---- c:\documents and settings\psligar\Start Menu\Programs\Startup\desktop.ini
2004-08-11 18:15 84 --ahs---- c:\documents and settings\psligar\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2004-08-11 18:15 386 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2004-08-11 18:15 348 --ahs---- c:\documents and settings\psligar\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2004-08-11 18:15 1503 --a------ c:\documents and settings\psligar\Start Menu\Programs\Remote Assistance.lnk
2004-08-11 18:15 1459 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Command Prompt.lnk
2004-08-11 18:15 1443 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2004-08-11 18:15 1436 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2004-08-11 18:15 1431 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2004-08-11 18:15 1429 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2004-08-11 18:15 1423 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Synchronize.lnk
2004-08-11 18:15 1423 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Notepad.lnk
2004-08-11 18:15 1405 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2004-08-11 18:14 720896 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2004-08-11 18:14 498 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2004-08-11 18:14 141 --a------ c:\documents and settings\psligar\Application Data\Microsoft\Internet Explorer\brndlog.bak
2004-08-11 18:14 12784 --a------ c:\documents and settings\psligar\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2004-08-11 18:13 181 --ahs---- c:\documents and settings\psligar\SendTo\desktop.ini
2004-08-11 18:13 1391 --a------ c:\documents and settings\psligar\Start Menu\Programs\Accessories\Windows Explorer.lnk
2004-08-11 18:13 0 --a------ c:\documents and settings\psligar\SendTo\Mail Recipient.MAPIMail
2004-08-11 18:13 0 --a------ c:\documents and settings\psligar\SendTo\Desktop (create shortcut).DeskLink
2004-08-11 18:13 0 --a------ c:\documents and settings\psligar\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2004-08-11 18:07 62 --ahs---- c:\documents and settings\psligar\Start Menu\desktop.ini
2004-08-11 18:07 62 --ahs---- c:\documents and settings\psligar\Application Data\desktop.ini
2004-08-04 06:00 58 --a------ c:\documents and settings\psligar\Templates\sndrec.wav
2004-08-04 06:00 57 --a------ c:\documents and settings\psligar\Templates\wordpfct.wpg
2004-08-04 06:00 5632 --a------ c:\documents and settings\psligar\Templates\excel.xls
2004-08-04 06:00 461 --a------ c:\documents and settings\psligar\Templates\presenta.shw
2004-08-04 06:00 4608 --a------ c:\documents and settings\psligar\Templates\winword.doc
2004-08-04 06:00 4570 --a------ c:\documents and settings\psligar\Templates\amipro.sam
2004-08-04 06:00 4017 --a------ c:\documents and settings\psligar\Templates\quattro.wb2
2004-08-04 06:00 30 --a------ c:\documents and settings\psligar\Templates\wordpfct.wpd
2004-08-04 06:00 2448 --a------ c:\documents and settings\psligar\Templates\lotus.wk4
2004-08-04 06:00 1769 --a------ c:\documents and settings\psligar\Templates\winword2.doc
2004-08-04 06:00 1518 --a------ c:\documents and settings\psligar\Templates\excel4.xls
2004-08-04 06:00 12288 --a------ c:\documents and settings\psligar\Templates\powerpnt.ppt

---- Directory of C:\e695dbab6f220fa305e4ad5b538902 ----

2009-02-23 17:09 788 --ah----- c:\e695dbab6f220fa305e4ad5b538902\$shtdwn$.req
2009-02-11 21:56 24520 --a------ c:\e695dbab6f220fa305e4ad5b538902\mrtstub.exe
2009-02-11 21:56 21244872 --a------ c:\e695dbab6f220fa305e4ad5b538902\mrt.exe

