Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

VIRUS ALERT! next to clock, some programs have disappeared..

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 6th, 2008, 4:35 pm

Hi, I'm new and have major problems, After the "alert" I ran AdAware and scanned via Zonealarm, which removed both a couple of Trojans, but......
As before! Same problems, is there anyone able to help me? Would Combofix do something? I just don't know and am reading myself into this.....
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34: VIRUS ALERT!, on 06/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\unknown\Desktop\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: CodecPlugin Class - {5a4ab887-fbf2-489e-98e6-88e58176d142} - C:\WINDOWS\system32\CodecBHO.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O2 - BHO: QXK Olive - {68E6FC8D-5DCC-4860-A14C-4B4D8651AB6B} - C:\WINDOWS\vanwxemgsal.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Explorer.Authenticate.AddIn - {CBD5C920-E16D-11D8-BE6C-80CE61C19600} - C:\WINDOWS\system32\msnovwin.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O3 - Toolbar: gksraemq - {DA708AB1-837F-4230-B4E9-92E98A2CEB06} - C:\WINDOWS\gksraemq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {00E1C63A-1060-4EED-928B-2EF2E265D352} (MJPEGRender Control) - http://mcdonaldcastlehotel.remotemanage ... Render.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.airport-nuernberg.de/_/tools ... ontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B73BC7C7-858B-49FA-BBDB-74DD77D1D9F3} ({B73BC7C7-858B-49FA-BBDB-74DD77D1D9F3}) - http://camz.tintel.nl/installcab.php
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tesco//ap ... loader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WebViewCheck - {CBD5C920-E16D-11D8-BE6C-80CE61C19600} - C:\WINDOWS\system32\msnovwin.dll
O21 - SSODL: xrdwbfgn - {DAC1949D-685E-4DCC-8BB9-2F9F05F11525} - C:\WINDOWS\xrdwbfgn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9781 bytes
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top
Advertisement
Register to Remove

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby km2357 » September 7th, 2008, 2:37 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3206
Joined: January 30th, 2007, 2:48 pm
Location: California
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby km2357 » September 7th, 2008, 2:45 pm

Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

Uninstall List
C:\ComboFix.txt
New HijackThis log.


Use multiple posts if you can't fit everything into one post.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3206
Joined: January 30th, 2007, 2:48 pm
Location: California
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 7th, 2008, 5:56 pm

Hi km2357!
Great of you that you want to help me! Cheers for that.
uninstall_list:
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon SELPHY CP520
Canon Utilities Easy-PhotoPrint
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Cave Rescue
ConvertXtoDVD 2.2.3.258h
Darkened Skye
Digital Camera Driver
Digital Ear
Disc2Phone
DSA Car & ADI Theory Test
DVDXCopy Xpress 2.5.2
Easy CD & DVD Creator 6
Easy Computing's Grote Encyclopedie 2000
Finale 2004
FXCM Trading Station II
GameSpy Arcade
Google Earth
Google Video Player
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_09
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Magic Online
Magic Workstation 0.94f
Majesty Gold
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft AutoRoute v11.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Enzyklopädie 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Foto Premium 9
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite-Add-Ins für Microsoft Word
Motorola Phone Tools
Mozilla Firefox (3.0.1)
MSN
MSXML 4.0 SP2 (KB936181)
MT882
Myst Masterpiece Edition
Nero Suite
Netscape Navigator (9.0.0.6)
NVIDIA Drivers
OpenOffice.org 2.4
PC Tune-Up
Perfect Uninstaller v6.1
Picasa 2
PowerDVD
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Setup-Start von Microsoft Works 2004
Shockwave
Sibelius Scorch (ActiveX Only)
Skype™ 3.8
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Soundflavor DJ 1.30
Steinberg Cubase SX
Syncrosoft's Protection Device Driver Package
Tesco Picture Suite
TRUST 120 SPACEC@M
Universal SCSI Controller
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
VIA Audio Driver Setup Program
Website Builder 7.6
WebVideo Support
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 Beta 2
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm Security Suite
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 7th, 2008, 6:43 pm

ComboFix 08-09-05.03 - unknown 2008-09-07 23:15:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.570 [GMT 1:00]
Running from: C:\Documents and Settings\unknown\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\unknown\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.url
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and Conditions.url
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.url
C:\Documents and Settings\unknown\Application Data\inst.exe
C:\Documents and Settings\unknown\Favorites\Error Cleaner.url
C:\Documents and Settings\unknown\Favorites\Privacy Protector.url
C:\Documents and Settings\unknown\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\unknown\Local Settings\Application Data\kewis.dat
C:\Documents and Settings\unknown\Local Settings\Application Data\kewis_nav.dat
C:\Documents and Settings\unknown\Local Settings\Application Data\kewis_navps.dat
C:\Program Files\RichVideoCodec
C:\Program Files\webmediaplayer
C:\Program Files\webmediaplayer\resources\languages_v2.xml
C:\Program Files\webmediaplayer\resources\webmedias
C:\Program Files\webmediaplayer\skins\classic.skn
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\elbf.exe
C:\WINDOWS\gksraemq.dll
C:\WINDOWS\msn.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\secure32.html
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\vanwxemgsal.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 20:28 . 2008-09-07 20:28 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-09-07 20:28 . 2008-09-07 20:28 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\skypePM
2008-09-07 20:28 . 2008-09-07 20:28 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-09-07 13:58 . 2008-09-07 13:58 <DIR> d--hs---- C:\Documents and Settings\unknown\PrivacIE
2008-09-07 08:47 . 2008-09-07 08:47 <DIR> d-------- C:\d8e23c8845dfe8f93f
2008-09-06 23:01 . 2008-09-06 23:07 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-06 14:45 . 2008-09-06 14:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-06 14:40 . 2008-09-07 23:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-06 14:40 . 2008-09-06 14:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-06 14:33 . 2008-09-03 05:41 <DIR> d-------- C:\SDFix
2008-09-05 23:20 . 2008-09-05 23:20 <DIR> d-------- C:\Program Files\fixpolicies
2008-09-05 18:14 . 2008-09-05 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-05 18:14 . 2008-09-05 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-05 02:02 . 2006-10-27 16:07 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-09-05 01:14 . 2008-09-05 01:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\alot
2008-09-05 00:58 . 2008-09-05 01:04 <DIR> d-------- C:\Program Files\Perfect Uninstaller
2008-09-05 00:58 . 2008-09-05 00:58 42 --a------ C:\WINDOWS\system32\AK083E209605E394C.lie
2008-09-05 00:31 . 2008-09-05 00:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2008-09-05 00:23 . 2008-09-05 00:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2008-09-05 00:20 . 2008-09-05 00:20 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-04 23:37 . 2008-09-04 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-04 23:35 . 2008-09-06 21:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-04 23:35 . 2008-09-06 21:43 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\SUPERAntiSpyware.com
2008-09-04 23:32 . 2008-09-06 21:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 23:14 . 2008-09-04 23:14 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\PC Tools
2008-09-04 23:14 . 2008-09-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 23:14 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-04 23:14 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-04 23:14 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-04 23:14 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-04 18:40 . 2004-08-04 13:00 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-09-04 18:40 . 2004-08-04 13:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe.backup
2008-09-04 11:41 . 2008-09-04 11:41 36,864 -r-hs---- C:\WINDOWS\system32\Kcrnad1Drv.dll
2008-08-29 21:38 . 2008-08-29 21:38 <DIR> d-------- C:\Program Files\UltiDev
2008-08-29 21:37 . 2008-08-29 21:49 <DIR> d-------- C:\Program Files\InwiseDesktop
2008-08-29 21:37 . 2008-08-29 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UltiDev
2008-08-28 11:41 . 2008-08-28 11:41 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\vlc
2008-08-28 11:39 . 2008-08-28 11:39 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-27 14:57 . 2008-08-27 18:27 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\Winamp
2008-08-27 14:57 . 2007-03-08 00:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-25 23:17 . 2008-09-05 16:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-22 03:15 . 2008-08-22 03:15 1,216,512 --------- C:\WINDOWS\system32\ieframe.dll.mui
2008-08-22 03:14 . 2008-08-22 03:14 10,240 --------- C:\WINDOWS\system32\advpack.dll.mui
2008-08-22 03:05 . 2008-08-22 03:05 48,640 --------- C:\WINDOWS\system32\PrivacIE.dll
2008-08-19 22:14 . 2008-09-07 23:22 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\OpenOffice.org2
2008-08-19 22:07 . 2008-08-19 22:08 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-10 11:33 . 2008-08-10 11:39 <DIR> d-------- C:\Program Files\Free Saltwater Fish Screensaver
2008-08-10 11:33 . 2008-08-10 11:33 <DIR> d-------- C:\Program Files\Desktop XP
2008-08-09 14:24 . 2008-09-03 19:20 <DIR> d-------- C:\Program Files\GameSpy Arcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2090-01-01 01:43 2,686,464 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-09-07 22:27 48,258,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-07 22:21 647,348 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-07 22:21 251,756 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-07 22:21 2,674,208 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-07 21:28 --------- d-----w C:\Documents and Settings\unknown\Application Data\Skype
2008-09-07 19:29 512 ----a-w C:\ScanSectorLog.dat
2008-09-07 19:28 --------- d-----w C:\Program Files\Skype
2008-09-07 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-09-05 20:55 3,465,216 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-09-04 23:55 --------- d-----w C:\Program Files\Free Internet Window Washer
2008-09-04 22:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-04 17:41 24,064 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-09-04 17:37 --------- d-----w C:\Program Files\Google
2008-09-04 10:06 94,208 ----a-w C:\WINDOWS\sxmaokgf.exe
2008-09-02 21:24 45,634 ----a-w C:\Documents and Settings\unknown\Application Data\wklnhst.dat
2008-08-26 17:21 --------- d-----w C:\Program Files\Magic Workstation
2008-08-25 12:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 02:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 02:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 02:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 02:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 02:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 02:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 02:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 02:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 02:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 01:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-20 16:36 --------- d-----w C:\Program Files\Java
2008-08-06 13:14 --------- d-----w C:\Program Files\Majesty Gold
2008-08-05 16:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-08-02 15:36 --------- d-----w C:\Documents and Settings\unknown\Application Data\Image Zone Express
2008-07-29 19:57 --------- d-----w C:\Program Files\GIMP-2.0
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-12 11:13 --------- d-----w C:\Program Files\Ubi Soft
2008-07-12 09:38 --------- d-----w C:\Program Files\VIAudioi
2008-07-12 09:38 --------- d-----w C:\Program Files\Picasa2
2008-07-12 09:38 --------- d-----w C:\Program Files\Idigicon Ltd
2008-07-12 09:38 --------- d-----w C:\Program Files\EASY COMPUTING
2008-07-12 09:38 --------- d-----w C:\Program Files\Darkened Skye
2008-07-12 09:38 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-12 09:38 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 09:38 --------- d-----w C:\Program Files\321Studios
2008-07-12 09:38 --------- d-----w C:\Documents and Settings\unknown\Application Data\alot
2008-07-12 09:37 --------- d-----w C:\Program Files\Website Builder
2008-07-12 09:37 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-07-12 09:37 --------- d-----w C:\Program Files\Microsoft Encarta
2008-07-12 09:37 --------- d-----w C:\Program Files\Microsoft AutoRoute
2008-07-12 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-12 09:33 --------- d-----w C:\Program Files\iTunes
2008-07-12 09:33 --------- d-----w C:\Program Files\iPod
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock(2)(2).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dnsapi(2)(2).dll
2008-06-12 10:27 26,144 ----a-w C:\WINDOWS\system32\spupdsvc.exe
2008-06-12 10:27 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
2008-06-12 10:27 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
2008-06-12 10:27 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
2008-06-04 18:00 47,360 ----a-w C:\Documents and Settings\unknown\Application Data\pcouffin.sys
2008-04-21 17:13 108,784 ----a-w C:\Documents and Settings\unknown\Application Data\GDIPFONTCACHEV1.DAT
2007-01-05 17:56 3,282,340 ----a-w C:\Program Files\podutilsetup.exe
2006-09-16 08:49 24,192 ----a-w C:\Documents and Settings\unknown\usbsermptxp.sys
2006-09-16 08:49 22,768 ----a-w C:\Documents and Settings\unknown\usbsermpt.sys
2006-04-09 13:37 1,800 -c--a-w C:\Documents and Settings\unknown\RISK.DAT
1990-01-01 01:01 36,864 --sh--r C:\WINDOWS\system32\KcrnadDrv.dll
.

------- Sigcheck -------

2008-04-14 01:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2005-10-19 09:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

2008-04-14 01:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2008-09-04 18:41 24064 c3a2915c71ae6f225eb906c25ccd29b5 C:\WINDOWS\system32\ctfmon.exe
2008-09-04 18:41 24064 c3a2915c71ae6f225eb906c25ccd29b5 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 5562368]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2003-12-31 40960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-08 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-09-04 24064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

C:\Documents and Settings\unknown\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-09-04 18:41 24064 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-17 16:14 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRC]
--a------ 2007-10-12 08:57 2435072 C:\Program Files\PC Tune-Up\PCTuneUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-04-14 16:56 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-04-01 16:16 5562368 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-04-01 16:16 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-08 17:35 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 14:05 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--a------ 2003-12-31 17:39 40960 C:\WINDOWS\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-11 23:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-03-09 02:02 919280 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 16:16 1495040 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SopCast\\SopServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9968:TCP"= 9968:TCP:BitComet 9968 TCP
"9968:UDP"= 9968:UDP:BitComet 9968 UDP
"62503:TCP"= 62503:TCP:utorrent

R3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2007-10-13 29696]
R3 uscbs109;uscbs109;C:\WINDOWS\system32\DRIVERS\uscbs109.sys [2005-03-22 8672]
R3 uscsc109;uscsc109;C:\WINDOWS\system32\DRIVERS\uscsc109.sys [2005-03-22 102336]
S3 firewall;firewall;C:\Program Files\Foxie Suite\firewall.sys [ ]
S3 RkHit;RkHit;C:\WINDOWS\system32\drivers\RKHit.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\unknown\Application Data\Mozilla\Firefox\Profiles\vhwmchw9.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 23:24:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-07 23:35:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 22:34:55

Pre-Run: 11,540,639,744 bytes free
Post-Run: 11,454,885,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=AlwaysOff Windows XP Home Edition" /noexecute=optin /fastdetect

336 --- E O F --- 2008-09-05 19:02:29
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 7th, 2008, 6:44 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43, on 07/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\unknown\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {00E1C63A-1060-4EED-928B-2EF2E265D352} (MJPEGRender Control) - http://mcdonaldcastlehotel.remotemanage ... Render.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.airport-nuernberg.de/_/tools ... ontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tesco//ap ... loader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8660 bytes
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby km2357 » September 8th, 2008, 1:32 am

Step # 1: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

WebVideo Support

Reboot your Computer.


Step # 2 Remove old versions of Java

While you have the latest version of Java installed, older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

Java 2 Runtime Environment, SE v1.4.2_09

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 10

Java(TM) SE Runtime Environment 6 Update 1

Java(TM) 6 Update 2

Java(TM) 6 Update 4

Reboot your Computer.


Step # 3 Upload Files


Go to Jotti
Copy the following line into the white textbox:
C:\WINDOWS\ieResetIcons.exe
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following file:

C:\WINDOWS\system32\PrivacIE.dll

If Jotti is busy, Go to VirusTotal and scan the file(s) there.



Step # 4: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    KILLALL::

File::

C:\WINDOWS\system32\ezsidmv.dat
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\sxmaokgf.exe

Folder::

C:\Documents and Settings\Administrator\Application Data\alot
C:\Documents and Settings\unknown\Application Data\alot

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9968:TCP"=-
"9968:UDP"=-
"62503:TCP"=-



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    Image


    Note: This CFScript is for use on arie's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. Jotti/Virustotal results
2. The ComboFix Log that appears after Step 4 has been completed
3. A fresh HiJackThis Log taken after Step 4 has been completed
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3206
Joined: January 30th, 2007, 2:48 pm
Location: California
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 2:57 pm

Hi again, just want to thank you already for al your help, absolutely great this.
Is it always that you have to manually remove the old java's?
Regards, arie.
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 3:29 pm

Service load: 0% 100%

File: ieResetIcons.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: cf7b28a2f3535c6b13ac10b389f3f381
Packers detected: -

Scanner results
Scan taken on 08 Sep 2008 19:32:44 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Last edited by arie on September 8th, 2008, 3:34 pm, edited 1 time in total.
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 3:32 pm

File: PrivacIE.dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 772d47f34dd56ddda96d6bab326c06fb
Packers detected: -

Scanner results
Scan taken on 08 Sep 2008 19:30:26 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 5:02 pm

ComboFix 08-09-05.03 - unknown 2008-09-08 20:40:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.730 [GMT 1:00]
Running from: C:\Documents and Settings\unknown\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\unknown\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\alot
C:\Documents and Settings\unknown\Application Data\alot
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\sxmaokgf.exe
C:\WINDOWS\system32\ezsidmv.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 20:28 . 2008-09-07 20:28 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-09-07 20:28 . 2008-09-07 20:28 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\skypePM
2008-09-07 13:58 . 2008-09-07 13:58 <DIR> d--hs---- C:\Documents and Settings\unknown\PrivacIE
2008-09-07 08:47 . 2008-09-07 08:47 <DIR> d-------- C:\d8e23c8845dfe8f93f
2008-09-06 23:01 . 2008-09-06 23:07 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-06 14:45 . 2008-09-06 14:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-06 14:40 . 2008-09-08 20:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-06 14:40 . 2008-09-06 14:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-06 14:33 . 2008-09-03 05:41 <DIR> d-------- C:\SDFix
2008-09-05 23:20 . 2008-09-05 23:20 <DIR> d-------- C:\Program Files\fixpolicies
2008-09-05 18:14 . 2008-09-05 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-05 18:14 . 2008-09-05 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-05 02:02 . 2006-10-27 16:07 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-09-05 00:58 . 2008-09-05 01:04 <DIR> d-------- C:\Program Files\Perfect Uninstaller
2008-09-05 00:58 . 2008-09-05 00:58 42 --a------ C:\WINDOWS\system32\AK083E209605E394C.lie
2008-09-05 00:31 . 2008-09-05 00:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2008-09-05 00:23 . 2008-09-05 00:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2008-09-05 00:20 . 2008-09-05 00:20 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-04 23:37 . 2008-09-04 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-04 23:35 . 2008-09-06 21:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-04 23:35 . 2008-09-06 21:43 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\SUPERAntiSpyware.com
2008-09-04 23:32 . 2008-09-06 21:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 23:14 . 2008-09-04 23:14 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\PC Tools
2008-09-04 23:14 . 2008-09-04 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 23:14 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-04 23:14 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-04 23:14 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-04 23:14 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-04 18:40 . 2004-08-04 13:00 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-09-04 18:40 . 2004-08-04 13:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe.backup
2008-09-04 11:41 . 2008-09-04 11:41 36,864 -r-hs---- C:\WINDOWS\system32\Kcrnad1Drv.dll
2008-08-29 21:38 . 2008-08-29 21:38 <DIR> d-------- C:\Program Files\UltiDev
2008-08-29 21:37 . 2008-08-29 21:49 <DIR> d-------- C:\Program Files\InwiseDesktop
2008-08-29 21:37 . 2008-08-29 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UltiDev
2008-08-28 11:41 . 2008-08-28 11:41 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\vlc
2008-08-28 11:39 . 2008-08-28 11:39 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-27 14:57 . 2008-08-27 18:27 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\Winamp
2008-08-27 14:57 . 2007-03-08 00:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-25 23:17 . 2008-09-05 16:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-22 03:15 . 2008-08-22 03:15 1,216,512 --------- C:\WINDOWS\system32\ieframe.dll.mui
2008-08-22 03:14 . 2008-08-22 03:14 10,240 --------- C:\WINDOWS\system32\advpack.dll.mui
2008-08-22 03:05 . 2008-08-22 03:05 48,640 --------- C:\WINDOWS\system32\PrivacIE.dll
2008-08-19 22:14 . 2008-09-08 20:47 <DIR> d-------- C:\Documents and Settings\unknown\Application Data\OpenOffice.org2
2008-08-19 22:07 . 2008-08-19 22:08 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-10 11:33 . 2008-08-10 11:39 <DIR> d-------- C:\Program Files\Free Saltwater Fish Screensaver
2008-08-10 11:33 . 2008-08-10 11:33 <DIR> d-------- C:\Program Files\Desktop XP
2008-08-09 14:24 . 2008-09-03 19:20 <DIR> d-------- C:\Program Files\GameSpy Arcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 19:13 --------- d-----w C:\Program Files\Java
2008-09-07 23:22 647,804 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-07 23:22 48,289,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-07 23:22 252,020 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-07 23:22 2,676,768 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-07 21:28 --------- d-----w C:\Documents and Settings\unknown\Application Data\Skype
2008-09-07 19:29 512 ----a-w C:\ScanSectorLog.dat
2008-09-07 19:28 --------- d-----w C:\Program Files\Skype
2008-09-07 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-09-04 23:55 --------- d-----w C:\Program Files\Free Internet Window Washer
2008-09-04 22:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-04 17:37 --------- d-----w C:\Program Files\Google
2008-09-02 21:24 45,634 ----a-w C:\Documents and Settings\unknown\Application Data\wklnhst.dat
2008-08-26 17:21 --------- d-----w C:\Program Files\Magic Workstation
2008-08-25 12:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 13:14 --------- d-----w C:\Program Files\Majesty Gold
2008-08-02 15:36 --------- d-----w C:\Documents and Settings\unknown\Application Data\Image Zone Express
2008-07-29 19:57 --------- d-----w C:\Program Files\GIMP-2.0
2008-07-12 11:13 --------- d-----w C:\Program Files\Ubi Soft
2008-07-12 09:38 --------- d-----w C:\Program Files\VIAudioi
2008-07-12 09:38 --------- d-----w C:\Program Files\Picasa2
2008-07-12 09:38 --------- d-----w C:\Program Files\Idigicon Ltd
2008-07-12 09:38 --------- d-----w C:\Program Files\EASY COMPUTING
2008-07-12 09:38 --------- d-----w C:\Program Files\Darkened Skye
2008-07-12 09:38 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-12 09:38 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 09:38 --------- d-----w C:\Program Files\321Studios
2008-07-12 09:37 --------- d-----w C:\Program Files\Website Builder
2008-07-12 09:37 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-07-12 09:37 --------- d-----w C:\Program Files\Microsoft Encarta
2008-07-12 09:37 --------- d-----w C:\Program Files\Microsoft AutoRoute
2008-07-12 09:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-12 09:33 --------- d-----w C:\Program Files\iTunes
2008-07-12 09:33 --------- d-----w C:\Program Files\iPod
2008-06-04 18:00 47,360 ----a-w C:\Documents and Settings\unknown\Application Data\pcouffin.sys
2008-04-21 17:13 108,784 ----a-w C:\Documents and Settings\unknown\Application Data\GDIPFONTCACHEV1.DAT
2007-01-05 17:56 3,282,340 ----a-w C:\Program Files\podutilsetup.exe
2006-09-16 08:49 24,192 ----a-w C:\Documents and Settings\unknown\usbsermptxp.sys
2006-09-16 08:49 22,768 ----a-w C:\Documents and Settings\unknown\usbsermpt.sys
2006-04-09 13:37 1,800 -c--a-w C:\Documents and Settings\unknown\RISK.DAT
1990-01-01 01:01 36,864 --sh--r C:\WINDOWS\system32\KcrnadDrv.dll
.

------- Sigcheck -------

2008-04-14 01:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2005-10-19 09:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe

2008-04-14 01:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2008-09-04 18:41 24064 c3a2915c71ae6f225eb906c25ccd29b5 C:\WINDOWS\system32\ctfmon.exe
2008-09-04 18:41 24064 c3a2915c71ae6f225eb906c25ccd29b5 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-07_23.34.16.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-07 22:14:51 888,032 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-09-07 23:22:14 888,060 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-09-07 20:15:47 839,680 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-09-07 23:17:28 839,680 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 5562368]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2003-12-31 40960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-08 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-09-04 24064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

C:\Documents and Settings\unknown\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-09-04 18:41 24064 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-17 16:14 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRC]
--a------ 2007-10-12 08:57 2435072 C:\Program Files\PC Tune-Up\PCTuneUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-04-14 16:56 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-04-01 16:16 5562368 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-04-01 16:16 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-08 17:35 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-01-13 14:05 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--a------ 2003-12-31 17:39 40960 C:\WINDOWS\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-11 23:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-03-09 02:02 919280 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 16:16 1495040 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SopCast\\SopServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2007-10-13 29696]
R3 uscbs109;uscbs109;C:\WINDOWS\system32\DRIVERS\uscbs109.sys [2005-03-22 8672]
R3 uscsc109;uscsc109;C:\WINDOWS\system32\DRIVERS\uscsc109.sys [2005-03-22 102336]
S3 firewall;firewall;C:\Program Files\Foxie Suite\firewall.sys [ ]
S3 RkHit;RkHit;C:\WINDOWS\system32\drivers\RKHit.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 20:47:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-08 20:58:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 19:58:12
ComboFix2.txt 2008-09-07 22:35:01

Pre-Run: 11,411,869,696 bytes free
Post-Run: 11,402,457,088 bytes free

254 --- E O F --- 2008-09-05 19:02:29
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 5:03 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 08/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\unknown\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {00E1C63A-1060-4EED-928B-2EF2E265D352} (MJPEGRender Control) - http://mcdonaldcastlehotel.remotemanage ... Render.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.airport-nuernberg.de/_/tools ... ontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tesco//ap ... loader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8564 bytes
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 5:10 pm

Hi km 2357!
I read all your notes first, so I did step 4 also in total, somehow I can't read the last bit now anymore, but it's done anyway. That programm of step1 webmedia something was already gone, for I suspected it earlier last week. My son thinks he is doing himself and others on this computer a favour....... Any idea how to ged rid of that? Just kidding!
I couldn't get "Free Window Washer" removed last week either, it misses an install file, how to deal with these things, would be good to know!
Cheers for now, I'll read you tomorrow!
arie.
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby km2357 » September 8th, 2008, 6:19 pm

Hi again, just want to thank you already for al your help, absolutely great this.
Is it always that you have to manually remove the old java's?


Yes, you should always uninstall old versions of Java whenever you update to the latest version. The old versions have vunerablities in them and should be removed.

I couldn't get "Free Window Washer" removed last week either, it misses an install file, how to deal with these things, would be good to know!


Are you sure its not already gone? :? I don't see it on the Uninstall List you posted earlier. If it is still there, let's try this to get rid of it.

Step # 1 Download CCleaner

Download CCleaner from here to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
  • Click Install then finish to complete installation.


Step # 2 Uninstall a program using CCleaner

  • Launch CCleaner
  • Click Tools
  • If Uninstall is not selected, click it to select it
  • Under Programs to Remove,scroll down till Free Window Washer is selected
  • Click Run Uninstaller
  • If that doesn't work, make sure that Free Window Washer is still selected and click Delete Entry


Step # 3 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO


Step # 4: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYGB

    It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust these sites to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please fix the following O15 entries:

    O15 - Trusted Zone: *.moove.com

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.



Step # 5 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log taken after all 5 steps have been completed
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3206
Joined: January 30th, 2007, 2:48 pm
Location: California
Top

Re: VIRUS ALERT! next to clock, some programs have disappeared..

Unread postby arie » September 8th, 2008, 6:58 pm

No, I can'y be sure, for I see the icon popping back up on my Desktop! What's with all the thousands of windows updates? do they have to be removed manually?
arie
Regular Member
 
Posts: 24
Joined: September 6th, 2008, 4:28 pm
Location: Scotland
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 150 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index