
Please take a look at my HJT log file please :]


Post by Aspire » January 3rd, 2008, 2:42 pm

About a month ago I started having trouble with an MSN virus; it would always send suspicious links to everyone online in my contacts list. Somehow that stopped, and I deleted a bunch of stuff with VundoFix, NOD32 and Spybot, but now my computer is running very slowly, my CPU is always at 100% even when I'm not running any programs, and multiple programs have been deleted from my computer (including Windows Live Messenger). The two recurring problematic items are pkguard32.exe and nnnmjjj.dll. Here's my log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:35:43 AM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\nod32.exe
C:\Documents and Settings\Connor Adams\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8FAE8A7F-AE28-466D-87F1-6ACF0F8C3FEC} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0EEDC94-E177-43D2-B600-84E7AC69969B} - C:\WINDOWS\system32\nnnmjjj.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock .exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PK Guard] C:\WINDOWS\system32\pkguard32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O20 - Winlogon Notify: nnnmjjj - C:\WINDOWS\SYSTEM32\nnnmjjj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9145 bytes


Thanks in advance!
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm
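As an added example (not part of the thread, and not code from HijackThis itself), here is a small Python triage script that parses the O2, O4 and O20 lines of a HijackThis log and flags the patterns a volunteer analyst looks at first: nameless BHOs loading from system32, Run entries that execute an unknown program from system32, and Winlogon Notify DLLs, with a crude random-name heuristic for Vundo-style filenames. The sample lines are copied from the log above; the small system32 allowlist and the heuristic thresholds are my assumptions.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: these lines are copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8FAE8A7F-AE28-466D-87F1-6ACF0F8C3FEC} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: (no name) - {B0EEDC94-E177-43D2-B600-84E7AC69969B} - C:\WINDOWS\system32\nnnmjjj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PK Guard] C:\WINDOWS\system32\pkguard32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: nnnmjjj - C:\WINDOWS\SYSTEM32\nnnmjjj.dll
"""

# HJT lines look like "<kind> - <rest>", e.g. "O2 - BHO: ...", "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
O2_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
# Assumed allowlist, kept deliberately small: Windows programs commonly launched from Run keys.
KNOWN_SYSTEM32_RUN = {"rundll32.exe", "ctfmon.exe"}


@dataclass
class Entry:
    kind: str   # HJT section, e.g. "O2"
    name: str   # BHO name, Run value name or Notify subkey name
    path: str   # file path or command line


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line into an Entry; returns None for lines we do not triage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    sub = {"O2": O2_RE, "O4": O4_RE, "O20": O20_RE}.get(kind)
    if sub is None:
        return None
    ms = sub.match(rest)
    return Entry(kind, ms.group("name"), ms.group("path")) if ms else None


def first_executable(command: str) -> str:
    """Program part of an O4 command line: the quoted path, or everything up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", command)
    return m.group(1) if m else command.split(" ", 1)[0]


def stem_of(path: str) -> str:
    """Filename without directory and extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude heuristic (assumed thresholds): five or more letters with no vowel, or a run of 5+ consonants."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 5:
        return False
    if not re.search(r"[aeiouy]", letters):
        return True
    return re.search(r"[^aeiouy]{5,}", letters) is not None


def triage(log_text: str) -> List[Finding]:
    """Return the entries an analyst should review first, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.kind == "O2":
            if e.path == "(no file)":
                findings.append(Finding(e, "orphaned BHO registration (no file); leftover, safe to fix"))
            elif e.name == "(no name)" and SYSTEM32.match(e.path):
                reason = "nameless BHO loading from system32"
                if looks_random(stem_of(e.path)):
                    reason += "; random-looking filename"
                findings.append(Finding(e, reason))
        elif e.kind == "O4":
            exe = first_executable(e.path)
            base = exe.rsplit("\\", 1)[-1].lower()
            if SYSTEM32.match(exe) and base not in KNOWN_SYSTEM32_RUN:
                findings.append(Finding(e, "Run entry executes an unknown program from system32"))
        elif e.kind == "O20":
            reason = "Winlogon Notify DLL is loaded by winlogon at every logon; review"
            if looks_random(stem_of(e.path)):
                reason += "; random-looking filename"
            findings.append(Finding(e, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind:>4} [{f.entry.name}] {f.entry.path}\n     -> {f.reason}")
```

On the sample above the script reports the two nameless system32 BHOs, the PK Guard Run entry and the nnnmjjj Winlogon Notify entry, while the Adobe BHO, the NVIDIA rundll32 entry and TeaTimer pass.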

Re: Please take a look at my HJT log file please :]

Post by Scotty » January 3rd, 2008, 7:44 pm

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager, do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Please take a look at my HJT log file please :]

Post by Aspire » January 3rd, 2008, 10:20 pm

Thanks Scotty, here is the uninstall list:

Acoustica Effects Pack
Acoustica Mixcraft 3
Ad-Aware SE Personal
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop Elements 4.0
Adobe Reader 8.1.0
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AIM 6
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Aston.1.9.3.1 Xmas edition
Blaze Media Pro
Build Your Own Net Dream (remove only)
Cheat Engine 5.3
CleanUp!
Counter-Strike: Source v17
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
Data Lifeguard Tools
DivX Web Player
Dream Aquarium
DVD Flick
File and Folder Protector v2.8
FL Studio 7
FlashGet 1.9.0.1012
FLV Player 1.3.3
Gogglebox TV
Grab & Burn, Version 5.0.2 Free( Build 2006-08-23, Win32, CSS )
GTA San Andreas
GTK+ 2.10.6-1 runtime environment
Hare 1.5.1
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IL Download Manager
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Launchy 1.0
Lernout & Hauspie TruVoice American English TTS Engine
LG USB Drivers
LimeWire PRO 4.12.11
Macromedia Shockwave Player
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual Basic 2005 Express Edition: Build a Program Now!
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7
neroxml
NOD32 antivirus system
NOD32 FiX
NVIDIA Drivers
OpenSSL 0.9.6m
PDF Settings
Picasa 2
Pocket Tanks Deluxe
Postal Fudge Pack
PowerDirector
PowerDVD
Project64 1.6
QuickTime
RealPlayer
Realtek AC'97 Audio
Replay Converter 2.20
RocketDock 1.3.1
Salon Styler Pro
SAM Broadcaster (remove only)
Samsung CamCorder Driver
Sauerbraten
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SereneScreen Marine Aquarium 2.6
SHOUTcast Source DSP 1.9.0 (remove only)
Skype 2.0
SmartSound Quicktracks Plugin
Spybot - Search & Destroy
Steam
System Requirements Lab
The GIMP 2.2.13
The Sims 2
Total Video Converter 3.11 070908
Ulead VideoStudio 9.0 SE DVD
Uninstall JL2005A Toy Camera
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
UseNeXT
V CAST Music
VIA Platform Device Manager
VIA/S3G Display Driver
VideoLAN VLC media player 0.8.6b
Viewpoint Media Player
Winamp (remove only)
WinAVI Video Converter
WindowBlinds
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft
Xfire (remove only)
YouTUBE (TM) movie downloader
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm

Re: Please take a look at my HJT log file please :]

Post by Scotty » January 4th, 2008, 3:40 pm

Hi

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer-to-Peer programs themselves is here:
Clean/Infected P2P Programs
Please refrain from using LimeWire during the course of your fix, so you don't risk inviting more malware onto your computer.


Disable Teatimer
First:

  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident

Second:

  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start > Run, copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Please take a look at my HJT log file :]

Post by Aspire » January 5th, 2008, 2:27 am

ComboFix log

ComboFix 08-01-04.1 - Connor Adams 2008-01-04 20:39:25.1 - NTFSx86
Running from: C:\Documents and Settings\Connor Adams\desktop\combofix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Connor Adams\Application Data\Install.dat
C:\WINDOWS\00.exe
C:\WINDOWS\777.exe
C:\WINDOWS\system32\ddcdcca.dll
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\hggfdcc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\nnnmjjj.dll
C:\WINDOWS\system32\opnllmk.dll
C:\WINDOWS\system32\tuvsqnk.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 20:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 19:36 . 2008-01-04 19:36 323,072 --a------ C:\WINDOWS\system32\pmnnm.Vdll
2008-01-04 19:36 . 2008-01-04 19:36 39,936 --a------ C:\WINDOWS\system32\nnnmjjj.Vdll
2008-01-04 19:06 . 2008-01-04 19:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-04 18:45 . 2008-01-04 19:11 326,656 --a------ C:\WINDOWS\system32\pmnnm.exe
2008-01-03 16:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-03 16:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-03 16:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-03 15:57 . 2008-01-03 16:22 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 15:52 . 2008-01-03 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-28 21:34 . 2007-12-28 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-28 21:34 . 2007-12-28 21:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 13:12 . 2007-12-27 16:38 <DIR> d-------- C:\VundoFix Backups
2007-12-26 21:49 . 2007-12-26 21:49 1,044,480 --a------ C:\WINDOWS\activate3.exe
2007-12-26 21:38 . 2007-12-26 21:38 1,044,480 --a------ C:\WINDOWS\activat.exe
2007-12-26 21:13 . 2007-12-26 21:13 1,044,480 --a------ C:\WINDOWS\activate2.exe
2007-12-26 20:52 . 2007-12-26 20:55 1,044,480 --a------ C:\WINDOWS\activate.exe
2007-12-25 17:49 . 2007-12-26 14:21 961 --a------ C:\WINDOWS\srvdsgf.exe
2007-12-25 17:44 . 2007-12-25 17:45 <DIR> d-------- C:\Program Files\Total Video Converter
2007-12-25 17:05 . 2003-06-23 01:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-12-25 17:05 . 2003-08-29 00:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax
2007-12-25 17:05 . 2001-05-16 16:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-25 17:05 . 2001-03-26 03:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\Amadis Software
2007-12-25 16:56 . 2007-12-25 16:56 244 --ah----- C:\sqmnoopt03.sqm
2007-12-25 11:44 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-25 11:02 . 2007-12-27 12:05 <DIR> d-------- C:\Program Files\Zune
2007-12-23 11:19 . 2007-12-23 11:20 323,072 --a------ C:\WINDOWS\system32\pmnnm.dll
2007-12-22 14:58 . 2007-12-22 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 10:43 . 2007-12-22 10:55 188,416 --a------ C:\WINDOWS\spd.exe
2007-12-17 19:29 . 2007-12-17 19:29 69,648 --a------ C:\WINDOWS\aaas.exe
2007-12-12 19:16 . 2007-12-12 19:17 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\UseNeXT
2007-12-12 19:15 . 2007-12-12 19:16 <DIR> d-------- C:\Program Files\UseNeXT
2007-12-12 19:15 . 2007-12-12 19:15 2,175,488 --a------ C:\WINDOWS\system32\usenext_client.exe
2007-12-12 17:38 . 2008-01-03 12:58 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 17:34 . 2007-12-12 17:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-06 22:36 . 2007-12-06 22:36 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 03:11 --------- d-----w C:\Program Files\RocketDock
2008-01-05 02:47 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Launchy
2008-01-04 00:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 00:39 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-03 23:54 --------- d-----w C:\Program Files\Windows Live
2007-12-27 20:05 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:03 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-27 08:15 --------- d-----w C:\Program Files\FlashGet
2007-12-26 18:16 --------- d-----w C:\Program Files\Astonsoft
2007-12-23 21:35 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DVD Flick
2007-12-23 20:33 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\U3
2007-12-23 02:56 --------- d-----w C:\Program Files\Winamp
2007-12-22 08:31 --------- d-----w C:\Program Files\LimeWire
2007-12-17 23:14 --------- d-----w C:\Program Files\Steam
2007-12-13 01:38 --------- d-----w C:\Program Files\iPod
2007-11-30 04:09 --------- d-----w C:\Program Files\Postal2STP
2007-11-28 06:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-28 06:44 --------- d-----w C:\Program Files\Blaze Media Pro
2007-11-28 05:56 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\dvdcss
2007-11-28 01:44 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\FinalBurner Video DVD
2007-11-17 09:06 --------- d-----w C:\Program Files\DVD Flick
2007-11-17 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-11-17 07:55 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Thinstall
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DeepBurner Pro
2007-11-16 07:18 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Ahead
2007-11-16 05:38 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-15 15:26 --------- d-----w C:\Program Files\Apple Software Update
2007-11-15 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 00:51 --------- d-----w C:\Program Files\Cheat Engine
2007-11-10 18:23 --------- d-s---w C:\Program Files\Xfire
2007-11-10 05:10 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Xfire
2002-12-28 15:34 49,215 ----a-w C:\Program Files\Phone_ Ring.mp3
1998-10-31 00:45 199,680 ----a-w C:\Program Files\a3dapi.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
----a-w           153,136 2007-12-26 17:21:08  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           152,872 2007-12-26 17:21:24  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w           165,784 2007-12-26 17:21:18  C:\Program Files\DAEMON Tools\daemon .exe
----a-w           949,376 2007-12-26 17:20:59  C:\Program Files\ESET\nod32kui .exe
----a-w           267,048 2007-12-26 17:21:16  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-26 17:21:16  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2007-12-26 17:22:04  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-04 01:54:39  C:\Program Files\QuickTime\QTTask .exe
----a-w           630,784 2008-01-04 01:59:53  C:\Program Files\RocketDock\RocketDock  .exe
----a-w           630,784 2008-01-04 02:00:07  C:\Program Files\RocketDock\RocketDock .exe
----a-w         1,460,560 2007-12-26 17:21:35  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           166,304 2007-12-26 17:21:17  C:\Program Files\Zune\ZuneLauncher .exe
----a-w            83,968 2007-12-26 17:21:40  C:\WINDOWS\ffpext\ffpsrv  .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61A58253-D492-4E15-9218-AFE997A74616}]
2007-12-23 11:20 323072 --a------ C:\WINDOWS\system32\pmnnm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2008-01-04 19:35 630784]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-01-04 19:35 5724184]
"PK Guard"="C:\WINDOWS\system32\pkguard32.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 17:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-04 19:35 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 21:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Connor Adams\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 00:12:44]
Hare.lnk - C:\Program Files\Dachshund Software\Hare\Hare.exe [2002-09-21 11:26:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-08-12 15:49:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 00000000
"DisableChangePassword"= 00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmjjj]
nnnmjjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-13 09:57 221184 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

R0 Fasttrak;Fasttrak;C:\WINDOWS\system32\drivers\Fasttrak.sys [2003-04-23 10:23]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-26 08:22]
R1 FDCDNT;FDCDNT;C:\WINDOWS\system32\drivers\FDCDNT.SYS [2007-01-27 18:27]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys [2005-12-16 00:53]
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys [2005-07-19 16:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 19:22]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 aac;aac;C:\WINDOWS\system32\drivers\aac.sys [2003-12-15 21:01]
S4 aarsi3x;aarsi3x;C:\WINDOWS\system32\drivers\aarsi3x.sys [2004-11-11 17:09]
S4 hpt374;hpt374;C:\WINDOWS\system32\drivers\hpt374.sys [2003-11-12 15:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 06:10]
S4 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fe12fa2-0d50-11dc-b759-00142aecaacb}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a397a9f9-8f2a-11da-abaf-806d6172696f}]
\Shell\AutoRun\command - D:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 17:17:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:36:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-01-04 21:43:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 05:43:33
.
2008-01-05 03:09:25 --- E O F ---

HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:26:02 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Connor Adams\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61A58253-D492-4E15-9218-AFE997A74616} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PK Guard] C:\WINDOWS\system32\pkguard32.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O20 - Winlogon Notify: nnnmjjj - nnnmjjj.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8920 bytes


(If it helps, I've noticed an extreme difference after I ran ComboFix: my computer is running way faster and the programs that weren't working before are now working.)
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm

Re: Please take a look at my HJT log file please :]

Unread postby Scotty » January 5th, 2008, 8:06 pm

Hello

Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to re-enable the anti-virus before reconnecting to the Internet.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\system32\pmnnm.Vdll
C:\WINDOWS\system32\nnnmjjj.Vdll
C:\WINDOWS\system32\pmnnm.exe
C:\WINDOWS\activate3.exe
C:\WINDOWS\activat.exe
C:\WINDOWS\activate2.exe
C:\WINDOWS\activate.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\aaas.exe
C:\WINDOWS\system32\pkguard32.exe

RenV::
----a-w           153,136 2007-12-26 17:21:08  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           152,872 2007-12-26 17:21:24  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w           267,048 2007-12-26 17:21:16  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-26 17:21:16  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2007-12-26 17:22:04  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-04 01:54:39  C:\Program Files\QuickTime\QTTask .exe
----a-w           630,784 2008-01-04 01:59:53  C:\Program Files\RocketDock\RocketDock  .exe
----a-w           630,784 2008-01-04 02:00:07  C:\Program Files\RocketDock\RocketDock .exe
----a-w         1,460,560 2007-12-26 17:21:35  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           166,304 2007-12-26 17:21:17  C:\Program Files\Zune\ZuneLauncher .exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61A58253-D492-4E15-9218-AFE997A74616}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PK Guard"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmjjj]
 

 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
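
As an added illustration (not code from the thread or from the HijackThis/ComboFix authors), the Python below shows how a helper might triage the two kinds of log posted in this thread: it parses the O-lines of a HijackThis log and flags the indicators the helpers actually reacted to here (a BHO registered with no name, a Winlogon Notify package whose DLL is reported missing, a Run entry launching a bare executable straight out of system32), and it scans RenV-style lines such as those in the CFScript above for file names that carry a stray space before their extension. The sample log lines are copied from the posts above; the clean RocketDock RenV line is constructed for contrast. The heuristics are assumptions chosen to match this thread, not a complete rule set.

```python
import re

# Constructed sample: a handful of O-lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61A58253-D492-4E15-9218-AFE997A74616} - C:\WINDOWS\system32\pmnnm.dll
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [PK Guard] C:\WINDOWS\system32\pkguard32.exe
O20 - Winlogon Notify: nnnmjjj - nnnmjjj.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed sample: two RenV lines from the CFScript above plus one clean line for contrast.
RENV_SAMPLE = r"""
----a-w           153,136 2007-12-26 17:21:08  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\QuickTime\QTTask  .exe
----a-w           630,784 2008-01-04 02:00:07  C:\Program Files\RocketDock\RocketDock.exe
"""

# HijackThis lines look like "O2 - <body>", "O4 - <body>", ... ; keep section and body.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# RenV lines: attributes, size, date, time, then the path (which may contain spaces).
RENV_RE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\S+ \S+)\s+(.*)$")

# A Run entry whose command is a bare executable living directly in system32.
SYSTEM32_EXE_RE = re.compile(r'\]\s*"?(C:\\WINDOWS\\system32\\[^\\\s"]+\.exe)', re.I)


def parse_hjt(text):
    """Return (section, body) tuples for every O-line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(text):
    """Return (section, reason, body) for entries worth a second look.

    Assumed heuristics, taken from what the helpers flagged in this thread:
    an unnamed BHO, a missing Winlogon Notify DLL, and a Run entry that
    launches an executable straight from system32 rather than a vendor folder.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and "(no name)" in body:
            findings.append((section, "BHO with no name", body))
        elif section == "O20" and "(file missing)" in body:
            findings.append((section, "Winlogon Notify DLL missing", body))
        elif section == "O4" and SYSTEM32_EXE_RE.search(body):
            findings.append((section, "Run entry launches from system32", body))
    return findings


def find_spaced_extensions(text):
    """Return paths from RenV-style lines whose file name has whitespace before the extension."""
    hits = []
    for line in text.splitlines():
        m = RENV_RE.match(line.strip())
        if not m:
            continue
        path = m.group(4).strip()
        name = path.rsplit("\\", 1)[-1]          # file name only
        if re.search(r"\s+\.[A-Za-z0-9]+$", name):  # e.g. "NeroCheck .exe"
            hits.append(path)
    return hits


if __name__ == "__main__":
    for section, reason, body in triage_hjt(HJT_SAMPLE):
        print(f"{section}: {reason}: {body}")
    for path in find_spaced_extensions(RENV_SAMPLE):
        print(f"space before extension: {path}")
```

Run as a script it prints the three flagged HijackThis entries and the two RenV paths; in a real triage you would feed it the full log text and read the flagged lines alongside the rest of the log, since none of these heuristics is proof of infection on its own.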

Re: Please take a look at my HJT log file please :]

Unread postby Aspire » January 12th, 2008, 6:29 pm

Sorry it took so long, I just stumbled upon the log and I just remembered.

Combofix.txt:

ComboFix 08-01-04.1 - Connor Adams 2008-01-05 16:18:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.641 [GMT -8:00]
Running from: C:\Documents and Settings\Connor Adams\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Connor Adams\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\aaas.exe
C:\WINDOWS\activat.exe
C:\WINDOWS\activate.exe
C:\WINDOWS\activate2.exe
C:\WINDOWS\activate3.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\system32\nnnmjjj.Vdll
C:\WINDOWS\system32\pkguard32.exe
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.exe
C:\WINDOWS\system32\pmnnm.Vdll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\is.exe.bad
C:\VundoFix Backups\lux.exe.bad
C:\VundoFix Backups\s02.exe.bad
C:\VundoFix Backups\th.exe.bad
C:\VundoFix Backups\th3.exe.bad
C:\WINDOWS\aaas.exe
C:\WINDOWS\activat.exe
C:\WINDOWS\activate.exe
C:\WINDOWS\activate2.exe
C:\WINDOWS\activate3.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\system32\nnnmjjj.Vdll
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.exe
C:\WINDOWS\system32\pmnnm.Vdll

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-04 20:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 19:06 . 2008-01-04 19:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 16:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-03 16:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-03 16:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-03 15:57 . 2008-01-03 16:22 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 15:52 . 2008-01-03 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-28 21:34 . 2007-12-28 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-28 21:34 . 2007-12-28 21:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-25 17:44 . 2007-12-25 17:45 <DIR> d-------- C:\Program Files\Total Video Converter
2007-12-25 17:05 . 2003-06-23 01:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-12-25 17:05 . 2003-08-29 00:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax
2007-12-25 17:05 . 2001-05-16 16:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-25 17:05 . 2001-03-26 03:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\Amadis Software
2007-12-25 16:56 . 2007-12-25 16:56 244 --ah----- C:\sqmnoopt03.sqm
2007-12-25 11:44 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-25 11:02 . 2007-12-27 12:05 <DIR> d-------- C:\Program Files\Zune
2007-12-22 14:58 . 2007-12-22 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 10:43 . 2007-12-22 10:55 188,416 --a------ C:\WINDOWS\spd.exe
2007-12-12 19:16 . 2007-12-12 19:17 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\UseNeXT
2007-12-12 19:15 . 2007-12-12 19:16 <DIR> d-------- C:\Program Files\UseNeXT
2007-12-12 19:15 . 2007-12-12 19:15 2,175,488 --a------ C:\WINDOWS\system32\usenext_client.exe
2007-12-12 17:38 . 2008-01-03 12:58 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 17:34 . 2007-12-12 17:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-06 22:36 . 2007-12-06 22:36 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 00:12 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Launchy
2008-01-05 09:58 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-05 03:11 --------- d-----w C:\Program Files\RocketDock
2008-01-04 00:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 00:39 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-03 23:54 --------- d-----w C:\Program Files\Windows Live
2007-12-27 20:05 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:03 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-27 08:15 --------- d-----w C:\Program Files\FlashGet
2007-12-26 18:16 --------- d-----w C:\Program Files\Astonsoft
2007-12-23 21:35 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DVD Flick
2007-12-23 20:33 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\U3
2007-12-23 02:56 --------- d-----w C:\Program Files\Winamp
2007-12-22 08:31 --------- d-----w C:\Program Files\LimeWire
2007-12-17 23:14 --------- d-----w C:\Program Files\Steam
2007-12-13 01:38 --------- d-----w C:\Program Files\iPod
2007-11-30 04:09 --------- d-----w C:\Program Files\Postal2STP
2007-11-28 06:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-28 06:44 --------- d-----w C:\Program Files\Blaze Media Pro
2007-11-28 05:56 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\dvdcss
2007-11-28 01:44 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\FinalBurner Video DVD
2007-11-17 09:06 --------- d-----w C:\Program Files\DVD Flick
2007-11-17 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-11-17 07:55 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Thinstall
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DeepBurner Pro
2007-11-16 07:18 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Ahead
2007-11-16 05:51 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-16 05:51 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-16 05:51 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-16 05:51 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-16 05:51 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-16 05:51 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-16 05:38 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-15 15:26 --------- d-----w C:\Program Files\Apple Software Update
2007-11-15 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 00:51 --------- d-----w C:\Program Files\Cheat Engine
2007-11-10 18:23 --------- d-s---w C:\Program Files\Xfire
2007-11-10 05:10 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Xfire
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 21:09 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-10-18 19:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
2002-12-28 15:34 49,215 ----a-w C:\Program Files\Phone_ Ring.mp3
1998-10-31 00:45 199,680 ----a-w C:\Program Files\a3dapi.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
<pre>
----a-w           165,784 2007-12-26 17:21:18  C:\Program Files\DAEMON Tools\daemon .exe
----a-w           949,376 2007-12-26 17:20:59  C:\Program Files\ESET\nod32kui .exe
----a-w           267,048 2007-12-26 17:21:16  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-26 17:21:16  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2007-12-26 17:22:04  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-04 01:54:39  C:\Program Files\QuickTime\QTTask .exe
----a-w           630,784 2008-01-04 01:59:53  C:\Program Files\RocketDock\RocketDock  .exe
----a-w           630,784 2008-01-04 02:00:07  C:\Program Files\RocketDock\RocketDock .exe
----a-w         1,460,560 2007-12-26 17:21:35  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           166,304 2007-12-26 17:21:17  C:\Program Files\Zune\ZuneLauncher .exe
----a-w            83,968 2007-12-26 17:21:40  C:\WINDOWS\ffpext\ffpsrv  .exe
</pre>



((((((((((((((((((((((((((((( snapshot@2008-01-04_21.43.13.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-08-05 20:13:24 387,800 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.BatchParser\9.0.242.0__89845dcd8080cc91\microsoft.sqlserver.batchparser.dll
+ 2008-01-05 09:53:34 363,376 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.BatchParser\9.0.242.0__89845dcd8080cc91\microsoft.sqlserver.batchparser.dll
- 2006-08-05 20:13:24 75,480 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.MgdSqlDumper\9.0.242.0__89845dcd8080cc91\microsoft.sqlserver.mgdsqldumper.dll
+ 2008-01-05 09:53:34 78,192 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.MgdSqlDumper\9.0.242.0__89845dcd8080cc91\microsoft.sqlserver.mgdsqldumper.dll
- 2006-08-05 20:13:38 1,607,896 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.Replication\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Replication.dll
+ 2008-01-05 09:53:48 1,626,480 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.SqlServer.Replication\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Replication.dll
- 2006-08-05 20:13:26 539,352 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.AdomdClient.dll
+ 2008-01-05 09:53:36 546,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.AdomdClient.dll
- 2006-08-05 20:13:24 137,944 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices.DeploymentEngine\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.DeploymentEngine.dll
+ 2008-01-05 09:53:34 140,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices.DeploymentEngine\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.DeploymentEngine.dll
- 2006-08-05 20:13:24 1,211,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.DLL
+ 2008-01-05 09:53:34 1,217,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.AnalysisServices\9.0.242.0__89845dcd8080cc91\Microsoft.AnalysisServices.DLL
- 2006-08-05 20:13:24 35,544 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.DataWarehouse.Interfaces\9.0.242.0__89845dcd8080cc91\Microsoft.DataWarehouse.Interfaces.DLL
+ 2008-01-05 09:53:34 38,256 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.DataWarehouse.Interfaces\9.0.242.0__89845dcd8080cc91\Microsoft.DataWarehouse.Interfaces.DLL
- 2006-08-05 20:11:57 133,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.NetEnterpriseServers.ExceptionMessageBox\9.0.242.0__89845dcd8080cc91\Microsoft.NetEnterpriseServers.ExceptionMessageBox.dll
+ 2008-01-05 09:51:54 136,560 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.NetEnterpriseServers.ExceptionMessageBox\9.0.242.0__89845dcd8080cc91\Microsoft.NetEnterpriseServers.ExceptionMessageBox.dll
- 2006-08-05 20:13:23 150,232 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.ConnectionInfo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.ConnectionInfo.dll
+ 2008-01-05 09:53:34 157,040 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.ConnectionInfo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.ConnectionInfo.dll
- 2006-08-05 20:11:58 43,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.CustomControls\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.CustomControls.dll
+ 2008-01-05 09:51:54 46,448 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.CustomControls\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.CustomControls.dll
- 2006-08-05 20:11:58 199,384 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.GridControl\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.GridControl.dll
+ 2008-01-05 09:51:54 202,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.GridControl\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.GridControl.dll
- 2006-08-05 20:13:24 68,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.RegSvrEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.RegSvrEnum.dll
+ 2008-01-05 09:53:34 71,024 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.RegSvrEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.RegSvrEnum.dll
- 2006-08-05 20:13:24 555,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.Rmo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Rmo.dll
+ 2008-01-05 09:53:34 558,448 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.Rmo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Rmo.dll
- 2006-08-05 20:13:24 39,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.ServiceBrokerEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.ServiceBrokerEnum.dll
+ 2008-01-05 09:53:34 42,352 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.ServiceBrokerEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.ServiceBrokerEnum.dll
- 2006-08-05 20:13:23 1,559,256 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.Smo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Smo.dll
+ 2008-01-05 09:53:33 1,598,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.Smo\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.Smo.dll
- 2006-08-05 20:13:23 223,960 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.SmoEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.SmoEnum.dll
+ 2008-01-05 09:53:33 222,576 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.SmoEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.SmoEnum.dll
- 2006-08-05 20:13:23 895,704 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.SqlEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.SqlEnum.dll
+ 2008-01-05 09:53:34 906,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.SqlEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.SqlEnum.dll
- 2006-08-05 20:11:57 592,600 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.WizardFrameworkLite\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.WizardFrameworkLite.dll
+ 2008-01-05 09:51:54 595,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.WizardFrameworkLite\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.WizardFrameworkLite.dll
- 2006-08-05 20:13:23 43,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.WmiEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.WmiEnum.dll
+ 2008-01-05 09:53:34 46,448 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.SqlServer.WmiEnum\9.0.242.0__89845dcd8080cc91\Microsoft.SqlServer.WmiEnum.dll
+ 2008-01-05 18:32:42 249,856 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.NetEnterp#\a098a7a77ae8276a19c0982876ba70c8\Microsoft.NetEnterpriseServers.ExceptionMessageBox.ni.dll
+ 2008-01-05 18:32:46 90,112 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\2222b4e5740c814861603eee5879fda4\Microsoft.SqlServer.CustomControls.ni.dll
+ 2008-01-05 18:33:04 1,028,096 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\ca874500a43a595f9e60d4eb45e18e72\Microsoft.SqlServer.WizardFrameworkLite.ni.dll
+ 2008-01-05 18:32:52 561,152 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\d46a07c3c416719efe51faa79d2bfad3\Microsoft.SqlServer.GridControl.ni.dll
- 2007-11-07 00:54:58 77,114 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-05 09:54:10 77,114 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 00:54:58 440,676 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-05 09:54:10 440,676 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2005-10-14 10:51:01 66,264 ----a-w C:\WINDOWS\system32\sqlctr90.dll
+ 2007-02-10 13:29:52 67,952 ----a-w C:\WINDOWS\system32\sqlctr90.dll
- 2005-10-14 10:51:26 2,208,016 ----a-w C:\WINDOWS\system32\sqlncli.dll
+ 2007-02-10 13:29:52 2,234,224 ----a-w C:\WINDOWS\system32\sqlncli.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-12-26 09:21 152872]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2008-01-04 19:35 630784]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-01-04 19:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 17:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-04 19:35 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 21:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Connor Adams\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 00:12:44]
Hare.lnk - C:\Program Files\Dachshund Software\Hare\Hare.exe [2002-09-21 11:26:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-08-12 15:49:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 00000000
"DisableChangePassword"= 00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-13 09:57 221184 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

R0 Fasttrak;Fasttrak;C:\WINDOWS\system32\drivers\Fasttrak.sys [2003-04-23 10:23]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-26 08:22]
R1 FDCDNT;FDCDNT;C:\WINDOWS\system32\drivers\FDCDNT.SYS [2007-01-27 18:27]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys [2005-12-16 00:53]
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys [2005-07-19 16:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 19:22]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 aac;aac;C:\WINDOWS\system32\drivers\aac.sys [2003-12-15 21:01]
S4 aarsi3x;aarsi3x;C:\WINDOWS\system32\drivers\aarsi3x.sys [2004-11-11 17:09]
S4 hpt374;hpt374;C:\WINDOWS\system32\drivers\hpt374.sys [2003-11-12 15:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 06:10]
S4 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fe12fa2-0d50-11dc-b759-00142aecaacb}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a397a9f9-8f2a-11da-abaf-806d6172696f}]
\Shell\AutoRun\command - D:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 17:17:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 16:25:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 16:26:28
ComboFix-quarantined-files.txt 2008-01-06 00:26:08
ComboFix2.txt 2008-01-05 05:43:38
.
2008-01-05 09:59:30 --- E O F ---




New HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:29:12 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msvs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Connor Adams\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8930 bytes
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm

Re: Please take a look at my HJT log file please :]

Unread postby Scotty » January 14th, 2008, 6:53 am

Hi

I should tell you that the infection you have is a variant of Vundo that infects your startup programs, replacing good files with malware. The purpose of this is to ensure you are re-infected each time the computer is rebooted. The best way to deal with this is to hit it as quickly as possible.

We also need to get the latest version of Combofix installed. It is a regularly updated tool.


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press ctrl, alt and del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
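
Scotty's point above is that this Vundo variant swaps startup programs for malware so the machine is re-infected on every reboot. One defender-side check over a ComboFix-style file listing (attributes, size, timestamp, path, as in the listing Aspire posts later in the thread) is to flag file names that differ from a program name only by whitespace inserted before the extension, such as `daemon .exe` beside `daemon.exe`, so those pairs get reviewed. This is an added example, not code from the thread or from ComboFix; the listing lines are constructed and the grouping rule is an assumption about the naming pattern, not a definition of the malware.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout ComboFix uses for its file listing:
# attributes, size, timestamp, path. These entries are made up for the example.
SAMPLE_LISTING = r"""
----a-w           165,784 2007-12-26 17:21:18  C:\Program Files\Example\tool .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\Player\play  .exe
----a-w           286,720 2008-01-04 01:54:39  C:\Program Files\Player\play .exe
----a-w            40,048 2007-05-11 02:06:00  C:\Program Files\Reader\reader_sl.exe
"""

# One listing line: attribute flags, comma-grouped size, date and time, then
# the path (which may itself contain spaces, so it is matched lazily to the end).
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)


def parse_listing(text):
    """Parse listing lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        entries.append({
            "attrs": match["attrs"],
            "size": int(match["size"].replace(",", "")),
            "stamp": match["stamp"],
            "path": match["path"],
        })
    return entries


def padded_name(path):
    """If the file name carries whitespace before its extension ('tool .exe'),
    return (directory, canonical name) with the padding removed; otherwise None."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot or stem == stem.rstrip():
        return None
    return directory, stem.rstrip() + dot + ext


def find_lookalikes(entries):
    """Group padded-name entries under the canonical path they resemble.

    Several padded variants of the same program (e.g. 'play  .exe' and
    'play .exe') land in one group, which is the set a reviewer should compare
    against the unpadded program file on disk.
    """
    groups = defaultdict(list)
    for entry in entries:
        hit = padded_name(entry["path"])
        if hit:
            directory, canonical = hit
            groups[directory + "\\" + canonical].append(entry)
    return dict(groups)


def report(text):
    """Human-readable summary: one line per canonical path with its look-alikes."""
    lines = []
    for canonical, hits in sorted(find_lookalikes(parse_listing(text)).items()):
        names = ", ".join(repr(h["path"].rpartition("\\")[2]) for h in hits)
        lines.append(f"{canonical}: {len(hits)} padded look-alike(s): {names}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

The padded names are flagged for review only; which copy is the original and which was planted has to be confirmed against the file contents and the quarantine log, not inferred from the name.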

Re: Please take a look at my HJT log file please :]

Unread postby Aspire » January 20th, 2008, 5:56 pm

ComboFix 08-01-20.1 - Connor Adams 2008-01-20 13:26:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.635 [GMT -8:00]
Running from: C:\Documents and Settings\Connor Adams\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\PELoader.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 17:11 . 2008-01-19 17:11 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\Application Data
2008-01-19 17:11 . 2008-01-19 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Storm
2008-01-19 17:08 . 2008-01-20 13:28 <DIR> d-------- C:\Program Files\Poco2007
2008-01-19 17:08 . 2008-01-19 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\poco
2008-01-19 17:08 . 2007-09-19 11:19 503,808 --a------ C:\WINDOWS\system32\KuGoo3DownXControl.ocx
2008-01-16 17:11 . 2008-01-16 17:11 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-15 20:12 . 2008-01-20 12:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-15 20:12 . 2008-01-15 20:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-15 18:27 . 2008-01-15 18:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 19:06 . 2008-01-04 19:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 16:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-03 16:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-03 16:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-03 15:57 . 2008-01-03 16:22 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 15:52 . 2008-01-03 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-25 17:44 . 2007-12-25 17:45 <DIR> d-------- C:\Program Files\Total Video Converter
2007-12-25 17:05 . 2003-06-23 01:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-12-25 17:05 . 2003-08-29 00:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax
2007-12-25 17:05 . 2001-05-16 16:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-25 17:05 . 2001-03-26 03:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\Amadis Software
2007-12-25 16:56 . 2007-12-25 16:56 244 --ah----- C:\sqmnoopt03.sqm
2007-12-25 11:44 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-25 11:02 . 2007-12-27 12:05 <DIR> d-------- C:\Program Files\Zune
2007-12-22 14:58 . 2007-12-22 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 10:43 . 2007-12-22 10:55 188,416 --a------ C:\WINDOWS\spd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 21:29 --------- d-----w C:\Program Files\FlashGet
2008-01-20 21:12 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Launchy
2008-01-20 20:52 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DVD Flick
2008-01-20 20:50 --------- d-----w C:\Program Files\DVD Flick
2008-01-16 04:12 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:40 --------- d-----w C:\Program Files\File and Folder Protector
2008-01-05 09:58 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-05 03:11 --------- d-----w C:\Program Files\RocketDock
2008-01-04 00:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 00:39 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-03 23:54 --------- d-----w C:\Program Files\Windows Live
2007-12-27 20:05 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:03 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-26 18:16 --------- d-----w C:\Program Files\Astonsoft
2007-12-23 20:33 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\U3
2007-12-23 02:56 --------- d-----w C:\Program Files\Winamp
2007-12-22 08:31 --------- d-----w C:\Program Files\LimeWire
2007-12-17 23:14 --------- d-----w C:\Program Files\Steam
2007-12-13 03:17 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\UseNeXT
2007-12-13 03:16 --------- d-----w C:\Program Files\UseNeXT
2007-12-13 01:38 --------- d-----w C:\Program Files\iPod
2007-12-13 01:34 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-07 06:36 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\ImgBurn
2007-11-30 04:09 --------- d-----w C:\Program Files\Postal2STP
2007-11-28 06:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-28 06:44 --------- d-----w C:\Program Files\Blaze Media Pro
2007-11-28 05:56 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\dvdcss
2007-11-28 01:44 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\FinalBurner Video DVD
2007-11-14 03:41 918,045 ---ha-w C:\WINDOWS\DH Temp.tmp
2002-12-28 15:34 49,215 ----a-w C:\Program Files\Phone_ Ring.mp3
1998-10-31 00:45 199,680 ----a-w C:\Program Files\a3dapi.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
Code:
----a-w           165,784 2007-12-26 17:21:18  C:\Program Files\DAEMON Tools\daemon .exe
----a-w           949,376 2007-12-26 17:20:59  C:\Program Files\ESET\nod32kui .exe
----a-w           267,048 2007-12-26 17:21:16  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-26 17:21:16  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2007-12-26 17:22:04  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w           286,720 2008-01-04 01:54:23  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-01-04 01:54:39  C:\Program Files\QuickTime\QTTask .exe
----a-w           630,784 2008-01-04 01:59:53  C:\Program Files\RocketDock\RocketDock  .exe
----a-w           630,784 2008-01-04 02:00:07  C:\Program Files\RocketDock\RocketDock .exe
----a-w         1,460,560 2007-12-26 17:21:35  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           166,304 2007-12-26 17:21:17  C:\Program Files\Zune\ZuneLauncher .exe
----a-w            83,968 2007-12-26 17:21:40  C:\WINDOWS\ffpext\ffpsrv  .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-12-26 09:21 152872]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2008-01-04 19:35 630784]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-01-04 19:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"ffpsrv"="c:\windows\ffpext\ffpsrv.exe" [2007-02-03 01:17 83968]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 17:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-04 19:35 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 21:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Connor Adams\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 00:12:44 113664]
Hare.lnk - C:\Program Files\Dachshund Software\Hare\Hare.exe [2002-09-21 11:26:40 1874381]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-08-12 15:49:26 520192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 00000000
"DisableChangePassword"= 00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-13 09:57 221184 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 21:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-05 16:53 1266936 C:\Program Files\Steam\Steam.exe

R0 Fasttrak;Fasttrak;C:\WINDOWS\system32\drivers\Fasttrak.sys [2003-04-23 10:23]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-26 08:22]
R1 FDCDNT;FDCDNT;C:\WINDOWS\system32\drivers\FDCDNT.SYS [2007-01-27 18:27]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys [2005-12-16 00:53]
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys [2005-07-19 16:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 19:22]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 aac;aac;C:\WINDOWS\system32\drivers\aac.sys [2003-12-15 21:01]
S4 aarsi3x;aarsi3x;C:\WINDOWS\system32\drivers\aarsi3x.sys [2004-11-11 17:09]
S4 hpt374;hpt374;C:\WINDOWS\system32\drivers\hpt374.sys [2003-11-12 15:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 06:10]
S4 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a397a9f9-8f2a-11da-abaf-806d6172696f}]
\Shell\AutoRun\command - D:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 17:17:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 13:35:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 13:43:15 - machine was rebooted [Connor Adams]
ComboFix-quarantined-files.txt 2008-01-20 21:43:12
ComboFix2.txt 2008-01-06 00:26:29
.
2008-01-10 08:39:31 --- E O F ---




NEW HJT LOG

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:55:53 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\ffpext\ffpsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Connor Adams\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8477 bytes
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm

Re: Please take a look at my HJT log file please :]

Unread postby Scotty » January 21st, 2008, 12:11 pm

Hi

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Please take a look at my HJT log file please :]

Unread postby Aspire » January 22nd, 2008, 12:29 am

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm

Re: Please take a look at my HJT log file please :]

Unread postby Scotty » January 22nd, 2008, 4:31 pm

Hi

Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to re-enable the anti-virus before reconnecting to the Internet.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
RenV::
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\ESET\nod32kui .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\QuickTime\QTTask  .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\RocketDock\RocketDock  .exe
C:\Program Files\RocketDock\RocketDock .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Zune\ZuneLauncher .exe
C:\WINDOWS\ffpext\ffpsrv  .exe
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
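The CFScript in the post above lists executables whose names carry a space before the extension (daemon .exe, QTTask  .exe). As an added triage example, not part of this thread and not ComboFix's own code, the Python script below walks a directory tree for that naming pattern and reports whether a same-named file without the space sits beside it; the folder layout it scans is constructed in a temporary directory purely for the demonstration.

```python
"""Flag program files whose name carries a space before the extension.

Added example (not from the thread or from ComboFix): scan a directory tree
for names such as "daemon .exe" and report whether a same-named file without
the space ("daemon.exe") sits beside it.  All paths and sample files below
are constructed for the demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches "name<one or more spaces>.ext" where ext is a program extension.
SPACED_EXT = re.compile(r"^(?P<stem>.+?) +\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE)


def find_spaced_names(root):
    """Walk `root`; return a sorted list of dicts, one per "name .ext" file.

    Each dict records the suspect path, the path it would normally have
    (spaces removed), whether that twin exists, and whether the sizes differ.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SPACED_EXT.match(name)
            if not m:
                continue
            suspect = Path(dirpath) / name
            twin = Path(dirpath) / f"{m['stem']}.{m['ext']}"
            present = twin.exists()
            hits.append({
                "suspect": str(suspect),
                "twin": str(twin),
                "twin_present": present,
                "size_differs": present and twin.stat().st_size != suspect.stat().st_size,
            })
    return sorted(hits, key=lambda h: h["suspect"])


def build_sample_tree():
    """Create a throwaway tree mimicking the layout in the CFScript (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    layout = {
        "DAEMON Tools/daemon .exe": b"ORIGINAL-PROGRAM" * 64,  # displaced original
        "DAEMON Tools/daemon.exe": b"INJECTED" * 8,            # smaller twin under the real name
        "QuickTime/QTTask  .exe": b"ORIGINAL-PROGRAM" * 64,    # two spaces, no twin present
        "Zune/ZuneLauncher.exe": b"ORIGINAL-PROGRAM" * 64,     # clean name, must not be flagged
        "Zune/readme .txt": b"notes",                           # spaced name but not a program
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the sample tree, scan it, print one line per hit, return the hits."""
    root = build_sample_tree()
    hits = find_spaced_names(root)
    for h in hits:
        status = "twin present" if h["twin_present"] else "no twin"
        if h["size_differs"]:
            status += ", sizes differ"
        print(f"{h['suspect']}  ->  {h['twin']}  [{status}]")
    return hits


if __name__ == "__main__":
    demo()
```

Run it against a real Program Files tree by calling find_spaced_names on that path instead of the constructed one; a hit whose twin is present and smaller is the one worth examining first.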

Re: Please take a look at my HJT log file please :]

Unread postby Aspire » January 22nd, 2008, 10:22 pm

combofix:



ComboFix 08-01-20.1 - Connor Adams 2008-01-22 16:26:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.622 [GMT -8:00]
Running from: C:\Documents and Settings\Connor Adams\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Connor Adams\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 16:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 20:25 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-21 20:25 . 2007-12-18 15:27 211 --a------ C:\Boot.bak
2008-01-21 15:41 . 2008-01-21 15:41 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\Screaming Bee
2008-01-21 15:32 . 2008-01-21 15:32 <DIR> d-------- C:\Program Files\Common Files\Screaming Bee
2008-01-21 15:30 . 2008-01-21 15:36 <DIR> d-------- C:\Program Files\Screaming Bee
2008-01-20 19:40 . 2008-01-20 19:41 <DIR> d-------- C:\Program Files\DVD Flick
2008-01-20 19:02 . 2008-01-20 20:18 <DIR> d-------- C:\Downloads
2008-01-19 17:11 . 2008-01-19 17:11 <DIR> d-------- C:\Documents and Settings\Connor Adams\Application Data\Application Data
2008-01-19 17:11 . 2008-01-19 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Storm
2008-01-19 17:08 . 2008-01-20 13:28 <DIR> d-------- C:\Program Files\Poco2007
2008-01-19 17:08 . 2008-01-19 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\poco
2008-01-19 17:08 . 2007-09-19 11:19 503,808 --a------ C:\WINDOWS\system32\KuGoo3DownXControl.ocx
2008-01-16 17:11 . 2008-01-16 17:11 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-15 20:12 . 2008-01-22 16:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-15 20:12 . 2008-01-15 20:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-15 18:27 . 2008-01-15 18:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 19:06 . 2008-01-04 19:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-03 16:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-03 16:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-03 16:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-03 15:57 . 2008-01-03 16:22 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-03 15:52 . 2008-01-03 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-25 17:44 . 2007-12-25 17:45 <DIR> d-------- C:\Program Files\Total Video Converter
2007-12-25 17:05 . 2003-06-23 01:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-12-25 17:05 . 2003-08-29 00:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax
2007-12-25 17:05 . 2001-05-16 16:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-25 17:05 . 2001-03-26 03:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\Amadis Software
2007-12-25 16:56 . 2007-12-25 16:56 244 --ah----- C:\sqmnoopt03.sqm
2007-12-25 11:44 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 11:04 . 2007-12-25 11:04 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-25 11:02 . 2008-01-22 16:26 <DIR> d-------- C:\Program Files\Zune

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:28 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\Launchy
2008-01-23 00:26 --------- d-----w C:\Program Files\RocketDock
2008-01-23 00:26 --------- d-----w C:\Program Files\QuickTime
2008-01-23 00:26 --------- d-----w C:\Program Files\MSN Messenger
2008-01-23 00:26 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:25 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-22 02:01 --------- d-----w C:\Program Files\FlashGet
2008-01-21 07:02 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\DVD Flick
2008-01-21 06:12 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\ImgBurn
2008-01-21 00:32 --------- d-----w C:\Program Files\World of Warcraft
2008-01-13 17:40 --------- d-----w C:\Program Files\File and Folder Protector
2008-01-05 09:58 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-04 00:39 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-03 23:54 --------- d-----w C:\Program Files\Windows Live
2007-12-26 18:16 --------- d-----w C:\Program Files\Astonsoft
2007-12-23 20:33 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\U3
2007-12-23 02:56 --------- d-----w C:\Program Files\Winamp
2007-12-23 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 18:55 188,416 ----a-w C:\WINDOWS\spd.exe
2007-12-22 08:31 --------- d-----w C:\Program Files\LimeWire
2007-12-17 23:14 --------- d-----w C:\Program Files\Steam
2007-12-13 03:17 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\UseNeXT
2007-12-13 03:16 --------- d-----w C:\Program Files\UseNeXT
2007-12-13 01:38 --------- d-----w C:\Program Files\iPod
2007-12-13 01:34 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-30 04:09 --------- d-----w C:\Program Files\Postal2STP
2007-11-28 06:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-28 06:44 --------- d-----w C:\Program Files\Blaze Media Pro
2007-11-28 05:56 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\dvdcss
2007-11-28 01:44 --------- d-----w C:\Documents and Settings\Connor Adams\Application Data\FinalBurner Video DVD
2007-11-14 03:41 918,045 ---ha-w C:\WINDOWS\DH Temp.tmp
2002-12-28 15:34 49,215 ----a-w C:\Program Files\Phone_ Ring.mp3
1998-10-31 00:45 199,680 ----a-w C:\Program Files\a3dapi.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_13.42.57.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 21:25:49 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 00:25:38 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 21:25:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 00:25:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 21:25:49 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 00:25:38 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 21:25:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 00:25:39 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 21:25:49 8,839,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-23 00:25:39 8,839,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 21:25:49 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 00:25:39 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-02-03 09:17:28 83,968 ----a-w C:\WINDOWS\ffpext\ffpsrv.exe
+ 2007-12-26 17:21:40 83,968 ----a-w C:\WINDOWS\ffpext\ffpsrv.exe
- 2004-08-04 06:08:00 60,288 -c--a-w C:\WINDOWS\system32\dllcache\drmk.sys
+ 2004-08-04 07:08:00 60,288 -c--a-w C:\WINDOWS\system32\dllcache\drmk.sys
- 2004-08-04 06:15:22 140,928 -c--a-w C:\WINDOWS\system32\dllcache\ks.sys
+ 2004-08-04 07:15:22 140,928 -c--a-w C:\WINDOWS\system32\dllcache\ks.sys
- 2004-08-04 06:15:50 145,792 -c--a-w C:\WINDOWS\system32\dllcache\portcls.sys
+ 2004-08-04 07:15:50 145,792 -c--a-w C:\WINDOWS\system32\dllcache\portcls.sys
- 2004-08-04 06:08:04 48,640 -c--a-w C:\WINDOWS\system32\dllcache\stream.sys
+ 2004-08-04 07:08:04 48,640 -c--a-w C:\WINDOWS\system32\dllcache\stream.sys
- 2004-08-04 06:08:00 60,288 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
+ 2004-08-04 07:08:00 60,288 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
- 2004-08-04 06:15:22 140,928 ----a-w C:\WINDOWS\system32\drivers\ks.sys
+ 2004-08-04 07:15:22 140,928 ----a-w C:\WINDOWS\system32\drivers\ks.sys
- 2004-08-04 06:15:50 145,792 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
+ 2004-08-04 07:15:50 145,792 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
+ 2006-09-28 19:20:16 21,920 ----a-w C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
- 2004-08-04 06:08:04 48,640 ----a-w C:\WINDOWS\system32\drivers\stream.sys
+ 2004-08-04 07:08:04 48,640 ----a-w C:\WINDOWS\system32\drivers\stream.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-12-26 09:21 152872]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-26 09:21 165784]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2008-01-03 18:00 630784]
"Aim6"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-01-04 19:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"ffpsrv"="c:\windows\ffpext\ffpsrv.exe" [2007-12-26 09:21 83968]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-26 09:21 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 17:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-04 19:35 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 21:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Connor Adams\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 00:12:44 113664]
Hare.lnk - C:\Program Files\Dachshund Software\Hare\Hare.exe [2002-09-21 11:26:40 1874381]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-08-12 15:49:26 520192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 00000000
"DisableChangePassword"= 00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-13 09:57 221184 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 21:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-12-26 09:22 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-05 16:53 1266936 C:\Program Files\Steam\Steam.exe

R0 Fasttrak;Fasttrak;C:\WINDOWS\system32\drivers\Fasttrak.sys [2003-04-23 10:23]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-26 08:22]
R1 FDCDNT;FDCDNT;C:\WINDOWS\system32\drivers\FDCDNT.SYS [2007-01-27 18:27]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2006-09-28 11:20]
S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys [2005-12-16 00:53]
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys [2005-07-19 16:23]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 19:22]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 aac;aac;C:\WINDOWS\system32\drivers\aac.sys [2003-12-15 21:01]
S4 aarsi3x;aarsi3x;C:\WINDOWS\system32\drivers\aarsi3x.sys [2004-11-11 17:09]
S4 hpt374;hpt374;C:\WINDOWS\system32\drivers\hpt374.sys [2003-11-12 15:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 06:10]
S4 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a397a9f9-8f2a-11da-abaf-806d6172696f}]
\Shell\AutoRun\command - D:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 17:17:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 16:35:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 16:42:01 - machine was rebooted [Connor Adams]
ComboFix-quarantined-files.txt 2008-01-23 00:41:58
ComboFix2.txt 2008-01-20 21:43:15
ComboFix3.txt 2008-01-06 00:26:29
.
2008-01-10 08:39:31 --- E O F ---





new HJT log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:22:15 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\ffpext\ffpsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Connor Adams\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9171 bytes

Oh, and do you mind filling me in on what's happening with all these repetitive scans and what exactly the CFS scripts are?
Aspire
Active Member
 
Posts: 7
Joined: January 3rd, 2008, 2:26 pm
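As an added example that is not part of the thread (the regexes, sample lines and heuristics are my own construction, and the DPF URL is a placeholder because the real one is truncated in the log), here is a small Python script that parses HijackThis entry lines like the ones above and flags the three things a helper usually checks first: entries whose target file is missing, O23 services with no vendor information, and O16 downloaded ActiveX controls.

```python
import re

# Constructed HijackThis-style lines for the demo; the CLSIDs and paths mirror
# the log format, the DPF URL is a placeholder (the real one is truncated).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://example.invalid/placeholder.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 9171 bytes
"""

# Every HJT entry line starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Return (section, body) for every entry line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def parse_service(body):
    """Split an O23 body 'Service: Name - Owner - Path' into its three fields.
    Splits from the right so a ' - ' inside the display name survives
    (assumes the path itself contains no ' - ')."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    return dict(zip(("name", "owner", "path"), parts)) if len(parts) == 3 else None

def triage(text):
    """Apply the review heuristics a helper checks first; return (section, reason, body)."""
    findings = []
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append((section, "orphaned entry", body))
        if section == "O23":
            svc = parse_service(body)
            if svc and svc["owner"] == "Unknown owner":
                findings.append((section, "service without vendor info", body))
        if section == "O16":
            findings.append((section, "downloaded ActiveX control", body))
    return findings
```

Calling `triage(SAMPLE_LOG)` on the constructed sample returns three findings (the orphaned O9 entry, the O16 control and the "Unknown owner" O23 service); an "Unknown owner" service is not proof of anything bad, only a prompt to check the file's publisher.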

Re: Please take a look at my HJT log file please :]

Unread postby Scotty » January 23rd, 2008, 4:37 pm

Hello

I know it seems like we are repeating scans but the infection you had was quite a tough one and those scripts are what we are removing from the computer. With force. ;)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK.
  • Now, under Select a target to scan, select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log, please.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Please take a look at my HJT log file please :]

Unread postby ping » January 28th, 2008, 1:55 pm

Thanks from Germany too. Found Trojan.Vundo.DWR on my PC today via BD10 (with the locked opnllmk.dll). BD10 couldn't remove it: no deleting, couldn't put it in quarantine -> NOTHING.

Your tutorial really helped me; my machine is clean now.
ping
Active Member
 
Posts: 1
Joined: January 28th, 2008, 1:44 pm