---- Directory of c:\windows\system32\3361 ----

2009-03-01 06:10 4 --a------ c:\windows\system32\3361\mlog


((((((((((((((((((((((((((((( SnapShot_2009-03-10_13.11.36.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
- 2009-03-09 22:59:33 1,165,584 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-11 17:56:00 1,165,584 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2009-03-09 22:59:33 20,240 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-11 17:56:01 20,240 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-03-09 22:59:33 217,864 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-11 17:56:01 217,864 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2009-03-09 22:59:34 18,704 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-11 17:56:01 18,704 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-03-09 22:59:34 35,088 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-11 17:56:01 35,088 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-03-09 22:59:33 845,584 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-11 17:56:01 845,584 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-03-09 22:59:33 922,384 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-11 17:56:01 922,384 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2009-03-09 22:59:33 272,648 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-11 17:56:01 272,648 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2009-03-09 22:59:34 888,080 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-11 17:56:01 888,080 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-03-09 22:59:33 1,172,240 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-11 17:56:01 1,172,240 ----a-r c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-05 06:54:55 144,896 ------w c:\windows\system32\dllcache\schannel.dll
+ 2008-06-17 19:02:19 8,461,312 ------w c:\windows\system32\dllcache\shell32.dll
- 2008-09-15 12:12:56 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
- 2008-10-24 21:49:59 270,984 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 17:58:03 270,984 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-11-19 442368]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-10-02 81920]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-06 18:03 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-07 10:08 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-08-09 15:41 4617720 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Tools\\Binn\\VSShell\\Common7\\IDE\\SqlWb.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-20 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-02-23 58464]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\vcdcontrolpanel\VCdRom.sys [2008-06-03 8576]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 19:15]

2009-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
TCP: {66374EF0-1FF9-4A70-9584-2E10BA00081A} = 10.218.36.210,10.218.36.181
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 18:54:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-409800705-1564488996-1541874228-2363\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{07F69B93-795C-4777-4410-3296887861AB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialcpmibkiffihmfak"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
"handbmnhefeojfkl"=hex:69,61,67,70,6c,68,64,6b,66,6b,6e,68,63,62,69,65,6e,63,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\progra~1\MICROS~4\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\windows\system32\rundll32.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2009-03-11 18:58:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-11 22:58:08
ComboFix2.txt 2009-03-10 21:37:50
ComboFix3.txt 2009-03-10 17:12:51
ComboFix4.txt 2009-03-09 22:26:40

Pre-Run: 125,807,566,848 bytes free
Post-Run: 125,832,032,256 bytes free

401 --- E O F --- 2009-03-11 17:56:58
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 11th, 2009, 7:24 pm

Hi, Can I see a further HJT log and let me know how things are with the pc.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 11th, 2009, 7:55 pm

The PC is running fine. Don't see any signs of anything. One thing, my MS Outlook seems to be hanging up now since the last run of ComboFix but I am not sure if one thing has anything to do with another.
Here is the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:53 PM, on 03/11/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebe ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\Software\..\Telephony: DomainName = travelinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9705 bytes
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby dan12 » March 12th, 2009, 4:31 pm

Have you set these domains?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\Software\..\Telephony: DomainName = travelinc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = travelinc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{66374EF0-1FF9-4A70-9584-2E10BA00081A}: NameServer = 10.218.36.210,10.218.36.181

---------------------


Please can you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.





Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX. click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


post report
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help. Got infected!!!. HJT log here. Thanks

Unread postby bpolunin » March 13th, 2009, 12:09 pm

Hi, yes, those domains are set by me.

Here is the list of installed programs:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Ad-Aware
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
Adobe Reader Japanese Fonts
Adobe Shockwave Player 11
Apple Software Update
AttachmentOptions
Big Fish Games Client
Bluesoleil2.6.0.8 Release 070517
Broadcom Advanced Control Suite
Business Contact Manager for Outlook 2007 SP1
Business Contact Manager for Outlook 2007 SP1
CDBurnerXP
Crystal Reports
DivX Codec
DivX Converter
ESET Online Scanner
Express Burn
Galaxy
GDR 1406 for SQL Server Tools and Workstation Components 2005 ENU (KB932557)
Google Talk (remove only)
Hidden Wonders of the Depths
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows XP (KB952287)
InstallShield for Microsoft Visual C++ 6
Intel Matrix Storage Manager
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Lotus NotesSQL 2.06 driver
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Monitor Clean
Mozilla Firefox (2.0.0.14)
MSDN Library - April 2004
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Musicmatch® Jukebox
NCH Toolbox
NVIDIA Drivers
Nvu 1.0
pdfFactory
QuickTime
RealPlayer
Replay Media Catcher
Replay Media Catcher
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sheridan Data Widgets 3.1
Skype™ 3.5
SQL Server 2000 DTS Designer Components
SQLXML4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
URL Assistant
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Web CEO 7.7
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Media Format Runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! SiteBuilder
Yahoo! Toolbar

Eset did not find any threats.

Thanks.
bpolunin
Active Member
 
Posts: 11
Joined: March 9th, 2009, 1:33 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 23 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware