Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijackthis log. Is there malware on my system?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijackthis log. Is there malware on my system?

Unread postby MacacaFascicula » August 7th, 2008, 9:01 am

Hello,
I'm having few issues with my windows xp pro, which lead me to this forum.

1)My explorer.exe shuts down randomly. Sometimes it will restart itself.
2) I am unable to use windows update. When I try to enable automatic update in services, it disables itself.

I have ran VundoFix.exe. It found and fixed 19 files. However, I'm continuing to have the same issues.

I have a PowerSepc 9262:
Intel® Pentium® 4 Processor 550 with HT Technology
Microsoft® Windows® XP Professional Edition
Intel® D915PGN
2.87 GB PC3200 SDRAM 184-pin DIMMs
Nvidea GeForce 8600GT

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:30 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Marten\Application Data\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {25B11C02-C00B-4EB5-B24A-FA23C9234274} - C:\WINDOWS\system32\awtRHwxy.dll
O2 - BHO: (no name) - {27AF7590-1035-464C-A2BB-2FA3B8D3AC7B} - C:\Documents and Settings\Marten\Local Settings\Temporary Internet Files\Content.IE5\0RSZHUD0\3077ahntdksr[1].dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {99972D1B-964E-49EC-92F4-1EB39F4810A5} - C:\WINDOWS\system32\ddcBsstU.dll (file missing)
O2 - BHO: (no name) - {A86A87D3-FFEC-4656-BB08-A132C92604DE} - (no file)
O2 - BHO: {0820865c-6225-0329-cf14-8ae37f29310b} - {b01392f7-3ea8-41fc-9230-5226c5680280} - C:\WINDOWS\system32\odyqok.dll (file missing)
O2 - BHO: (no name) - {EB757622-6A08-41F6-98D5-96FF490F01A2} - C:\WINDOWS\system32\eqfcdndn.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMdf6e7feb] Rundll32.exe "C:\WINDOWS\system32\nodffche.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.ak3.xpert.adecco.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O20 - Winlogon Notify: ddcBsstU - ddcBsstU.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O24 - Desktop Component 0: (no name) - http://images.vinylpulse.com/vp_pics/re ... emon_b.jpg
O24 - Desktop Component 1: (no name) - http://ic3.deviantart.com/fs15/i/2006/3 ... zkexis.jpg

--
End of file - 9452 bytes


Thank you.
MacacaFascicula
Regular Member
 
Posts: 22
Joined: August 7th, 2008, 8:38 am
Advertisement
Register to Remove

Re: Hijackthis log. Is there malware on my system?

Unread postby mz30 » August 7th, 2008, 10:25 am

Hi
I'm Mz30
I will be helping you with your malware issue's.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you, must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

  • The fixes i post, are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean,as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page. In case you need it as reference.
  • Please remember that all the staff here are volunteers and help in our free time and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless i ask,This includes running any sort of anti-virus/spyware programs as they may make thing's harder to remove.
User avatar
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Hijackthis log. Is there malware on my system?

Unread postby MacacaFascicula » August 7th, 2008, 12:41 pm

Hello Mz30,

Thank you for the reply, looking forward for your instructions!

-Macaca
MacacaFascicula
Regular Member
 
Posts: 22
Joined: August 7th, 2008, 8:38 am

Re: Hijackthis log. Is there malware on my system?

Unread postby mz30 » August 8th, 2008, 9:46 am

Hi MacacaFascicula,
Just before we start any fixes could you please let me know, if you have installed these two desktops:

http://images.vinylpulse.com/vp_pics/re ... emon_b.jpg
http://ic3.deviantart.com/fs15/i/2006/3 ... zkexis.jpg


If not please follow the below instructions:


Go to start > control panel > Display (Display properties) > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")



-----------------------------------------------
You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use), from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

----------------------------------------------------



Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
    The ones that need to be closed/disabled are:
    SPYBOT
    Whichever anti-virus you choose to download

  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
User avatar
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Hijackthis log. Is there malware on my system?

Unread postby MacacaFascicula » August 9th, 2008, 8:33 pm

Hello,

Sorry for such a late reply, however I was unable to use my computer for sometime. I have been having other issues after downloading Avira Antivir.

-I did as you asked. I deleted the two .jpg files.
-downloaded Avira Antivir
-downloaded Combofix.exe

I was getting this pop up from Avira saying:

C:\windows\system32\qlwtycxf.dll
Is the TR\Vundo.Gen Trojan

And it would give me options to Move to quarantine, delete, rename, deny access or ignore. So I picked delete and another pop up would pop up. Giving me the same message and options, I picked delete and another popup of the same kind. It was doing this non stop last night, I sat there and hit delete for 10mins or longer. Finally it wouldn’t let me do anything, it would make this beeping noise and that pop up would be on screen and soon my screen would flood with them.

I went into msconfig and disabled qlwtycxf.dll (in safe mode) and it seems to keep those popups away and I am able to be on my computer. However, if I try to run combofix it comes up again. I ignored it and let combofix run for a while, it said Completed Stage_7 and then it didn’t seem to be doing anything after that.

I also followed your link to see how to disable anti software programs. I am unable to do that because I do not see the icon in my system tray. I went into task manger and it says it’s running avguard.exe and I am unable to end that process. Says “access is denied” but I am on a admin account (I am the admin).

In conclusion, I need a way to turn off the anti software so I can run combofix (I think). Downloading Antivir just made things more difficult. I can’t uninstall it, I do not see it in my add/remove programs. I’m thinking maybe I can do a system restore and then try to run combofix?

this is fun =)
MacacaFascicula
Regular Member
 
Posts: 22
Joined: August 7th, 2008, 8:38 am

Re: Hijackthis log. Is there malware on my system?

Unread postby MacacaFascicula » August 9th, 2008, 8:58 pm

Correction:

I just found avira and uninstalled it. Following the guide to combofix now. will post logs.
MacacaFascicula
Regular Member
 
Posts: 22
Joined: August 7th, 2008, 8:38 am

Re: Hijackthis log. Is there malware on my system?

Unread postby MacacaFascicula » August 9th, 2008, 9:29 pm

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:45 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.ak3.xpert.adecco.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

--
End of file - 7469 bytes



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Combofix Log:

ComboFix 08-08-09.03 - Marten 2008-08-09 21:08:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2527 [GMT -4:00]
Running from: C:\Documents and Settings\Marten\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Marten\Application Data\inst.exe
C:\Documents and Settings\Marten\Application Data\macromedia\Flash Player\#SharedObjects\8WGC56CG\interclick.com
C:\Documents and Settings\Marten\Application Data\macromedia\Flash Player\#SharedObjects\8WGC56CG\interclick.com\ud.sol
C:\Documents and Settings\Marten\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Marten\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\activator_info.txt
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\Logs\Activate.log
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\Marten\Application Data\WinAntiVirus Pro 2006\PGE.dat
C:\WINDOWS\BMdf6e7feb.txt
C:\WINDOWS\BMdf6e7feb.xml
C:\WINDOWS\system32\bqgtltwe.dll
C:\WINDOWS\system32\ccqigs.dll
C:\WINDOWS\system32\cgitlx.dll
C:\WINDOWS\system32\cppegiig.dll
C:\WINDOWS\system32\csfxsgvs.dll
C:\WINDOWS\system32\dadbmxwv.ini
C:\WINDOWS\system32\dexnka.dll
C:\WINDOWS\system32\diqsnqud.dll
C:\WINDOWS\system32\djgqaw.dll
C:\WINDOWS\system32\dyisgneq.ini
C:\WINDOWS\system32\enryxqpq.ini
C:\WINDOWS\system32\fanexqtv.dll
C:\WINDOWS\system32\fkowthtn.dll
C:\WINDOWS\system32\fpbbpfka.ini
C:\WINDOWS\system32\ftcnnh.dll
C:\WINDOWS\system32\fxcytwlq.ini
C:\WINDOWS\system32\gdsemvsu.dll
C:\WINDOWS\system32\glgdghap.ini
C:\WINDOWS\system32\goxvcfvn.dll
C:\WINDOWS\system32\gsvklynt.dll
C:\WINDOWS\system32\guxwgfhb.dll
C:\WINDOWS\system32\hekxza.dll
C:\WINDOWS\system32\hkkpkekm.dll
C:\WINDOWS\system32\hlywjfax.dll
C:\WINDOWS\system32\hsvtcovd.ini
C:\WINDOWS\system32\hvnumtvm.ini
C:\WINDOWS\system32\jkdkof.dll
C:\WINDOWS\system32\jorgxtac.ini
C:\WINDOWS\system32\jsenckuo.dll
C:\WINDOWS\system32\ktqklb.dll
C:\WINDOWS\system32\kxgpaodc.dll
C:\WINDOWS\system32\kxnjioer.ini
C:\WINDOWS\system32\ljrxcdnu.ini
C:\WINDOWS\system32\lsqevp.dll
C:\WINDOWS\system32\mqoaurgy.ini
C:\WINDOWS\system32\mvtmunvh.dll
C:\WINDOWS\system32\npybfkpo.dll
C:\WINDOWS\system32\nveliweu.ini
C:\WINDOWS\system32\nywpxqoi.ini
C:\WINDOWS\system32\oeuigbbd.dll
C:\WINDOWS\system32\olmxvwnb.ini
C:\WINDOWS\system32\ommsgror.dll
C:\WINDOWS\system32\oubvpgax.ini
C:\WINDOWS\system32\ovutzb.dll
C:\WINDOWS\system32\pxrfos.dll
C:\WINDOWS\system32\qmfpmgxx.dll
C:\WINDOWS\system32\qpqxyrne.dll
C:\WINDOWS\system32\qtvobmna.ini
C:\WINDOWS\system32\reeerh.dll
C:\WINDOWS\system32\rgihsn.dll
C:\WINDOWS\system32\snjytkws.dll
C:\WINDOWS\system32\srugrv.dll
C:\WINDOWS\system32\tdmiaewy.ini
C:\WINDOWS\system32\uoukqumk.dll
C:\WINDOWS\system32\vamxnndb.dll
C:\WINDOWS\system32\vbthuysm.dll
C:\WINDOWS\system32\vfymnlha.dll
C:\WINDOWS\system32\vrlbscnd.dll
C:\WINDOWS\system32\xkgdlb.dll
C:\WINDOWS\system32\yjxulbbh.ini
C:\WINDOWS\system32\ykqxseye.dll
C:\WINDOWS\system32\yrkgljve.dll
C:\WINDOWS\system32\yxwHRtwa.ini
C:\WINDOWS\system32\yxwHRtwa.ini2
C:\WINDOWS\system32\zdplog.dll
.
---- Previous Run -------
.
C:\Program Files\Common Files\winantivirus pro 2006
C:\Program Files\Common Files\winantivirus pro 2006\wa6pinst.exe
C:\Program Files\Common Files\winantivirus pro 2006\WAPPChk.dll
C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Service_FOPN


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-08 23:35 . 2008-08-08 23:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-08 17:36 . 2008-08-08 17:36 2,048 --a------ C:\WINDOWS\system32\vavebjjd.exe
2008-08-07 10:18 . 2008-08-07 10:18 2,048 --a------ C:\WINDOWS\system32\ykqwejab.exe
2008-08-07 08:16 . 2008-08-07 08:16 2,048 --a------ C:\WINDOWS\system32\kgdjcrfe.exe
2008-08-05 17:01 . 2008-08-07 09:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-05 17:01 . 2008-08-05 17:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-04 21:59 . 2008-08-04 21:59 2,048 --a------ C:\WINDOWS\system32\cjlgoilk.exe
2008-07-31 10:47 . 2008-08-01 20:01 810 --ahs---- C:\WINDOWS\system32\womutjjj.ini
2008-07-31 00:45 . 2008-07-31 00:45 <DIR> d-------- C:\Documents and Settings\Marten\DoctorWeb
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 02:09 . 2008-07-14 02:09 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-12 19:59 . 2008-07-12 19:59 <DIR> d-------- C:\Program Files\Veoh Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 00:43 --------- d-----w C:\Documents and Settings\Marten\Application Data\MxBoost
2008-08-09 23:39 --------- d-----w C:\Program Files\AviSynth 2.5
2008-08-07 20:40 --------- d-----w C:\Documents and Settings\Marten\Application Data\dvdcss
2008-08-06 02:30 --------- d-----w C:\Program Files\Trillian
2008-08-04 14:18 --------- d-----w C:\Documents and Settings\Marten\Application Data\Maxthon2
2008-07-13 00:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-08 12:35 --------- d-----w C:\Documents and Settings\Marten\Application Data\uTorrent
2008-07-07 22:28 --------- d-----w C:\Documents and Settings\Marten\Application Data\nView_Wallpaper
2008-07-07 21:52 --------- d-----w C:\Program Files\Ventrilo
2008-07-07 21:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinSoftware
2008-07-02 22:27 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-02 22:27 47,360 ----a-w C:\Documents and Settings\Marten\Application Data\pcouffin.sys
2008-07-02 22:27 --------- d-----w C:\Program Files\DVDFab 5
2008-07-02 22:27 --------- d-----w C:\Documents and Settings\Marten\Application Data\Vso
2008-07-02 22:25 --------- d-----w C:\Documents and Settings\Marten\Application Data\RipIt4Me
2008-06-22 12:09 --------- d-----w C:\Program Files\eMule
2008-06-22 00:43 --------- d-----w C:\Documents and Settings\Marten\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 02:24 81 ----a-w C:\CTX.DAT
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 20:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-10 20:42 --------- d-----w C:\Program Files\RegCleaner
2005-12-21 13:48 2,248 -c--a-w C:\Documents and Settings\Marten\Application Data\wklnhst.dat
2005-12-12 02:33 89,800 -c--a-w C:\Documents and Settings\Marten\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 06:47 299520]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=C:\WINDOWS\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marten^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Marten\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 21:30 1191936 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-05-19 10:57 1400832 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 10:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a--c--- 2003-05-26 23:00 99840 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-04 01:31 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a--c--- 2005-12-04 16:38 437008 C:\Program Files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a--c--- 2003-08-19 06:43 57344 C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
--a------ 2003-08-18 10:32 174592 C:\WINDOWS\system32\LEXPPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
--a--c--- 2007-01-26 14:31 259440 C:\Program Files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a--c--- 2004-08-04 01:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 22:46 13529088 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 22:46 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a--c--- 2006-03-21 14:19 69632 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a--c--- 2004-08-04 01:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a--c--- 2004-08-04 01:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2006-05-20 06:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra--c--- 2003-09-30 01:14 155648 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a--c--- 2007-07-27 01:22 1258744 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-05 15:01 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
--a--c--- 2007-01-11 11:18 5288960 C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a--c--- 2005-05-03 18:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2005-09-21 15:32 2807808 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a--c--- 2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2005-09-21 10:24 86016 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR3\\sandra.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR3\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR3\\RpcDataSrv.exe"=
"D:\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=
"C:\\StubInstaller.exe"=
"D:\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\Marten\\Application Data\\Maxthon2\\Maxthon.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 21:22]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 21:23]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-14 00:07]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaba4e5a-0366-11dc-bcfc-0011113ff874}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3da53ac-4fe0-11dc-bd7c-0011113ff874}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe [2005-05-27 14:22]

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\SpybotSD.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{27AF7590-1035-464C-A2BB-2FA3B8D3AC7B} - C:\Documents and Settings\Marten\Local Settings\Temporary Internet Files\Content.IE5\0RSZHUD0\3077ahntdksr[1].dll
BHO-{3F63632A-EF8E-4E26-85CA-72C9EB35F785} - C:\WINDOWS\system32\awtRHwxy.dll
BHO-{99972D1B-964E-49EC-92F4-1EB39F4810A5} - C:\WINDOWS\system32\ddcBsstU.dll
BHO-{EB757622-6A08-41F6-98D5-96FF490F01A2} - C:\WINDOWS\system32\eqfcdndn.dll
Notify-ddcBsstU - ddcBsstU.dll
MSConfigStartUp-aimbooksoftwareremote - C:\Documents and Settings\All Users\Application Data\Cakedriveaimbook\army cast.exe
MSConfigStartUp-avgnt - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BMdf6e7feb - C:\WINDOWS\system32\hpkfygmo.dll
MSConfigStartUp-dc5d4c77 - C:\WINDOWS\system32\qlwtycxf.dll
MSConfigStartUp-logeq - C:\DOCUME~1\Marten\APPLIC~1\BEEPFR~1\manager gpl fast.exe
MSConfigStartUp-New - C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
MSConfigStartUp-RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-WinAntiVirusPro2006 - C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
MSConfigStartUp-Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Marten\Application Data\Mozilla\Firefox\Profiles\rcvg7l1a.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 21:14:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2008-08-09 21:25:12 - machine was rebooted [Marten]
ComboFix-quarantined-files.txt 2008-08-10 01:24:59

Pre-Run: 3,354,398,720 bytes free
Post-Run: 3,406,032,896 bytes free

340 --- E O F --- 2008-07-14 06:10:03
MacacaFascicula
Regular Member
 
Posts: 22
Joined: August 7th, 2008, 8:38 am

Re: Hijackthis log. Is there malware on my system?

Unread postby mz30 » August 11th, 2008, 9:09 am

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent
E-mule


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Post back a new HijackThis, so we can continue cleaning your pc.
User avatar
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Hijackthis log. Is there malware on my system?

Unread postby Vino Rosso » August 16th, 2008, 8:07 am

Due to the lack of a response, this topic is now closed.

Note: If it has been five days or more since your last post and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

Important! Do NOT be tempted to use any tools that your helper had you download. Incorrect use of such tools may see your computer become an expensive paperweight.

You can help support this site from this link: >Donations For Malware Removal<

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 307 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware