Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

nagging infection, please help

Post by rayoliveira » June 2nd, 2008, 4:35 pm

Dear Members,

Thank you so much for any help you can give me here. My computer is freezing, I'm getting errors on startup, and it seems clear there is some sort of infection here. I want to get rid of things like txplatform.exe, but I can't seem to delete them. Thanks for any assistance!

Best,
Ray

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:09 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drivers\disdn\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IIS AdministratorSvr (IISADMINSRC) - IISADMINSRC - C:\Program Files\NetMeeting\Update.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\drivers\disdn\svchost.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: txplatform.exe (txplatform) - Unknown owner - C:\WINDOWS\System32\txplatform.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe
O23 - Service: Windows Media Player Updates (WMupdates) - Media Player - C:\Program Files\Windows Media Player\Update.exe

--
End of file - 9654 bytes

Re: nagging infection, please help

Post by MWR 3 day Mod » June 5th, 2008, 6:15 pm

Hi, rayoliveira

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: nagging infection, please help

Post by Bio-Hazard » June 6th, 2008, 2:26 pm

Welcome to the MWR forums. My name is Bio-Hazard. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • It is important that you reply to this thread. Do not start a new topic.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.


Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Re: nagging infection, please help

Post by rayoliveira » June 6th, 2008, 4:28 pm

Bio-Hazard,

Thanks so much for your help. Here you go:

Access IBM
Ad-Aware
Adobe Contribute 4
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.7
Agere Systems AC'97 Modem
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
BitTorrent 5.0.3
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Bonjour
Connected DataProtector
Continental Airlines Timetable
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
eMusic Download Manager
EPSON Printer Software
GMATPrep(TM)
Google Desktop
Google Desktop
HijackThis 2.0.2
HP Business Inkjet 1200
HP Business Inkjet 1200
IBM RecordNow
IBM RecordNow Update Manager
IBM ThinkPad Battery MaxiMiser and Power Management Features
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Last.fm 1.5.0.24910
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Contribute 3.11
Macromedia Flash Player 8
Macromedia Shockwave Player
MeetingPlace for Outlook
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office 2003 Proofing Tools
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visio Viewer 2002
MLB.TV NexDef Plug-in
Mozilla Firefox (2.0.0.14)
QuickBooks Simple Start Online Edition
QuickTime
RealPlayer
Roxio Media Manager
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Symantec Client Security
ThinkPad Configuration
ThinkPad Integrated 56K Modem
ThinkPad Power Management Driver
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
Virtual Earth 3D (Beta)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Messenger 5.1
WinRAR archiver
WinZip

Re: nagging infection, please help

Post by Bio-Hazard » June 7th, 2008, 2:28 am

End a Process using HijackThis

We need to end processes with HijackThis.

  • Open HijackThis
  • Click on the tab Open the Misc Tools section
  • Click on the box that says Open Process Manager
  • Locate the following process(es) and click on each one.
      C:\WINDOWS\system32\drivers\disdn\svchost.exe
  • Click on the button Kill Process
  • Click Yes at the prompt.
  • Please do this for each process listed.


Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it onto your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Backup your registry to the default location

Note: To restore your registry, go to the folder and start ERDNT.exe



Delete Bad Services

  • Copy and Paste everything from the Quote box into Notepad:

    @echo off
    rem Stop each rogue service first, so the delete below takes effect now instead of being deferred until the service stops.
    sc stop IISADMINSRC
    sc stop QQÒ½Éú
    sc stop txplatform
    sc stop WindowsEntServer2008
    sc stop WMupdates
    sc stop RasAuto
    rem Set the start type to disabled so nothing can restart them in the meantime.
    sc config IISADMINSRC start= disabled
    sc config QQÒ½Éú start= disabled
    sc config txplatform start= disabled
    sc config WindowsEntServer2008 start= disabled
    sc config WMupdates start= disabled
    sc config RasAuto start= disabled
    rem Remove the service entries from the Service Control Manager.
    sc delete IISADMINSRC
    sc delete QQÒ½Éú
    sc delete txplatform
    sc delete WindowsEntServer2008
    sc delete WMupdates
    sc delete RasAuto

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as Fix.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click Fix.bat on your Desktop




Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O23 - Service: IIS AdministratorSvr (IISADMINSRC) - IISADMINSRC - C:\Program Files\NetMeeting\Update.exe
    O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
    O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\drivers\disdn\svchost.exe
    O23 - Service: txplatform.exe (txplatform) - Unknown owner - C:\WINDOWS\System32\txplatform.exe
    O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe
    O23 - Service: Windows Media Player Updates (WMupdates) - Media Player - C:\Program Files\Windows Media Player\Update.exe


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.



Reboot before running Malwarebytes' Anti-Malware


Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.




Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Malwarebytes' Anti-Malware
  • A fresh HijackThis Log ( after all the above has been done)
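The six services Bio-Hazard singles out above can all be picked out of the O23 lines by a few mechanical checks, and it is worth seeing that reasoning written down rather than just the resulting Fix.bat. The script below is an added example for this thread, not code from HijackThis, MalwareRemoval.com or the poster: it parses a handful of O23 lines copied from the first log, flags an entry when its image file is missing, when a binary named like a core Windows process (svchost.exe and friends) lives anywhere but System32, when the owner field merely repeats the service name, when the display name is a bare .exe, or when a Microsoft-sounding name carries a non-Microsoft owner, and it puts "Unknown owner" entries that trip none of those into a separate verify pile instead of treating the unknown owner as proof of anything. The rule names, the severity tiers and the Fix.bat generator are this example's own assumptions. One caveat the rules make visible: RasAuto is the real short name of Windows XP's Remote Access Auto Connection Manager, which normally runs inside svchost.exe from System32; in this log the name points at a copy of svchost.exe under system32\drivers\disdn, so deleting the service removes the hijacked entry and the stock service along with it.

```python
"""Triage HijackThis O23 (service) lines the way the fix above reasons about them.

Added example for this thread, not HijackThis or MalwareRemoval.com code. The sample
lines are copied from the first log in the thread; the rule set, the severity tiers
and the Fix.bat generator are this example's own assumptions.
"""
import ntpath
import re

# Sample input: ten O23 lines copied from the first HijackThis log above.
O23_LINES = r"""
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: IIS AdministratorSvr (IISADMINSRC) - IISADMINSRC - C:\Program Files\NetMeeting\Update.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\drivers\disdn\svchost.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: txplatform.exe (txplatform) - Unknown owner - C:\WINDOWS\System32\txplatform.exe
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe
O23 - Service: Windows Media Player Updates (WMupdates) - Media Player - C:\Program Files\Windows Media Player\Update.exe
""".strip().splitlines()

# display name, optional (short name), owner, image path, optional "(file missing)"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Names Windows uses for its own core processes; a service binary carrying one of
# these names anywhere but System32 is masquerading (the RasAuto entry above).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"
MS_WORDS = ("windows", "microsoft", "iis", "media player")


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"display": d["display"], "short": d["short"] or d["display"],
            "owner": d["owner"], "path": d["path"], "missing": d["missing"] is not None}


def triage(svc):
    """Return the list of reasons a parsed service looks rogue (empty if none fire)."""
    reasons = []
    base = ntpath.basename(svc["path"]).lower()
    folder = ntpath.dirname(svc["path"]).lower()
    names = (svc["display"] + " " + svc["short"]).lower()
    owner = svc["owner"].lower()
    if svc["missing"]:
        reasons.append("file missing: orphaned service entry")
    if base in SYSTEM_BINARIES and folder != SYSTEM32:
        reasons.append("system binary name outside System32")
    if owner in (svc["display"].lower(), svc["short"].lower()):
        reasons.append("owner field just repeats the service name")
    if svc["display"].lower().endswith(".exe"):
        reasons.append("display name is a bare executable name")
    if any(w in names for w in MS_WORDS) and not owner.startswith("microsoft"):
        reasons.append("Microsoft-sounding name, non-Microsoft owner")
    return reasons


def triage_log(lines):
    """Split O23 lines into suspicious (a rule fired), verify (unknown owner only) and ok."""
    verdicts = {"suspicious": {}, "verify": {}, "ok": []}
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = triage(svc)
        if reasons:
            verdicts["suspicious"][svc["short"]] = reasons
        elif svc["owner"] == "Unknown owner":
            verdicts["verify"][svc["short"]] = "unknown owner: check the binary's publisher by hand"
        else:
            verdicts["ok"].append(svc["short"])
    return verdicts


def sc_fix_batch(service_names):
    """Emit a stop / disable / delete batch in the same shape as the thread's Fix.bat."""
    lines = ["@echo off"]
    for verb, suffix in (("stop", ""), ("config", " start= disabled"), ("delete", "")):
        for name in service_names:
            quoted = f'"{name}"' if " " in name else name
            lines.append(f"sc {verb} {quoted}{suffix}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v = triage_log(O23_LINES)
    for name, why in v["suspicious"].items():
        print(f"SUSPICIOUS {name}: {'; '.join(why)}")
    for name, why in v["verify"].items():
        print(f"VERIFY     {name}: {why}")
    print(sc_fix_batch(sorted(v["suspicious"])))
```

Run against the ten sample lines it marks exactly the six services that Fix.bat removes and leaves the two ThinkPad entries in the verify pile, which is the right outcome: "Unknown owner" on its own only means HijackThis found no company name in the file's version resource, and a real vendor binary such as ibmpmsvc.exe trips it just as readily as malware does.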

Re: nagging infection, please help

Post by rayoliveira » June 7th, 2008, 1:53 pm

Thanks for your help! Here are the requested logs:

Malwarebytes' Anti-Malware 1.15
Database version: 838

1:56:17 PM 6/7/2008
mbam-log-6-7-2008 (13-56-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 96518
Time elapsed: 1 hour(s), 13 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\Proxy.Dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\ProxyM.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\npptools.dll (HackTool.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\WanPacket.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\sgcxcxxaspf080524.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system\sgcxcxxaspf080526.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\sppdcrs080524.scr (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\sppdcrs080526.scr (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\svchosts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmpcj0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Proxy.Dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ProxyM.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wmplayer.exe (Worm.Rbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.exf (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:18 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 9377 bytes
rayoliveira
Active Member
 
Posts: 8
Joined: June 2nd, 2008, 4:27 pm

Re: nagging infection, please help

Unread postby Bio-Hazard » June 8th, 2008, 4:14 pm

BACKDOOR TROJAN

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.

Please let us know what you have decided to do in your next post.



If you decide you want to continue repairing with those limitations, proceed as follows


P2P Warning!

BitTorrent 5.0.3

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources you can expect infestations of malware to occur. Once upon a time P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. Additional information on the safety of Peer to Peer programs themselves is here: Clean/Infected P2P Programs. Please decide if you want to keep using P2P. If you don't want to keep P2P then this is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    BitTorrent 5.0.3

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, please do not use them until your computer is cleaned.



You need to REBOOT your computer so Malwarebytes' Antimalware can clean some of the infections it found.



Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.





Remove programs

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Java 2 Runtime Environment, SE v1.4.2_03
    Adobe Reader 7.0.7

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.



Kaspersky Online Scan

With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image
  • Copy and paste the report in your next post.

Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time. Please don't go surfing while your resident protection is disabled! Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.




Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: nagging infection, please help

Unread postby rayoliveira » June 8th, 2008, 8:08 pm

Hi! The computer is running pretty well right now. I ran the scans without doing anything to the computer, but normally I open Process Explorer and kill a bunch of shady looking svchost.exe processes. Who knows if that makes my computer safer or not. The logs follow below. Thank you again!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 8:01:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 840174
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55184
Number of viruses found: 19
Number of infected objects: 60
Number of suspicious objects: 0
Duration of the scan process: 01:39:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Client Firewall\System.log Object is locked skipped
C:\Documents and Settings\a\.autobahn\autobahn-log.txt Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\cache\cache-index.dir Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\cache\cache-index.pag Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\cache\cache-meta.dir Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\cache\cache-meta.pag Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\metadata\metadata-index.dir Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\metadata\metadata-index.pag Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\metadata\metadata-meta.dir Object is locked skipped
C:\Documents and Settings\a\.autobahn\Swarmcast\cache-490e2cdcedfc7479\metadata\metadata-meta.pag Object is locked skipped
C:\Documents and Settings\a\Application Data\autobahn.log Object is locked skipped
C:\Documents and Settings\a\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\a\Desktop\Lphant-v2.01-Installer.exe/file231 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\a\Desktop\Lphant-v2.01-Installer.exe Inno: infected - 1 skipped
C:\Documents and Settings\a\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\a\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\a\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\a\Local Settings\Temp\arp.exe Infected: Backdoor.Win32.Agent.fjs skipped
C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\a\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\a\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\pm\Desktop\s5.exe/CDial.dll Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\Documents and Settings\pm\Desktop\s5.exe/svchost.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\Documents and Settings\pm\Desktop\s5.exe RAR: infected - 2 skipped
C:\Documents and Settings\pm\Local Settings\Application Data\Mozilla\Firefox\Profiles\urxw1212.default\Cache\BAF9B53Bd01/CDial.dll Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\Documents and Settings\pm\Local Settings\Application Data\Mozilla\Firefox\Profiles\urxw1212.default\Cache\BAF9B53Bd01/svchost.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\Documents and Settings\pm\Local Settings\Application Data\Mozilla\Firefox\Profiles\urxw1212.default\Cache\BAF9B53Bd01 RAR: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\33891126.reg Infected: Trojan.WinREG.Teserv.a skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0020NAV~.TMP Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0770NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\3800hk.dll Infected: Backdoor.Win32.Delf.iof skipped
C:\WINDOWS\system32\caabsc.dll Infected: Backdoor.Win32.PcClient.dub skipped
C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\execmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchInstall.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped
C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002G.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002G.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000005.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000005.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000O.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000O.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000008.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000008.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000015Y.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000015Y.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\000000F9.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\000000F9.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000005N.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000005N.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000003.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000003.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvcollfileendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvcollfileendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000001.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000001.que Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\000000EA.msg Object is locked skipped
C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\000000EA.que Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ctfmon.dll Infected: Trojan-Downloader.Win32.Agent.rpm skipped
C:\WINDOWS\system32\dhfnng.dll Infected: Backdoor.Win32.PcClient.dub skipped
C:\WINDOWS\system32\drivers\disdn\CDial.dll Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\WINDOWS\system32\drivers\disdn\svchost.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
C:\WINDOWS\system32\exfqpf.dll Infected: Backdoor.Win32.PcClient.dlv skipped
C:\WINDOWS\system32\Girl.exe Infected: Backdoor.Win32.Agent.hif skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hyaawo.dll Infected: Backdoor.Win32.PcClient.dub skipped
C:\WINDOWS\system32\hzjwcv.dll Infected: Backdoor.Win32.PcClient.dkm skipped
C:\WINDOWS\system32\IpSvchostF.dll Object is locked skipped
C:\WINDOWS\system32\lfotah.dll Infected: Backdoor.Win32.PcClient.dpl skipped
C:\WINDOWS\system32\mooqfh.dll Infected: Backdoor.Win32.PcClient.crv skipped
C:\WINDOWS\system32\nrgbzr.dll Infected: Backdoor.Win32.PcClient.dpl skipped
C:\WINDOWS\system32\NSQ.exe Infected: Backdoor.Win32.Agent.iva skipped
C:\WINDOWS\system32\otvlwe.dll Infected: Backdoor.Win32.PcClient.dlv skipped
C:\WINDOWS\system32\profile.dat Object is locked skipped
C:\WINDOWS\system32\qsacsj.dll Infected: Backdoor.Win32.PcClient.dpl skipped
C:\WINDOWS\system32\sluhlp.dll Infected: Backdoor.Win32.PcClient.drl skipped
C:\WINDOWS\system32\txplatform.exe Infected: Backdoor.Win32.Agent.hws skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\10156.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\119.exe Infected: Backdoor.Win32.Agent.iva skipped
C:\WINDOWS\Temp\16992.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\17452.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\19328.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\21992.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\22284.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\2524.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\28068.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\2840594511208.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\2850586910400.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\2850625911496.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\30972.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\35508.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\35644.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\35856.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\41498275992.ExE Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\4560.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\5116.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\5376.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\5776.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\5812.EXe Infected: Trojan-Downloader.Win32.NanoDesu.u skipped
C:\WINDOWS\Temp\58184.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\61912.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\62204.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\6836.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\7012.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\7260.Exe Infected: Backdoor.Win32.PcClient.dkl skipped
C:\WINDOWS\Temp\8453843926512.exe Infected: Trojan-Dropper.Win32.Mudrop.lg skipped
C:\WINDOWS\Temp\8852.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\9092.Exe Infected: Backdoor.Win32.PcClient.dpb skipped
C:\WINDOWS\Temp\txplatform.exe Infected: Backdoor.Win32.Agent.hws skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



_____________________________________________________________________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:24 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 9017 bytes
rayoliveira
Active Member
 
Posts: 8
Joined: June 2nd, 2008, 4:27 pm

Re: nagging infection, please help

Post by Bio-Hazard » June 9th, 2008, 7:14 am

Hello!

Have you fully understood the information I gave you about the BACKDOOR TROJAN?

OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\Documents and Settings\a\Desktop\Lphant-v2.01-Installer.exe
C:\Documents and Settings\a\Local Settings\Temp\arp.exe
C:\Documents and Settings\pm\Desktop\s5.exe
C:\WINDOWS\system32\3800hk.dll
C:\WINDOWS\system32\caabsc.dll
C:\WINDOWS\system32\ctfmon.dll
C:\WINDOWS\system32\dhfnng.dll
C:\WINDOWS\system32\drivers\disdn\CDial.dll
C:\WINDOWS\system32\drivers\disdn\svchost.exe
C:\WINDOWS\system32\exfqpf.dll
C:\WINDOWS\system32\Girl.exe
C:\WINDOWS\system32\hyaawo.dll
C:\WINDOWS\system32\hzjwcv.dll
C:\WINDOWS\system32\lfotah.dll
C:\WINDOWS\system32\mooqfh.dll
C:\WINDOWS\system32\nrgbzr.dll
C:\WINDOWS\system32\NSQ.exe
C:\WINDOWS\system32\otvlwe.dll
C:\WINDOWS\system32\qsacsj.dll
C:\WINDOWS\system32\sluhlp.dll
C:\WINDOWS\system32\txplatform.exe
C:\WINDOWS\Temp\10156.Exe
C:\WINDOWS\Temp\119.exe
C:\WINDOWS\Temp\16992.EXe
C:\WINDOWS\Temp\17452.EXe
C:\WINDOWS\Temp\19328.Exe
C:\WINDOWS\Temp\21992.Exe
C:\WINDOWS\Temp\22284.EXe
C:\WINDOWS\Temp\2524.EXe
C:\WINDOWS\Temp\28068.Exe
C:\WINDOWS\Temp\2840594511208.Exe
C:\WINDOWS\Temp\2850586910400.Exe
C:\WINDOWS\Temp\2850625911496.Exe
C:\WINDOWS\Temp\30972.Exe
C:\WINDOWS\Temp\35508.Exe
C:\WINDOWS\Temp\35644.Exe
C:\WINDOWS\Temp\35856.Exe
C:\WINDOWS\Temp\41498275992.ExE
C:\WINDOWS\Temp\4560.EXe
C:\WINDOWS\Temp\5116.EXe
C:\WINDOWS\Temp\5376.Exe
C:\WINDOWS\Temp\5776.Exe
C:\WINDOWS\Temp\5812.EXe
C:\WINDOWS\Temp\58184.Exe
C:\WINDOWS\Temp\61912.Exe
C:\WINDOWS\Temp\62204.Exe
C:\WINDOWS\Temp\6836.Exe
C:\WINDOWS\Temp\7012.Exe
C:\WINDOWS\Temp\7260.Exe
C:\WINDOWS\Temp\8453843926512.exe
C:\WINDOWS\Temp\8852.Exe
C:\WINDOWS\Temp\9092.Exe
C:\WINDOWS\Temp\txplatform.exe

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2




Install Java Runtime:

Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go HERE
  • Click on the link named Java Runtime Environment (JRE) 6 Update 6
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your hard disk
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer


Install Adobe Reader

  • Click HERE to download the latest version of Adobe Acrobat Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.


Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • OTMoveIt2 Results
  • A fresh HijackThis Log (after all the above has been done)
  • How are things running now?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: nagging infection, please help

Post by rayoliveira » June 9th, 2008, 8:25 am

Hi. Thanks again for all of your help. Yes, I understand the importance of the Backdoor Trojan, but I need this computer, so let's see if we can get it clean.

Things seem to be running fine. Below are the logs you requested:

File/Folder C:\Documents and Settings\a\Desktop\Lphant-v2.01-Installer.exe not found.
File/Folder C:\Documents and Settings\a\Local Settings\Temp\arp.exe not found.
File/Folder C:\Documents and Settings\pm\Desktop\s5.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\3800hk.dll
C:\WINDOWS\system32\3800hk.dll NOT unregistered.
C:\WINDOWS\system32\3800hk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\caabsc.dll
C:\WINDOWS\system32\caabsc.dll NOT unregistered.
C:\WINDOWS\system32\caabsc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ctfmon.dll
C:\WINDOWS\system32\ctfmon.dll NOT unregistered.
C:\WINDOWS\system32\ctfmon.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dhfnng.dll
C:\WINDOWS\system32\dhfnng.dll NOT unregistered.
C:\WINDOWS\system32\dhfnng.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\drivers\disdn\CDial.dll
C:\WINDOWS\system32\drivers\disdn\CDial.dll NOT unregistered.
C:\WINDOWS\system32\drivers\disdn\CDial.dll moved successfully.
C:\WINDOWS\system32\drivers\disdn\svchost.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\exfqpf.dll
C:\WINDOWS\system32\exfqpf.dll NOT unregistered.
C:\WINDOWS\system32\exfqpf.dll moved successfully.
C:\WINDOWS\system32\Girl.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hyaawo.dll
C:\WINDOWS\system32\hyaawo.dll NOT unregistered.
C:\WINDOWS\system32\hyaawo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hzjwcv.dll
C:\WINDOWS\system32\hzjwcv.dll NOT unregistered.
C:\WINDOWS\system32\hzjwcv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lfotah.dll
C:\WINDOWS\system32\lfotah.dll NOT unregistered.
C:\WINDOWS\system32\lfotah.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mooqfh.dll
C:\WINDOWS\system32\mooqfh.dll NOT unregistered.
C:\WINDOWS\system32\mooqfh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nrgbzr.dll
C:\WINDOWS\system32\nrgbzr.dll NOT unregistered.
C:\WINDOWS\system32\nrgbzr.dll moved successfully.
C:\WINDOWS\system32\NSQ.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\otvlwe.dll
C:\WINDOWS\system32\otvlwe.dll NOT unregistered.
C:\WINDOWS\system32\otvlwe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qsacsj.dll
C:\WINDOWS\system32\qsacsj.dll NOT unregistered.
C:\WINDOWS\system32\qsacsj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sluhlp.dll
C:\WINDOWS\system32\sluhlp.dll NOT unregistered.
C:\WINDOWS\system32\sluhlp.dll moved successfully.
C:\WINDOWS\system32\txplatform.exe moved successfully.
C:\WINDOWS\Temp\10156.Exe moved successfully.
C:\WINDOWS\Temp\119.exe moved successfully.
C:\WINDOWS\Temp\16992.EXe moved successfully.
C:\WINDOWS\Temp\17452.EXe moved successfully.
C:\WINDOWS\Temp\19328.Exe moved successfully.
C:\WINDOWS\Temp\21992.Exe moved successfully.
C:\WINDOWS\Temp\22284.EXe moved successfully.
C:\WINDOWS\Temp\2524.EXe moved successfully.
C:\WINDOWS\Temp\28068.Exe moved successfully.
C:\WINDOWS\Temp\2840594511208.Exe moved successfully.
C:\WINDOWS\Temp\2850586910400.Exe moved successfully.
C:\WINDOWS\Temp\2850625911496.Exe moved successfully.
C:\WINDOWS\Temp\30972.Exe moved successfully.
C:\WINDOWS\Temp\35508.Exe moved successfully.
C:\WINDOWS\Temp\35644.Exe moved successfully.
C:\WINDOWS\Temp\35856.Exe moved successfully.
C:\WINDOWS\Temp\41498275992.ExE moved successfully.
C:\WINDOWS\Temp\4560.EXe moved successfully.
C:\WINDOWS\Temp\5116.EXe moved successfully.
C:\WINDOWS\Temp\5376.Exe moved successfully.
C:\WINDOWS\Temp\5776.Exe moved successfully.
C:\WINDOWS\Temp\5812.EXe moved successfully.
C:\WINDOWS\Temp\58184.Exe moved successfully.
C:\WINDOWS\Temp\61912.Exe moved successfully.
C:\WINDOWS\Temp\62204.Exe moved successfully.
C:\WINDOWS\Temp\6836.Exe moved successfully.
C:\WINDOWS\Temp\7012.Exe moved successfully.
C:\WINDOWS\Temp\7260.Exe moved successfully.
C:\WINDOWS\Temp\8453843926512.exe moved successfully.
C:\WINDOWS\Temp\8852.Exe moved successfully.
C:\WINDOWS\Temp\9092.Exe moved successfully.
C:\WINDOWS\Temp\txplatform.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06092008_075214


________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:44 AM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 9837 bytes
rayoliveira
Active Member
 
Posts: 8
Joined: June 2nd, 2008, 4:27 pm

Re: nagging infection, please help

Post by Bio-Hazard » June 9th, 2008, 11:47 am

Hi. Thanks again for all of your help. Yes, I understand the importance of the Backdoor Trojan, but I need this computer, so let's see if we can get it clean.


OK. Let's see what we can do.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\WINDOWS\System32\QQÒ½Éú.exe

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2


Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.


Logs/Information to Post in Reply

Please post the following logs/Information in your reply
  • OTMoveIt2 Results
  • ComboFix log (found at C:\Combofix.txt)
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
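The entry Bio-Hazard picks out for OTMoveIt2 above is the O23 service whose binary HijackThis reports as "(file missing)", and the earlier OTMoveIt2 list was built from the same log reading: autoruns launched from Temp and system32 DLLs with random six-letter names. As an added example that is not part of the thread and not HijackThis or OTMoveIt2 code, here is a small Python triage script that flags those three classes of entry in a HijackThis v2.0.2 log; the sample log lines and every file, service and DLL name in it are constructed placeholders, and the rules are heuristics that only shortlist entries for lookup.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not HijackThis code).

Flags the entries a malware-removal helper looks at first: O23 services whose
binary is missing, O4 autoruns that run from a Temp directory or name a bare
executable resolved through PATH, and system32 DLLs with short random-looking
names. Heuristics only: every hit still needs a lookup before anything is moved.
"""
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed sample in HijackThis format. The "(file missing)" service and the
# Temp autorun mirror the shape of entries seen in the thread; the names are made up.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O20 - Winlogon Notify: examplehook - C:\\WINDOWS\\system32\\qwxzlk.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [TpShocks] TpShocks.exe
O4 - HKCU\\..\\Run: [updater] C:\\WINDOWS\\Temp\\12345.Exe
O4 - Global Startup: Example.lnk = C:\\Program Files\\Example\\example.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: Example Svc (ExampleSvc) - Unknown owner - C:\\WINDOWS\\System32\\example.exe (file missing)
"""

_ENTRY = re.compile(r"^(O\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..." style lines
_PATH = re.compile(r'"?(.+?\.(?:exe|dll|cpl|scr|bat|cmd|com))"?', re.IGNORECASE)
_RANDOM_DLL = re.compile(r"^[a-z]{6}\.dll$")      # e.g. the six-letter DLLs moved earlier


def _first_path(target: str) -> str:
    """Pull the first executable/DLL path out of a command-line fragment."""
    target = target.strip()
    if target.lower().startswith(("rundll32 ", "rundll32.exe ")):
        target = target.split(" ", 1)[1]          # the DLL after rundll32 is what runs
    m = _PATH.match(target)
    return m.group(1) if m else target.split(" ")[0]


def _autorun_target(body: str) -> str:
    """O4 bodies look like 'HKLM\\..\\Run: [name] cmd' or 'Global Startup: x.lnk = path'."""
    if "Startup:" in body and " = " in body:
        return body.split(" = ", 1)[1]
    return body.split("] ", 1)[1] if "] " in body else ""


def _f(section: str, severity: str, reason: str, line: str) -> Finding:
    return {"section": section, "severity": severity, "reason": reason, "line": line.strip()}


def triage(log_text: str) -> List[Finding]:
    """Return the shortlisted entries, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue                              # header, process list or blank line
        section, body = m.group(1), m.group(2)
        if section == "O23":
            # 'Service: name (short) - owner - path [ (file missing)]'
            if "(file missing)" in body:
                findings.append(_f(section, "high", "service points to a missing binary; orphaned entry", raw))
            elif "Unknown owner" in body:
                findings.append(_f(section, "info", "service has no publisher; verify the binary", raw))
        elif section == "O4":
            path = _first_path(_autorun_target(body))
            if not path:
                continue
            if "\\temp\\" in path.lower():
                findings.append(_f(section, "high", "autorun launches from a Temp directory", raw))
            elif "\\" not in path:
                findings.append(_f(section, "info", "bare executable name resolved via PATH; confirm which file runs", raw))
        elif section in ("O2", "O3", "O20", "O21"):
            path = _first_path(body.rsplit(" - ", 1)[-1])
            name = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and _RANDOM_DLL.match(name):
                findings.append(_f(section, "medium", "system32 DLL with a random-looking six-letter name", raw))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']:6}] {hit['section']}: {hit['reason']}\n         {hit['line']}")
```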

Re: nagging infection, please help

Post by rayoliveira » June 9th, 2008, 3:37 pm

Thanks, here's the requested info:



File/Folder C:\WINDOWS\System32\QQÒ½Éú.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06092008_153651

____________________________________________________________________

ComboFix 08-06-08.8 - a 2008-06-09 14:52:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.243 [GMT -4:00]
Running from: C:\Documents and Settings\a\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\a\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\pwisys.ini
C:\WINDOWS\system32\drivers\1.tmp
C:\WINDOWS\system32\drivers\12C.tmp
C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\IpSvchostF.dll
C:\WINDOWS\system32\riphy.dll

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-09 15:00 . 2008-06-09 15:00 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-09 08:21 . 2008-06-09 08:21 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-09 08:05 . 2008-06-09 08:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-09 08:00 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-09 07:57 . 2008-06-09 07:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-09 07:52 . 2008-06-09 07:52 <DIR> d-------- C:\_OTMoveIt
2008-06-08 17:38 . 2008-06-08 17:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 17:38 . 2008-06-08 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 13:06 . 2008-06-08 13:07 <DIR> d-------- C:\Documents and Settings\a\Application Data\Media Player Classic
2008-06-07 12:35 . 2008-06-07 12:35 <DIR> d-------- C:\Documents and Settings\a\Application Data\Malwarebytes
2008-06-07 12:34 . 2008-06-07 12:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 12:34 . 2008-06-07 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 12:34 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 12:34 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 11:52 . 2008-06-07 11:53 <DIR> d-------- C:\Program Files\ERUNT
2008-06-03 20:20 . 2008-06-03 20:20 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-03 20:20 . 2004-07-21 00:27 102,400 --a------ C:\WINDOWS\scrub2k.exe
2008-06-03 20:20 . 2004-07-21 00:27 423 --a------ C:\WINDOWS\hpw1200k.ini
2008-06-03 20:18 . 2008-06-03 20:22 383,111 --a------ C:\WINDOWS\hpbj1200.his
2008-06-03 20:18 . 2008-06-03 20:23 23,403 --a------ C:\WINDOWS\mariner.his
2008-06-03 20:18 . 2008-06-03 20:22 18,647 --a------ C:\WINDOWS\hpbj1200.ini
2008-06-03 20:18 . 2008-06-03 20:23 5,683 --a------ C:\WINDOWS\mariner.ini
2008-06-01 12:16 . 2008-06-01 12:15 225,384 -r-hs---- C:\WINDOWS\dosec
2008-05-31 12:29 . 2008-05-31 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-31 12:29 . 2008-05-31 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 12:28 . 2008-05-31 12:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 23:03 . 2008-05-29 23:03 249,383 --a------ C:\WINDOWS\system32\5tIS6Cbv.exe
2008-05-29 23:00 . 2008-05-29 23:02 249,383 --a------ C:\WINDOWS\system32\NnONUeIq.exe
2008-05-29 22:59 . 2008-05-29 23:00 249,383 --a------ C:\WINDOWS\system32\YbF1ZsMs.exe
2008-05-29 22:58 . 2008-05-29 22:59 249,383 --a------ C:\WINDOWS\system32\u1zbje7m.exe
2008-05-29 22:57 . 2008-05-29 22:58 247,923 --a------ C:\WINDOWS\system32\qdPkcMRi.exe
2008-05-29 22:56 . 2008-05-29 22:57 247,923 --a------ C:\WINDOWS\system32\W4KoNFAa.exe
2008-05-29 22:55 . 2008-05-29 22:56 249,383 --a------ C:\WINDOWS\system32\n1I6EJOf.exe
2008-05-29 22:54 . 2008-05-29 22:55 249,383 --a------ C:\WINDOWS\system32\cdjMPjjC.exe
2008-05-29 22:53 . 2008-05-29 22:54 247,923 --a------ C:\WINDOWS\system32\WW55Hr5w.exe
2008-05-29 22:51 . 2008-05-29 22:53 247,923 --a------ C:\WINDOWS\system32\oDZNoFeh.exe
2008-05-29 22:50 . 2008-05-29 22:51 249,383 --a------ C:\WINDOWS\system32\JkjvFiE4.exe
2008-05-29 22:49 . 2008-05-29 22:50 247,923 --a------ C:\WINDOWS\system32\T1nKSEAC.exe
2008-05-29 22:48 . 2008-05-29 22:49 249,383 --a------ C:\WINDOWS\system32\14xxYQZr.exe
2008-05-29 22:47 . 2008-05-29 22:48 247,923 --a------ C:\WINDOWS\system32\XK03blZm.exe
2008-05-29 22:46 . 2008-05-29 22:47 250,113 --a------ C:\WINDOWS\system32\7a7Sucub.exe
2008-05-29 22:43 . 2008-05-29 22:43 247,923 --a------ C:\WINDOWS\system32\PQzfDamm.exe
2008-05-29 22:42 . 2008-05-29 22:42 247,923 --a------ C:\WINDOWS\system32\EiwnxdnQ.exe
2008-05-29 22:40 . 2008-05-29 22:40 247,923 --a------ C:\WINDOWS\system32\QJCXYj5m.exe
2008-05-29 22:39 . 2008-05-29 22:40 249,383 --a------ C:\WINDOWS\system32\WRKxa08a.exe
2008-05-29 22:36 . 2008-05-29 22:36 247,923 --a------ C:\WINDOWS\system32\RKh43XVk.exe
2008-05-29 22:35 . 2008-05-29 22:36 249,383 --a------ C:\WINDOWS\system32\WCJxz3h3.exe
2008-05-29 22:34 . 2008-05-29 22:34 249,383 --a------ C:\WINDOWS\system32\WBrGHOhH.exe
2008-05-29 22:33 . 2008-05-29 22:34 249,383 --a------ C:\WINDOWS\system32\iaXUKNRX.exe
2008-05-29 22:32 . 2008-05-29 22:33 249,383 --a------ C:\WINDOWS\system32\pZ4d4jSq.exe
2008-05-29 22:31 . 2008-05-29 22:32 249,383 --a------ C:\WINDOWS\system32\aQfx3Mj7.exe
2008-05-29 22:30 . 2008-05-29 22:31 249,383 --a------ C:\WINDOWS\system32\TcoyiBGD.exe
2008-05-29 22:29 . 2008-05-29 22:30 249,383 --a------ C:\WINDOWS\system32\pHrFClW8.exe
2008-05-29 22:28 . 2008-05-29 22:28 247,923 --a------ C:\WINDOWS\system32\KFQSGHfI.exe
2008-05-29 22:27 . 2008-05-29 22:28 249,383 --a------ C:\WINDOWS\system32\ZkaXf8fg.exe
2008-05-29 22:26 . 2008-05-29 22:26 247,923 --a------ C:\WINDOWS\system32\IcvfqC4J.exe
2008-05-29 22:25 . 2008-05-29 22:26 247,923 --a------ C:\WINDOWS\system32\b3OYiPob.exe
2008-05-29 22:24 . 2008-05-29 22:25 249,383 --a------ C:\WINDOWS\system32\gure4DZp.exe
2008-05-29 22:23 . 2008-05-29 22:23 249,383 --a------ C:\WINDOWS\system32\ndiV6MBf.exe
2008-05-29 22:21 . 2008-05-29 22:22 247,923 --a------ C:\WINDOWS\system32\OdjAYIMa.exe
2008-05-29 22:18 . 2008-05-29 22:18 249,383 --a------ C:\WINDOWS\system32\rntaYYKT.exe
2008-05-29 22:15 . 2008-05-29 22:15 246,463 --a------ C:\WINDOWS\system32\TfPF7qbl.exe
2008-05-29 22:14 . 2008-05-29 22:14 249,383 --a------ C:\WINDOWS\system32\1FEWu4ub.exe
2008-05-29 22:13 . 2008-05-29 22:13 249,383 --a------ C:\WINDOWS\system32\gRcMYrDy.exe
2008-05-29 22:10 . 2008-05-29 22:11 247,923 --a------ C:\WINDOWS\system32\qihqXB4x.exe
2008-05-29 22:09 . 2008-05-29 22:09 249,383 --a------ C:\WINDOWS\system32\tVehfhYr.exe
2008-05-29 22:08 . 2008-05-29 22:08 249,383 --a------ C:\WINDOWS\system32\bMYLazBj.exe
2008-05-29 22:07 . 2008-05-29 22:08 249,383 --a------ C:\WINDOWS\system32\ALv5htMB.exe
2008-05-29 22:06 . 2008-05-29 22:06 249,383 --a------ C:\WINDOWS\system32\EKwLNJBs.exe
2008-05-29 22:03 . 2008-05-29 22:03 246,463 --a------ C:\WINDOWS\system32\asXiaDns.exe
2008-05-29 22:02 . 2008-05-29 22:02 249,383 --a------ C:\WINDOWS\system32\6aZXD3EC.exe
2008-05-29 22:00 . 2008-05-29 22:01 249,383 --a------ C:\WINDOWS\system32\jnG0H7oP.exe
2008-05-29 21:57 . 2008-05-29 21:57 249,383 --a------ C:\WINDOWS\system32\ECdoKuqK.exe
2008-05-29 21:56 . 2008-05-29 21:56 247,923 --a------ C:\WINDOWS\system32\41o5pITe.exe
2008-05-29 21:55 . 2008-05-29 21:55 247,923 --a------ C:\WINDOWS\system32\rdGQfADR.exe
2008-05-29 21:53 . 2008-05-29 21:53 239,163 --a------ C:\WINDOWS\system32\Wh3XmbTg.exe
2008-05-29 21:50 . 2008-05-29 21:50 247,923 --a------ C:\WINDOWS\system32\nvf66s6U.exe
2008-05-29 21:49 . 2008-05-29 21:50 249,383 --a------ C:\WINDOWS\system32\zgXmjQjg.exe
2008-05-29 21:48 . 2008-05-29 21:48 249,383 --a------ C:\WINDOWS\system32\N2vkykhJ.exe
2008-05-29 21:46 . 2008-05-29 21:46 247,923 --a------ C:\WINDOWS\system32\3SbkShTw.exe
2008-05-29 21:45 . 2008-05-29 21:45 249,383 --a------ C:\WINDOWS\system32\Gnldn5V8.exe
2008-05-29 21:44 . 2008-05-29 21:44 249,383 --a------ C:\WINDOWS\system32\QRl0HpUy.exe
2008-05-29 21:43 . 2008-05-29 21:43 249,383 --a------ C:\WINDOWS\system32\nL2Qlsvx.exe
2008-05-29 21:42 . 2008-05-29 21:42 247,923 --a------ C:\WINDOWS\system32\tv4EBAYf.exe
2008-05-29 21:41 . 2008-05-29 21:41 247,923 --a------ C:\WINDOWS\system32\VhuTw0ot.exe
2008-05-29 21:40 . 2008-05-29 21:40 249,383 --a------ C:\WINDOWS\system32\EAZwEF1w.exe
2008-05-29 21:38 . 2008-05-29 21:39 249,383 --a------ C:\WINDOWS\system32\iCRf2fcZ.exe
2008-05-29 21:37 . 2008-05-29 21:37 245,003 --a------ C:\WINDOWS\system32\WqavSCtp.exe
2008-05-29 21:35 . 2008-05-29 21:35 249,383 --a------ C:\WINDOWS\system32\Gxi0msZV.exe
2008-05-29 21:34 . 2008-05-29 21:35 247,923 --a------ C:\WINDOWS\system32\3Tuzeob6.exe
2008-05-29 21:32 . 2008-05-29 21:32 246,463 --a------ C:\WINDOWS\system32\85BjdBWy.exe
2008-05-29 21:31 . 2008-05-29 21:31 249,383 --a------ C:\WINDOWS\system32\CUw7YWFD.exe
2008-05-29 21:30 . 2008-05-29 21:31 246,463 --a------ C:\WINDOWS\system32\WNiqPJCD.exe
2008-05-29 21:28 . 2008-05-29 21:28 249,383 --a------ C:\WINDOWS\system32\x0rNQcJR.exe
2008-05-29 21:27 . 2008-05-29 21:27 249,383 --a------ C:\WINDOWS\system32\LAt5BX42.exe
2008-05-29 21:26 . 2008-05-29 21:26 249,383 --a------ C:\WINDOWS\system32\luzeZykN.exe
2008-05-29 21:24 . 2008-05-29 21:24 247,923 --a------ C:\WINDOWS\system32\wjMLXEVz.exe
2008-05-29 21:23 . 2008-05-29 21:23 249,383 --a------ C:\WINDOWS\system32\lq2irTmC.exe
2008-05-29 21:22 . 2008-05-29 21:22 247,923 --a------ C:\WINDOWS\system32\ZUsaCpMY.exe
2008-05-29 21:19 . 2008-05-29 21:19 249,383 --a------ C:\WINDOWS\system32\5HG55RIq.exe
2008-05-29 21:18 . 2008-05-29 21:18 249,383 --a------ C:\WINDOWS\system32\lsQcBylH.exe
2008-05-29 21:17 . 2008-05-29 21:17 249,383 --a------ C:\WINDOWS\system32\cCI15p3K.exe
2008-05-29 21:15 . 2008-05-29 21:15 247,923 --a------ C:\WINDOWS\system32\X7tXhHiC.exe
2008-05-29 21:14 . 2008-05-29 21:14 249,383 --a------ C:\WINDOWS\system32\FHeTGhUX.exe
2008-05-29 21:12 . 2008-05-29 21:12 247,923 --a------ C:\WINDOWS\system32\gylGOqql.exe
2008-05-29 21:10 . 2008-05-29 21:10 247,923 --a------ C:\WINDOWS\system32\0FWc0Qfr.exe
2008-05-29 21:09 . 2008-05-29 21:09 246,463 --a------ C:\WINDOWS\system32\Rp8zOZ3r.exe
2008-05-29 21:08 . 2008-05-29 21:08 245,003 --a------ C:\WINDOWS\system32\WBNPUbUn.exe
2008-05-29 21:07 . 2008-05-29 21:07 239,163 --a------ C:\WINDOWS\system32\Q22N3tjq.exe
2008-05-29 21:06 . 2008-05-29 21:06 246,463 --a------ C:\WINDOWS\system32\6jzLnfDK.exe
2008-05-29 21:05 . 2008-05-29 21:05 243,543 --a------ C:\WINDOWS\system32\nltuCek5.exe
2008-05-29 21:04 . 2008-05-29 21:04 247,923 --a------ C:\WINDOWS\system32\XH08rUv2.exe
2008-05-29 21:03 . 2008-05-29 21:03 249,383 --a------ C:\WINDOWS\system32\BrWl7UZd.exe
2008-05-29 21:00 . 2008-05-29 21:00 249,383 --a------ C:\WINDOWS\system32\74ldQVO4.exe
2008-05-29 20:59 . 2008-05-29 20:59 249,383 --a------ C:\WINDOWS\system32\cZKGCXo4.exe
2008-05-29 20:57 . 2008-05-29 20:57 249,383 --a------ C:\WINDOWS\system32\KQUnHDrW.exe
2008-05-29 20:56 . 2008-05-29 20:56 247,923 --a------ C:\WINDOWS\system32\qlimqnjz.exe
2008-05-29 20:55 . 2008-05-29 20:55 246,463 --a------ C:\WINDOWS\system32\rG2Xj1aS.exe
2008-05-29 20:54 . 2008-05-29 20:54 249,383 --a------ C:\WINDOWS\system32\OqPnfIPf.exe
2008-05-29 20:52 . 2008-05-29 20:52 247,923 --a------ C:\WINDOWS\system32\GvrHgfaN.exe
2008-05-29 20:51 . 2008-05-29 20:51 247,923 --a------ C:\WINDOWS\system32\aulWYdE1.exe
2008-05-29 20:50 . 2008-05-29 20:50 243,543 --a------ C:\WINDOWS\system32\7sVZ21IP.exe
2008-05-29 20:49 . 2008-05-29 20:49 243,543 --a------ C:\WINDOWS\system32\AueI3gqj.exe
2008-05-29 20:48 . 2008-05-29 20:48 249,383 --a------ C:\WINDOWS\system32\1WCXJYDM.exe
2008-05-29 20:47 . 2008-05-29 20:47 249,383 --a------ C:\WINDOWS\system32\0QzQnbGA.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 12:00 --------- d-----w C:\Program Files\Java
2008-06-05 04:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 15:54 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-05-20 13:43 --------- d-----w C:\Program Files\iTunes
2008-05-20 13:36 --------- d-----w C:\Program Files\Last.fm
2008-05-06 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-05-06 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-06 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-06 05:29 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-06 05:28 --------- d-----w C:\Program Files\Roxio
2008-05-06 05:24 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-06 05:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-06 05:15 --------- d-----w C:\Program Files\Research In Motion
2008-05-06 05:15 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-05-03 11:50 431,616 --sh--r C:\WINDOWS\EntSver.exe
2008-05-03 00:08 --------- d-----w C:\Program Files\Autobahn
2008-05-02 18:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-30 02:12 --------- d-----w C:\Documents and Settings\a\Application Data\BitTorrent
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2006-02-17 16:17 3,452 ----a-w C:\Program Files\BlockedSenders.txt
2006-02-17 16:17 254 ----a-w C:\Program Files\SafeSenders.txt
2004-08-04 08:56 124,928 --sha-r C:\WINDOWS\system32\ncn.exe
.

------- Sigcheck -------

2004-08-04 04:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 04:56 14336 28b84d2e2bdb2e3410b3491ad41f71a4 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 17:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 17:57 512000]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2005-12-20 02:57 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2005-12-20 02:56 98304]
"TpShocks"="TpShocks.exe" [2005-11-07 15:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-05 05:36 106496]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-05 05:36 395264]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 13:33 48800]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-12-21 21:45 85744]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:56 158208]
"HPWNTOOLBOX"="C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe" [2004-07-21 11:35 327680]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 19:52:34 799496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RedGirl"=2 (0x2)
"RoxLiveShare9"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"= :apisvc
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 19:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 13:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\Drivers\IBMBLDID.sys [2005-11-08 13:27]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 16:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-02-05 05:36]
S2 yqnjcixf;yqnjcixf;C:\WINDOWS\system32\DRIvers\owspth.SYS []
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;C:\WINDOWS\system32\DRIVERS\el574nd4.sys [2001-08-17 16:10]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2004-06-27 03:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
MSDTCSERVEsss REG_MULTI_SZ MSDTCSERVEsss
MSOLAP REG_MULTI_SZ MSOLAP
oyqhhg REG_MULTI_SZ oyqhhg
beocai REG_MULTI_SZ beocai
wmosvr REG_MULTI_SZ WMOptimizer
hebapb REG_MULTI_SZ hebapb
rheqed REG_MULTI_SZ rheqed
rnjetj REG_MULTI_SZ rnjetj
xcywzqERVEsss REG_MULTI_SZ xcywzqERVEsss
scardsvrs.exe REG_MULTI_SZ scardsvrs.exe
jqnjci REG_MULTI_SZ jqnjci
xukybz REG_MULTI_SZ xukybz
exfqpfvrs.exe REG_MULTI_SZ exfqpfvrs.exe
buyreoaky REG_MULTI_SZ buyreoaky
otquon REG_MULTI_SZ otquon
umawxz REG_MULTI_SZ umawxz
cwnlee REG_MULTI_SZ cwnlee
hyaawovrs.exe REG_MULTI_SZ hyaawovrs.exe
ManeagersSecurity REG_MULTI_SZ ManeagersSecurity

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
3800hk

.
Contents of the 'Scheduled Tasks' folder
"2006-02-17 17:52:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 15:00:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\SERVICES\ASP State Services]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_states\aspnet"

[HKEY_LOCAL_MACHINE\System\ControlSet005\SERVICES\Microsoftpvsy]
"ImagePath"="C:\WINDOWS\dosec"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> c:\windows\system32\xcywzq.dll

PROCESS: C:\WINDOWS\explorer.exe
-> c:\windows\system32\xcywzq.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-06-09 15:18:55 - machine was rebooted [a]
ComboFix-quarantined-files.txt 2008-06-09 19:18:31

Pre-Run: 10,031,779,840 bytes free
Post-Run: 12,294,594,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

331 --- E O F --- 2008-05-19 02:25:51

________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35, on 2008-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 10057 bytes
rayoliveira
Active Member
 
Posts: 8
Joined: June 2nd, 2008, 4:27 pm

Re: nagging infection, please help

Unread postby Bio-Hazard » June 11th, 2008, 12:50 pm

Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "cscdll.dll" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.



Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\WINDOWS\EntSver.exe
C:\WINDOWS\System32\QQÒ½Éú.exe
C:\WINDOWS\system32\ncn.exe
C:\WINDOWS\system32\DRIvers\owspth.SYS
c:\windows\system32\xcywzq.dll
C:\WINDOWS\system32\5tIS6Cbv.exe
C:\WINDOWS\system32\NnONUeIq.exe
C:\WINDOWS\system32\YbF1ZsMs.exe
C:\WINDOWS\system32\u1zbje7m.exe
C:\WINDOWS\system32\qdPkcMRi.exe
C:\WINDOWS\system32\W4KoNFAa.exe
C:\WINDOWS\system32\n1I6EJOf.exe
C:\WINDOWS\system32\cdjMPjjC.exe
C:\WINDOWS\system32\WW55Hr5w.exe
C:\WINDOWS\system32\oDZNoFeh.exe
C:\WINDOWS\system32\JkjvFiE4.exe
C:\WINDOWS\system32\T1nKSEAC.exe
C:\WINDOWS\system32\14xxYQZr.exe
C:\WINDOWS\system32\XK03blZm.exe
C:\WINDOWS\system32\7a7Sucub.exe
C:\WINDOWS\system32\PQzfDamm.exe
C:\WINDOWS\system32\EiwnxdnQ.exe
C:\WINDOWS\system32\QJCXYj5m.exe
C:\WINDOWS\system32\WRKxa08a.exe
C:\WINDOWS\system32\RKh43XVk.exe
C:\WINDOWS\system32\WCJxz3h3.exe
C:\WINDOWS\system32\WBrGHOhH.exe
C:\WINDOWS\system32\iaXUKNRX.exe
C:\WINDOWS\system32\pZ4d4jSq.exe
C:\WINDOWS\system32\aQfx3Mj7.exe
C:\WINDOWS\system32\TcoyiBGD.exe
C:\WINDOWS\system32\pHrFClW8.exe
C:\WINDOWS\system32\KFQSGHfI.exe
C:\WINDOWS\system32\ZkaXf8fg.exe
C:\WINDOWS\system32\IcvfqC4J.exe
C:\WINDOWS\system32\b3OYiPob.exe
C:\WINDOWS\system32\gure4DZp.exe
C:\WINDOWS\system32\ndiV6MBf.exe
C:\WINDOWS\system32\OdjAYIMa.exe
C:\WINDOWS\system32\rntaYYKT.exe
C:\WINDOWS\system32\TfPF7qbl.exe
C:\WINDOWS\system32\1FEWu4ub.exe
C:\WINDOWS\system32\gRcMYrDy.exe
C:\WINDOWS\system32\qihqXB4x.exe
C:\WINDOWS\system32\tVehfhYr.exe
C:\WINDOWS\system32\bMYLazBj.exe
C:\WINDOWS\system32\ALv5htMB.exe
C:\WINDOWS\system32\EKwLNJBs.exe
C:\WINDOWS\system32\asXiaDns.exe
C:\WINDOWS\system32\6aZXD3EC.exe
C:\WINDOWS\system32\jnG0H7oP.exe
C:\WINDOWS\system32\ECdoKuqK.exe
C:\WINDOWS\system32\41o5pITe.exe
C:\WINDOWS\system32\rdGQfADR.exe
C:\WINDOWS\system32\Wh3XmbTg.exe
C:\WINDOWS\system32\nvf66s6U.exe
C:\WINDOWS\system32\zgXmjQjg.exe
C:\WINDOWS\system32\N2vkykhJ.exe
C:\WINDOWS\system32\3SbkShTw.exe
C:\WINDOWS\system32\Gnldn5V8.exe
C:\WINDOWS\system32\QRl0HpUy.exe
C:\WINDOWS\system32\nL2Qlsvx.exe
C:\WINDOWS\system32\tv4EBAYf.exe
C:\WINDOWS\system32\VhuTw0ot.exe
C:\WINDOWS\system32\EAZwEF1w.exe
C:\WINDOWS\system32\iCRf2fcZ.exe
C:\WINDOWS\system32\WqavSCtp.exe
C:\WINDOWS\system32\Gxi0msZV.exe
C:\WINDOWS\system32\3Tuzeob6.exe
C:\WINDOWS\system32\85BjdBWy.exe
C:\WINDOWS\system32\CUw7YWFD.exe
C:\WINDOWS\system32\WNiqPJCD.exe
C:\WINDOWS\system32\x0rNQcJR.exe
C:\WINDOWS\system32\LAt5BX42.exe
C:\WINDOWS\system32\luzeZykN.exe
C:\WINDOWS\system32\wjMLXEVz.exe
C:\WINDOWS\system32\lq2irTmC.exe
C:\WINDOWS\system32\ZUsaCpMY.exe
C:\WINDOWS\system32\5HG55RIq.exe
C:\WINDOWS\system32\lsQcBylH.exe
C:\WINDOWS\system32\cCI15p3K.exe
C:\WINDOWS\system32\X7tXhHiC.exe
C:\WINDOWS\system32\FHeTGhUX.exe
C:\WINDOWS\system32\gylGOqql.exe
C:\WINDOWS\system32\0FWc0Qfr.exe
C:\WINDOWS\system32\Rp8zOZ3r.exe
C:\WINDOWS\system32\WBNPUbUn.exe
C:\WINDOWS\system32\Q22N3tjq.exe
C:\WINDOWS\system32\6jzLnfDK.exe
C:\WINDOWS\system32\nltuCek5.exe
C:\WINDOWS\system32\XH08rUv2.exe
C:\WINDOWS\system32\BrWl7UZd.exe
C:\WINDOWS\system32\74ldQVO4.exe
C:\WINDOWS\system32\cZKGCXo4.exe
C:\WINDOWS\system32\KQUnHDrW.exe
C:\WINDOWS\system32\qlimqnjz.exe
C:\WINDOWS\system32\rG2Xj1aS.exe
C:\WINDOWS\system32\OqPnfIPf.exe
C:\WINDOWS\system32\GvrHgfaN.exe
C:\WINDOWS\system32\aulWYdE1.exe
C:\WINDOWS\system32\7sVZ21IP.exe
C:\WINDOWS\system32\AueI3gqj.exe
C:\WINDOWS\system32\1WCXJYDM.exe
C:\WINDOWS\system32\0QzQnbGA.exe
Folder::
C:\WINDOWS\dosec
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RedGirl"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"oyqhhg"=-
"beocai"=-
"wmosvr"=-
"hebapb"=-
"rheqed"=-
"rnjetj"=-
"xcywzqERVEsss"=-
"scardsvrs.exe"=-
"jqnjci"=-
"xukybz"=-
"exfqpfvrs.exe"=-
"buyreoaky"=-
"otquon"=-
"umawxz"=-
"cwnlee"=-
"hyaawovrs.exe"=-
"ManeagersSecurity"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet005\SERVICES\Microsoftpvsy]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Logs/Information to Post in Reply

Please post the following logs/Information in your reply
  • ComboFix log
  • look.txt
  • A fresh HijackThis log (after all the above has been done)
  • How are things running now?
Bio-Hazard
MRU Master Emeritus

Re: nagging infection, please help

Post by rayoliveira » June 13th, 2008, 12:24 am

Hi,

Look.txt was a completely empty file. Everything seems to be running fine, but I still seem to have that svchost process I have to kill to feel like nothing is lurking in the background of my computer.


ComboFix 08-06-08.8 - a 2008-06-13 0:13:31.2 - NTFSx86
Running from: C:\Documents and Settings\a\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\a\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\EntSver.exe
C:\WINDOWS\system32\0FWc0Qfr.exe
C:\WINDOWS\system32\0QzQnbGA.exe
C:\WINDOWS\system32\14xxYQZr.exe
C:\WINDOWS\system32\1FEWu4ub.exe
C:\WINDOWS\system32\1WCXJYDM.exe
C:\WINDOWS\system32\3SbkShTw.exe
C:\WINDOWS\system32\3Tuzeob6.exe
C:\WINDOWS\system32\41o5pITe.exe
C:\WINDOWS\system32\5HG55RIq.exe
C:\WINDOWS\system32\5tIS6Cbv.exe
C:\WINDOWS\system32\6aZXD3EC.exe
C:\WINDOWS\system32\6jzLnfDK.exe
C:\WINDOWS\system32\74ldQVO4.exe
C:\WINDOWS\system32\7a7Sucub.exe
C:\WINDOWS\system32\7sVZ21IP.exe
C:\WINDOWS\system32\85BjdBWy.exe
C:\WINDOWS\system32\ALv5htMB.exe
C:\WINDOWS\system32\aQfx3Mj7.exe
C:\WINDOWS\system32\asXiaDns.exe
C:\WINDOWS\system32\AueI3gqj.exe
C:\WINDOWS\system32\aulWYdE1.exe
C:\WINDOWS\system32\b3OYiPob.exe
C:\WINDOWS\system32\bMYLazBj.exe
C:\WINDOWS\system32\BrWl7UZd.exe
C:\WINDOWS\system32\cCI15p3K.exe
C:\WINDOWS\system32\cdjMPjjC.exe
C:\WINDOWS\system32\CUw7YWFD.exe
C:\WINDOWS\system32\cZKGCXo4.exe
C:\WINDOWS\system32\DRIvers\owspth.SYS
C:\WINDOWS\system32\EAZwEF1w.exe
C:\WINDOWS\system32\ECdoKuqK.exe
C:\WINDOWS\system32\EiwnxdnQ.exe
C:\WINDOWS\system32\EKwLNJBs.exe
C:\WINDOWS\system32\FHeTGhUX.exe
C:\WINDOWS\system32\Gnldn5V8.exe
C:\WINDOWS\system32\gRcMYrDy.exe
C:\WINDOWS\system32\gure4DZp.exe
C:\WINDOWS\system32\GvrHgfaN.exe
C:\WINDOWS\system32\Gxi0msZV.exe
C:\WINDOWS\system32\gylGOqql.exe
C:\WINDOWS\system32\iaXUKNRX.exe
C:\WINDOWS\system32\iCRf2fcZ.exe
C:\WINDOWS\system32\IcvfqC4J.exe
C:\WINDOWS\system32\JkjvFiE4.exe
C:\WINDOWS\system32\jnG0H7oP.exe
C:\WINDOWS\system32\KFQSGHfI.exe
C:\WINDOWS\system32\KQUnHDrW.exe
C:\WINDOWS\system32\LAt5BX42.exe
C:\WINDOWS\system32\lq2irTmC.exe
C:\WINDOWS\system32\lsQcBylH.exe
C:\WINDOWS\system32\luzeZykN.exe
C:\WINDOWS\system32\n1I6EJOf.exe
C:\WINDOWS\system32\N2vkykhJ.exe
C:\WINDOWS\system32\ncn.exe
C:\WINDOWS\system32\ndiV6MBf.exe
C:\WINDOWS\system32\nL2Qlsvx.exe
C:\WINDOWS\system32\nltuCek5.exe
C:\WINDOWS\system32\NnONUeIq.exe
C:\WINDOWS\system32\nvf66s6U.exe
C:\WINDOWS\system32\OdjAYIMa.exe
C:\WINDOWS\system32\oDZNoFeh.exe
C:\WINDOWS\system32\OqPnfIPf.exe
C:\WINDOWS\system32\pHrFClW8.exe
C:\WINDOWS\system32\PQzfDamm.exe
C:\WINDOWS\system32\pZ4d4jSq.exe
C:\WINDOWS\system32\Q22N3tjq.exe
C:\WINDOWS\system32\qdPkcMRi.exe
C:\WINDOWS\system32\qihqXB4x.exe
C:\WINDOWS\system32\QJCXYj5m.exe
C:\WINDOWS\system32\qlimqnjz.exe
C:\WINDOWS\System32\QQÒ½Éú.exe
C:\WINDOWS\system32\QRl0HpUy.exe
C:\WINDOWS\system32\rdGQfADR.exe
C:\WINDOWS\system32\rG2Xj1aS.exe
C:\WINDOWS\system32\RKh43XVk.exe
C:\WINDOWS\system32\rntaYYKT.exe
C:\WINDOWS\system32\Rp8zOZ3r.exe
C:\WINDOWS\system32\T1nKSEAC.exe
C:\WINDOWS\system32\TcoyiBGD.exe
C:\WINDOWS\system32\TfPF7qbl.exe
C:\WINDOWS\system32\tv4EBAYf.exe
C:\WINDOWS\system32\tVehfhYr.exe
C:\WINDOWS\system32\u1zbje7m.exe
C:\WINDOWS\system32\VhuTw0ot.exe
C:\WINDOWS\system32\W4KoNFAa.exe
C:\WINDOWS\system32\WBNPUbUn.exe
C:\WINDOWS\system32\WBrGHOhH.exe
C:\WINDOWS\system32\WCJxz3h3.exe
C:\WINDOWS\system32\Wh3XmbTg.exe
C:\WINDOWS\system32\wjMLXEVz.exe
C:\WINDOWS\system32\WNiqPJCD.exe
C:\WINDOWS\system32\WqavSCtp.exe
C:\WINDOWS\system32\WRKxa08a.exe
C:\WINDOWS\system32\WW55Hr5w.exe
C:\WINDOWS\system32\x0rNQcJR.exe
C:\WINDOWS\system32\X7tXhHiC.exe
c:\windows\system32\xcywzq.dll
C:\WINDOWS\system32\XH08rUv2.exe
C:\WINDOWS\system32\XK03blZm.exe
C:\WINDOWS\system32\YbF1ZsMs.exe
C:\WINDOWS\system32\zgXmjQjg.exe
C:\WINDOWS\system32\ZkaXf8fg.exe
C:\WINDOWS\system32\ZUsaCpMY.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\dosec\
C:\WINDOWS\EntSver.exe
C:\WINDOWS\system32\0FWc0Qfr.exe
C:\WINDOWS\system32\0QzQnbGA.exe
C:\WINDOWS\system32\14xxYQZr.exe
C:\WINDOWS\system32\1FEWu4ub.exe
C:\WINDOWS\system32\1WCXJYDM.exe
C:\WINDOWS\system32\3SbkShTw.exe
C:\WINDOWS\system32\3Tuzeob6.exe
C:\WINDOWS\system32\41o5pITe.exe
C:\WINDOWS\system32\5HG55RIq.exe
C:\WINDOWS\system32\5tIS6Cbv.exe
C:\WINDOWS\system32\6aZXD3EC.exe
C:\WINDOWS\system32\6jzLnfDK.exe
C:\WINDOWS\system32\74ldQVO4.exe
C:\WINDOWS\system32\7a7Sucub.exe
C:\WINDOWS\system32\7sVZ21IP.exe
C:\WINDOWS\system32\85BjdBWy.exe
C:\WINDOWS\system32\ALv5htMB.exe
C:\WINDOWS\system32\aQfx3Mj7.exe
C:\WINDOWS\system32\asXiaDns.exe
C:\WINDOWS\system32\AueI3gqj.exe
C:\WINDOWS\system32\aulWYdE1.exe
C:\WINDOWS\system32\b3OYiPob.exe
C:\WINDOWS\system32\bMYLazBj.exe
C:\WINDOWS\system32\BrWl7UZd.exe
C:\WINDOWS\system32\cCI15p3K.exe
C:\WINDOWS\system32\cdjMPjjC.exe
C:\WINDOWS\system32\CUw7YWFD.exe
C:\WINDOWS\system32\cZKGCXo4.exe
C:\WINDOWS\system32\EAZwEF1w.exe
C:\WINDOWS\system32\ECdoKuqK.exe
C:\WINDOWS\system32\EiwnxdnQ.exe
C:\WINDOWS\system32\EKwLNJBs.exe
C:\WINDOWS\system32\FHeTGhUX.exe
C:\WINDOWS\system32\Gnldn5V8.exe
C:\WINDOWS\system32\gRcMYrDy.exe
C:\WINDOWS\system32\gure4DZp.exe
C:\WINDOWS\system32\GvrHgfaN.exe
C:\WINDOWS\system32\Gxi0msZV.exe
C:\WINDOWS\system32\gylGOqql.exe
C:\WINDOWS\system32\iaXUKNRX.exe
C:\WINDOWS\system32\iCRf2fcZ.exe
C:\WINDOWS\system32\IcvfqC4J.exe
C:\WINDOWS\system32\JkjvFiE4.exe
C:\WINDOWS\system32\jnG0H7oP.exe
C:\WINDOWS\system32\KFQSGHfI.exe
C:\WINDOWS\system32\KQUnHDrW.exe
C:\WINDOWS\system32\LAt5BX42.exe
C:\WINDOWS\system32\lq2irTmC.exe
C:\WINDOWS\system32\lsQcBylH.exe
C:\WINDOWS\system32\luzeZykN.exe
C:\WINDOWS\system32\n1I6EJOf.exe
C:\WINDOWS\system32\N2vkykhJ.exe
C:\WINDOWS\system32\ncn.exe
C:\WINDOWS\system32\ndiV6MBf.exe
C:\WINDOWS\system32\nL2Qlsvx.exe
C:\WINDOWS\system32\nltuCek5.exe
C:\WINDOWS\system32\NnONUeIq.exe
C:\WINDOWS\system32\nvf66s6U.exe
C:\WINDOWS\system32\OdjAYIMa.exe
C:\WINDOWS\system32\oDZNoFeh.exe
C:\WINDOWS\system32\OqPnfIPf.exe
C:\WINDOWS\system32\pHrFClW8.exe
C:\WINDOWS\system32\PQzfDamm.exe
C:\WINDOWS\system32\pZ4d4jSq.exe
C:\WINDOWS\system32\Q22N3tjq.exe
C:\WINDOWS\system32\qdPkcMRi.exe
C:\WINDOWS\system32\qihqXB4x.exe
C:\WINDOWS\system32\QJCXYj5m.exe
C:\WINDOWS\system32\qlimqnjz.exe
C:\WINDOWS\system32\QRl0HpUy.exe
C:\WINDOWS\system32\rdGQfADR.exe
C:\WINDOWS\system32\rG2Xj1aS.exe
C:\WINDOWS\system32\RKh43XVk.exe
C:\WINDOWS\system32\rntaYYKT.exe
C:\WINDOWS\system32\Rp8zOZ3r.exe
C:\WINDOWS\system32\T1nKSEAC.exe
C:\WINDOWS\system32\TcoyiBGD.exe
C:\WINDOWS\system32\TfPF7qbl.exe
C:\WINDOWS\system32\tv4EBAYf.exe
C:\WINDOWS\system32\tVehfhYr.exe
C:\WINDOWS\system32\u1zbje7m.exe
C:\WINDOWS\system32\VhuTw0ot.exe
C:\WINDOWS\system32\W4KoNFAa.exe
C:\WINDOWS\system32\WBNPUbUn.exe
C:\WINDOWS\system32\WBrGHOhH.exe
C:\WINDOWS\system32\WCJxz3h3.exe
C:\WINDOWS\system32\Wh3XmbTg.exe
C:\WINDOWS\system32\wjMLXEVz.exe
C:\WINDOWS\system32\WNiqPJCD.exe
C:\WINDOWS\system32\WqavSCtp.exe
C:\WINDOWS\system32\WRKxa08a.exe
C:\WINDOWS\system32\WW55Hr5w.exe
C:\WINDOWS\system32\x0rNQcJR.exe
C:\WINDOWS\system32\X7tXhHiC.exe
c:\windows\system32\xcywzq.dll
C:\WINDOWS\system32\XH08rUv2.exe
C:\WINDOWS\system32\XK03blZm.exe
C:\WINDOWS\system32\YbF1ZsMs.exe
C:\WINDOWS\system32\zgXmjQjg.exe
C:\WINDOWS\system32\ZkaXf8fg.exe
C:\WINDOWS\system32\ZUsaCpMY.exe

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-10 20:37 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 15:00 . 2008-06-09 23:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-09 08:05 . 2008-06-09 08:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-09 08:00 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-09 07:57 . 2008-06-09 07:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-09 07:52 . 2008-06-09 07:52 <DIR> d-------- C:\_OTMoveIt
2008-06-08 17:38 . 2008-06-08 17:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 17:38 . 2008-06-08 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 13:06 . 2008-06-08 13:07 <DIR> d-------- C:\Documents and Settings\a\Application Data\Media Player Classic
2008-06-07 12:35 . 2008-06-07 12:35 <DIR> d-------- C:\Documents and Settings\a\Application Data\Malwarebytes
2008-06-07 12:34 . 2008-06-07 12:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 12:34 . 2008-06-07 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 12:34 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 12:34 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 11:52 . 2008-06-07 11:53 <DIR> d-------- C:\Program Files\ERUNT
2008-06-03 20:20 . 2008-06-03 20:20 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-03 20:20 . 2004-07-21 00:27 102,400 --a------ C:\WINDOWS\scrub2k.exe
2008-06-03 20:20 . 2004-07-21 00:27 423 --a------ C:\WINDOWS\hpw1200k.ini
2008-06-03 20:18 . 2008-06-03 20:22 383,111 --a------ C:\WINDOWS\hpbj1200.his
2008-06-03 20:18 . 2008-06-03 20:23 23,403 --a------ C:\WINDOWS\mariner.his
2008-06-03 20:18 . 2008-06-03 20:22 18,647 --a------ C:\WINDOWS\hpbj1200.ini
2008-06-03 20:18 . 2008-06-03 20:23 5,683 --a------ C:\WINDOWS\mariner.ini
2008-06-01 12:16 . 2008-06-01 12:15 225,384 -r-hs---- C:\WINDOWS\dosec
2008-05-31 12:29 . 2008-05-31 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-31 12:29 . 2008-05-31 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 12:28 . 2008-05-31 12:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 20:46 . 2008-05-29 20:46 245,003 --a------ C:\WINDOWS\system32\i56cnBWF.exe
2008-05-29 20:45 . 2008-05-29 20:45 247,923 --a------ C:\WINDOWS\system32\akpxx48X.exe
2008-05-29 20:44 . 2008-05-29 20:44 249,383 --a------ C:\WINDOWS\system32\utaos1dY.exe
2008-05-29 20:42 . 2008-05-29 20:42 249,383 --a------ C:\WINDOWS\system32\horpI7AJ.exe
2008-05-29 20:41 . 2008-05-29 20:41 249,383 --a------ C:\WINDOWS\system32\KIVyaL0E.exe
2008-05-29 20:40 . 2008-05-29 20:40 242,083 --a------ C:\WINDOWS\system32\kpv4RoZ6.exe
2008-05-29 20:39 . 2008-05-29 20:39 247,923 --a------ C:\WINDOWS\system32\vvI3hzfI.exe
2008-05-29 20:38 . 2008-05-29 20:38 249,383 --a------ C:\WINDOWS\system32\ghMnjQ3G.exe
2008-05-29 20:37 . 2008-05-29 20:37 249,383 --a------ C:\WINDOWS\system32\nO5w86lu.exe
2008-05-29 20:36 . 2008-05-29 20:36 249,383 --a------ C:\WINDOWS\system32\QR33pkOi.exe
2008-05-29 20:35 . 2008-05-29 20:35 249,383 --a------ C:\WINDOWS\system32\oAfYGD8z.exe
2008-05-29 20:34 . 2008-05-29 20:34 247,923 --a------ C:\WINDOWS\system32\NsAt5ihH.exe
2008-05-29 20:33 . 2008-05-29 20:33 247,923 --a------ C:\WINDOWS\system32\3nQkAfti.exe
2008-05-29 20:32 . 2008-05-29 20:32 243,543 --a------ C:\WINDOWS\system32\uGjHjqFY.exe
2008-05-29 20:31 . 2008-05-29 20:31 249,383 --a------ C:\WINDOWS\system32\Bd8Q2KCd.exe
2008-05-29 20:30 . 2008-05-29 20:30 249,383 --a------ C:\WINDOWS\system32\XnkHErI3.exe
2008-05-29 20:29 . 2008-05-29 20:29 245,003 --a------ C:\WINDOWS\system32\gAoXUv5k.exe
2008-05-29 20:28 . 2008-05-29 20:28 249,383 --a------ C:\WINDOWS\system32\IEh0cFuI.exe
2008-05-29 20:27 . 2008-05-29 20:27 249,383 --a------ C:\WINDOWS\system32\DiVCopNa.exe
2008-05-29 20:26 . 2008-05-29 20:26 243,543 --a------ C:\WINDOWS\system32\0Lbponlm.exe
2008-05-29 20:25 . 2008-05-29 20:25 249,383 --a------ C:\WINDOWS\system32\ry1hKSHB.exe
2008-05-29 20:24 . 2008-05-29 20:24 247,923 --a------ C:\WINDOWS\system32\gcdIrDv8.exe
2008-05-29 20:23 . 2008-05-29 20:23 246,463 --a------ C:\WINDOWS\system32\abxegsQE.exe
2008-05-29 20:22 . 2008-05-29 20:22 249,383 --a------ C:\WINDOWS\system32\ik6FKcjB.exe
2008-05-29 20:21 . 2008-05-29 20:21 249,383 --a------ C:\WINDOWS\system32\MhHvCQY7.exe
2008-05-29 20:20 . 2008-05-29 20:20 249,383 --a------ C:\WINDOWS\system32\JABvaBWr.exe
2008-05-29 20:19 . 2008-05-29 20:19 249,383 --a------ C:\WINDOWS\system32\cRFr4DK0.exe
2008-05-29 20:18 . 2008-05-29 20:18 245,003 --a------ C:\WINDOWS\system32\gfex6ZWT.exe
2008-05-29 20:17 . 2008-05-29 20:17 249,383 --a------ C:\WINDOWS\system32\VcDCtgDo.exe
2008-05-29 20:16 . 2008-05-29 20:16 247,923 --a------ C:\WINDOWS\system32\TwtVngbf.exe
2008-05-29 20:15 . 2008-05-29 20:15 249,383 --a------ C:\WINDOWS\system32\DCSBkFEM.exe
2008-05-29 20:14 . 2008-05-29 20:14 242,083 --a------ C:\WINDOWS\system32\yAYCI28R.exe
2008-05-29 20:13 . 2008-05-29 20:13 247,923 --a------ C:\WINDOWS\system32\EuwfeimO.exe
2008-05-29 20:12 . 2008-05-29 20:12 249,383 --a------ C:\WINDOWS\system32\WSMLISnK.exe
2008-05-29 20:11 . 2008-05-29 20:11 247,923 --a------ C:\WINDOWS\system32\lmC8m1Vh.exe
2008-05-29 20:10 . 2008-05-29 20:10 249,383 --a------ C:\WINDOWS\system32\kc2srXLK.exe
2008-05-29 20:09 . 2008-05-29 20:09 247,923 --a------ C:\WINDOWS\system32\zh3pudz5.exe
2008-05-29 20:07 . 2008-05-29 20:07 249,383 --a------ C:\WINDOWS\system32\MyXfbFiX.exe
2008-05-29 20:06 . 2008-05-29 20:06 249,383 --a------ C:\WINDOWS\system32\GtOndiXu.exe
2008-05-29 20:05 . 2008-05-29 20:05 249,383 --a------ C:\WINDOWS\system32\twZRYCk8.exe
2008-05-29 20:04 . 2008-05-29 20:04 249,383 --a------ C:\WINDOWS\system32\DXRzbFZm.exe
2008-05-29 20:03 . 2008-05-29 20:03 249,383 --a------ C:\WINDOWS\system32\ZTwpvDdK.exe
2008-05-29 20:02 . 2008-05-29 20:02 243,543 --a------ C:\WINDOWS\system32\oCkPFPrV.exe
2008-05-29 20:00 . 2008-05-29 20:00 249,383 --a------ C:\WINDOWS\system32\y1tKANug.exe
2008-05-29 19:59 . 2008-05-29 19:59 249,383 --a------ C:\WINDOWS\system32\coO2qvEY.exe
2008-05-29 19:58 . 2008-05-29 19:58 247,923 --a------ C:\WINDOWS\system32\o6F08WAt.exe
2008-05-29 19:57 . 2008-05-29 19:57 249,383 --a------ C:\WINDOWS\system32\GDBFpUaD.exe
2008-05-29 19:56 . 2008-05-29 19:56 249,383 --a------ C:\WINDOWS\system32\u4muZxtd.exe
2008-05-29 19:55 . 2008-05-29 19:55 247,923 --a------ C:\WINDOWS\system32\FSHxkygl.exe
2008-05-29 19:54 . 2008-05-29 19:54 246,463 --a------ C:\WINDOWS\system32\idxddAyR.exe
2008-05-29 19:53 . 2008-05-29 19:53 249,383 --a------ C:\WINDOWS\system32\kdYGlwWl.exe
2008-05-29 19:52 . 2008-05-29 19:52 249,383 --a------ C:\WINDOWS\system32\m7QxlQhx.exe
2008-05-29 19:51 . 2008-05-29 19:51 249,383 --a------ C:\WINDOWS\system32\nlTUMdOS.exe
2008-05-29 19:50 . 2008-05-29 19:50 246,463 --a------ C:\WINDOWS\system32\58v3pXYy.exe
2008-05-29 19:49 . 2008-05-29 19:49 247,923 --a------ C:\WINDOWS\system32\RLxKeUii.exe
2008-05-29 19:47 . 2008-05-29 19:47 249,383 --a------ C:\WINDOWS\system32\DwHpjmtB.exe
2008-05-29 19:46 . 2008-05-29 19:46 249,383 --a------ C:\WINDOWS\system32\ZP8rg1pq.exe
2008-05-29 19:45 . 2008-05-29 19:45 247,923 --a------ C:\WINDOWS\system32\IlgWx55L.exe
2008-05-29 19:44 . 2008-05-29 19:44 249,383 --a------ C:\WINDOWS\system32\kvwsVFke.exe
2008-05-29 19:43 . 2008-05-29 19:43 247,923 --a------ C:\WINDOWS\system32\xBRQGw1V.exe
2008-05-29 19:42 . 2008-05-29 19:42 247,923 --a------ C:\WINDOWS\system32\qbYNx7Tw.exe
2008-05-29 19:41 . 2008-05-29 19:41 236,243 --a------ C:\WINDOWS\system32\pFTASKox.exe
2008-05-29 19:40 . 2008-05-29 19:40 249,383 --a------ C:\WINDOWS\system32\lVCu57pH.exe
2008-05-29 19:39 . 2008-05-29 19:39 246,463 --a------ C:\WINDOWS\system32\AQDzcIlz.exe
2008-05-29 19:38 . 2008-05-29 19:38 247,923 --a------ C:\WINDOWS\system32\iI1hIUne.exe
2008-05-29 19:37 . 2008-05-29 19:37 249,383 --a------ C:\WINDOWS\system32\ByUrITDw.exe
2008-05-29 19:36 . 2008-05-29 19:36 240,623 --a------ C:\WINDOWS\system32\XkxhasIl.exe
2008-05-29 19:35 . 2008-05-29 19:35 242,083 --a------ C:\WINDOWS\system32\RcGWseIG.exe
2008-05-29 19:34 . 2008-05-29 19:34 249,383 --a------ C:\WINDOWS\system32\1ORg3tus.exe
2008-05-29 19:32 . 2008-05-29 19:32 249,383 --a------ C:\WINDOWS\system32\E0JG4do2.exe
2008-05-29 19:31 . 2008-05-29 19:31 247,923 --a------ C:\WINDOWS\system32\2ZgFPUzr.exe
2008-05-29 19:30 . 2008-05-29 19:30 249,383 --a------ C:\WINDOWS\system32\jGawaHX2.exe
2008-05-29 19:29 . 2008-05-29 19:29 249,383 --a------ C:\WINDOWS\system32\gWLB5bNI.exe
2008-05-29 19:27 . 2008-05-29 19:27 249,383 --a------ C:\WINDOWS\system32\mx4hrrVT.exe
2008-05-29 19:25 . 2008-05-29 19:25 247,923 --a------ C:\WINDOWS\system32\xDoJwIqQ.exe
2008-05-29 19:24 . 2008-05-29 19:24 249,383 --a------ C:\WINDOWS\system32\LDoQYFBD.exe
2008-05-29 19:23 . 2008-05-29 19:23 249,383 --a------ C:\WINDOWS\system32\2NUdJXag.exe
2008-05-29 19:22 . 2008-05-29 19:22 246,463 --a------ C:\WINDOWS\system32\VY0ixMuS.exe
2008-05-29 19:21 . 2008-05-29 19:21 249,383 --a------ C:\WINDOWS\system32\JvrYuGPN.exe
2008-05-29 19:20 . 2008-05-29 19:20 249,383 --a------ C:\WINDOWS\system32\Trtss0pU.exe
2008-05-29 19:19 . 2008-05-29 19:19 249,383 --a------ C:\WINDOWS\system32\oHN74rHB.exe
2008-05-29 19:18 . 2008-05-29 19:18 249,383 --a------ C:\WINDOWS\system32\pbfIVcg7.exe
2008-05-29 19:17 . 2008-05-29 19:17 246,463 --a------ C:\WINDOWS\system32\jKupkwNY.exe
2008-05-29 19:16 . 2008-05-29 19:16 249,383 --a------ C:\WINDOWS\system32\u0NirbEO.exe
2008-05-29 19:15 . 2008-05-29 19:15 247,923 --a------ C:\WINDOWS\system32\d1fTptlc.exe
2008-05-29 19:14 . 2008-05-29 19:14 247,923 --a------ C:\WINDOWS\system32\6fmK5x3a.exe
2008-05-29 19:13 . 2008-05-29 19:13 249,383 --a------ C:\WINDOWS\system32\oxuLXRKO.exe
2008-05-29 19:12 . 2008-05-29 19:12 249,383 --a------ C:\WINDOWS\system32\C16lkoVN.exe
2008-05-29 19:11 . 2008-05-29 19:11 249,383 --a------ C:\WINDOWS\system32\ctmFcGUg.exe
2008-05-29 19:10 . 2008-05-29 19:10 249,383 --a------ C:\WINDOWS\system32\e1vG80Jo.exe
2008-05-29 19:09 . 2008-05-29 19:09 247,923 --a------ C:\WINDOWS\system32\iJDYiT2K.exe
2008-05-29 19:08 . 2008-05-29 19:08 249,383 --a------ C:\WINDOWS\system32\wcscbcXS.exe
2008-05-29 19:07 . 2008-05-29 19:07 245,003 --a------ C:\WINDOWS\system32\T0YHjG04.exe
2008-05-29 19:06 . 2008-05-29 19:06 249,383 --a------ C:\WINDOWS\system32\sMcKrYOM.exe
2008-05-29 19:05 . 2008-05-29 19:05 249,383 --a------ C:\WINDOWS\system32\CgcB1PSo.exe
2008-05-29 19:04 . 2008-05-29 19:04 245,003 --a------ C:\WINDOWS\system32\svScJ6vB.exe
2008-05-29 19:03 . 2008-05-29 19:03 247,923 --a------ C:\WINDOWS\system32\UPHhqpDV.exe
2008-05-29 19:02 . 2008-05-29 19:02 243,543 --a------ C:\WINDOWS\system32\JjKWKVzE.exe
2008-05-29 19:01 . 2008-05-29 19:01 247,923 --a------ C:\WINDOWS\system32\YJQCYFlK.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 21:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-09 12:00 --------- d-----w C:\Program Files\Java
2008-06-08 22:19 48,640 --sh--r C:\WINDOWS\system32\wmoptimizer.dll
2008-05-28 15:54 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-05-20 13:43 --------- d-----w C:\Program Files\iTunes
2008-05-20 13:36 --------- d-----w C:\Program Files\Last.fm
2008-05-11 11:30 431,495 --sh--r C:\WINDOWS\English.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-05-06 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-06 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-06 05:29 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-06 05:28 --------- d-----w C:\Program Files\Roxio
2008-05-06 05:24 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-06 05:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-06 05:15 --------- d-----w C:\Program Files\Research In Motion
2008-05-06 05:15 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-05-03 14:45 221,184 ----a-w C:\WINDOWS\system32\tapi.exe
2008-05-03 00:08 --------- d-----w C:\Program Files\Autobahn
2008-05-02 18:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-30 02:12 --------- d-----w C:\Documents and Settings\a\Application Data\BitTorrent
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-02-17 16:17 3,452 ----a-w C:\Program Files\BlockedSenders.txt
2006-02-17 16:17 254 ----a-w C:\Program Files\SafeSenders.txt
.

------- Sigcheck -------

2004-08-04 04:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 04:56 14336 28b84d2e2bdb2e3410b3491ad41f71a4 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-09_15.17.24.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-21 06:44:29 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\mshtml.dll
+ 2008-04-21 06:44:29 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\wininet.dll
+ 2008-04-21 06:24:01 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\mshtml.dll
+ 2008-04-21 06:24:02 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\updspapi.dll
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
- 2008-06-09 18:58:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 00:52:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2008-02-16 09:32:03 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 06:56:54 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-02-16 09:32:03 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 06:56:54 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-02-16 09:32:03 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-04-21 06:56:55 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-02-16 09:32:03 1,024,000 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 06:56:54 1,024,000 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-02-16 09:32:03 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 06:56:54 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-02-16 09:32:03 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-04-21 06:56:55 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-02-16 09:32:04 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 06:56:55 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-02-16 09:32:04 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 06:56:55 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-02-16 09:32:04 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 06:56:55 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-02-15 09:07:53 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-04-17 10:46:59 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-02-16 09:32:04 251,904 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-04-21 06:56:56 251,904 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-02-16 09:32:04 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 06:56:56 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-02-16 09:32:04 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 06:56:56 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-02-16 09:32:06 3,066,880 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 06:56:57 3,066,880 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-02-16 09:32:06 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 06:56:57 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-02-16 09:32:06 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-21 06:56:57 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-02-16 09:32:07 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 06:56:58 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-02-16 09:32:07 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 06:56:58 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-02-16 09:32:08 1,499,136 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 06:56:58 1,499,136 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-02-16 09:32:08 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 06:56:58 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-02-16 09:32:08 618,496 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 06:56:58 618,496 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-02-16 09:32:09 666,112 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 06:56:59 666,624 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 06:56:55 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 06:56:55 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-02-16 09:32:04 55,808 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 06:56:55 55,808 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-04-21 06:56:56 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 06:56:56 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 06:56:56 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 06:56:57 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 06:56:57 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-21 06:56:57 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-02-16 09:32:07 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 06:56:58 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-02-16 09:32:07 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 06:56:58 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 06:56:58 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 06:56:58 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-10-16 21:10:58 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 17:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 17:57 512000]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2005-12-20 02:57 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2005-12-20 02:56 98304]
"TpShocks"="TpShocks.exe" [2005-11-07 15:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-05 05:36 106496]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-05 05:36 395264]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 13:33 48800]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-12-21 21:45 85744]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:56 158208]
"HPWNTOOLBOX"="C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe" [2004-07-21 11:35 327680]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 19:52:34 799496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxLiveShare9"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"= :apisvc
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 19:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 13:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\Drivers\IBMBLDID.sys [2005-11-08 13:27]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 16:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-02-05 05:36]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2004-08-04 04:05]
S2 3800hk;°®¹úÕß°²È«Íø;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 ASP State Services;ASP State Services;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_states\aspnet [2006-01-01 00:00]
S2 beocai;beocai;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 buyreoaky;DCOM++++ Servers Lancher;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 cwnlee;cwnlee;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 jqnjci;jqnjci;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 ManeagersSecurity;Manegers Administrativ Service;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 MSOLAP;SQL Server Analysis Services;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 oyqhhg;oyqhhg;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 QQÒ½Éú;QQQQÒ½Éú;C:\WINDOWS\System32\QQÒ½Éú.exe []
S2 rheqed;rheqed;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 umawxz;umawxz;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 WMOptimizer;Windows Media Optimizer;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 xcywzqERVEsss;xcywzqERVEsss;C:\WINDOWS\system32\SVCHOST.EXE [2004-08-04 04:56]
S2 xukybz;xukybz;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 yqnjcixf;yqnjcixf;C:\WINDOWS\system32\DRIvers\owspth.SYS []
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;C:\WINDOWS\system32\DRIVERS\el574nd4.sys [2001-08-17 16:10]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2004-06-27 03:50]
S4 English;English;C:\WINDOWS\English.exe [2008-05-11 07:30]
S4 NC;NC;C:\WINDOWS\system32\nc.exe []
S4 NSQ;NSQ;C:\WINDOWS\System32\NSQ.exe []
S4 RedGirl;RedGirl;C:\WINDOWS\System32\RedGirl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
MSDTCSERVEsss REG_MULTI_SZ MSDTCSERVEsss
MSOLAP REG_MULTI_SZ MSOLAP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
3800hk

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-02-17 17:52:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 00:19:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\SERVICES\Microsoftpvsy]
"ImagePath"="C:\WINDOWS\dosec"

[HKEY_LOCAL_MACHINE\system\ControlSet005\SERVICES\ASP State Services]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_states\aspnet"

[HKEY_LOCAL_MACHINE\system\ControlSet005\SERVICES\Microsoftpvsy]
"ImagePath"="C:\WINDOWS\dosec"
.
Completion time: 2008-06-13 0:25:04
ComboFix-quarantined-files.txt 2008-06-13 04:24:47
ComboFix2.txt 2008-06-09 19:19:02

Pre-Run: 11,101,519,872 bytes free
Post-Run: 11,076,218,880 bytes free

618 --- E O F --- 2008-06-11 12:02:55


_________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:27, on 2008-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0118995668
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: QQQQÒ½Éú (QQÒ½Éú) - Unknown owner - C:\WINDOWS\System32\QQÒ½Éú.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 9804 bytes
rayoliveira
Active Member
 
Posts: 8
Joined: June 2nd, 2008, 4:27 pm

Re: nagging infection, please help

Unread postby Bio-Hazard » June 14th, 2008, 4:39 pm

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\WINDOWS\English.exe
C:\WINDOWS\System32\NSQ.exe
C:\WINDOWS\System32\QQÒ½Éú.exe
C:\WINDOWS\system32\DRIvers\owspth.SYS
C:\WINDOWS\system32\nc.exe
C:\WINDOWS\System32\RedGirl.exe
C:\WINDOWS\system32\i56cnBWF.exe
C:\WINDOWS\system32\akpxx48X.exe
C:\WINDOWS\system32\utaos1dY.exe
C:\WINDOWS\system32\horpI7AJ.exe
C:\WINDOWS\system32\KIVyaL0E.exe
C:\WINDOWS\system32\kpv4RoZ6.exe
C:\WINDOWS\system32\vvI3hzfI.exe
C:\WINDOWS\system32\ghMnjQ3G.exe
C:\WINDOWS\system32\nO5w86lu.exe
C:\WINDOWS\system32\QR33pkOi.exe
C:\WINDOWS\system32\oAfYGD8z.exe
C:\WINDOWS\system32\NsAt5ihH.exe
C:\WINDOWS\system32\3nQkAfti.exe
C:\WINDOWS\system32\uGjHjqFY.exe
C:\WINDOWS\system32\Bd8Q2KCd.exe
C:\WINDOWS\system32\XnkHErI3.exe
C:\WINDOWS\system32\gAoXUv5k.exe
C:\WINDOWS\system32\IEh0cFuI.exe
C:\WINDOWS\system32\DiVCopNa.exe
C:\WINDOWS\system32\0Lbponlm.exe
C:\WINDOWS\system32\ry1hKSHB.exe
C:\WINDOWS\system32\gcdIrDv8.exe
C:\WINDOWS\system32\abxegsQE.exe
C:\WINDOWS\system32\ik6FKcjB.exe
C:\WINDOWS\system32\MhHvCQY7.exe
C:\WINDOWS\system32\JABvaBWr.exe
C:\WINDOWS\system32\cRFr4DK0.exe
C:\WINDOWS\system32\gfex6ZWT.exe
C:\WINDOWS\system32\VcDCtgDo.exe
C:\WINDOWS\system32\TwtVngbf.exe
C:\WINDOWS\system32\DCSBkFEM.exe
C:\WINDOWS\system32\yAYCI28R.exe
C:\WINDOWS\system32\EuwfeimO.exe
C:\WINDOWS\system32\WSMLISnK.exe
C:\WINDOWS\system32\lmC8m1Vh.exe
C:\WINDOWS\system32\kc2srXLK.exe
C:\WINDOWS\system32\zh3pudz5.exe
C:\WINDOWS\system32\MyXfbFiX.exe
C:\WINDOWS\system32\GtOndiXu.exe
C:\WINDOWS\system32\twZRYCk8.exe
C:\WINDOWS\system32\DXRzbFZm.exe
C:\WINDOWS\system32\ZTwpvDdK.exe
C:\WINDOWS\system32\oCkPFPrV.exe
C:\WINDOWS\system32\y1tKANug.exe
C:\WINDOWS\system32\coO2qvEY.exe
C:\WINDOWS\system32\o6F08WAt.exe
C:\WINDOWS\system32\GDBFpUaD.exe
C:\WINDOWS\system32\u4muZxtd.exe
C:\WINDOWS\system32\FSHxkygl.exe
C:\WINDOWS\system32\idxddAyR.exe
C:\WINDOWS\system32\kdYGlwWl.exe
C:\WINDOWS\system32\m7QxlQhx.exe
C:\WINDOWS\system32\nlTUMdOS.exe
C:\WINDOWS\system32\58v3pXYy.exe
C:\WINDOWS\system32\RLxKeUii.exe
C:\WINDOWS\system32\DwHpjmtB.exe
C:\WINDOWS\system32\ZP8rg1pq.exe
C:\WINDOWS\system32\IlgWx55L.exe
C:\WINDOWS\system32\kvwsVFke.exe
C:\WINDOWS\system32\xBRQGw1V.exe
C:\WINDOWS\system32\qbYNx7Tw.exe
C:\WINDOWS\system32\pFTASKox.exe
C:\WINDOWS\system32\lVCu57pH.exe
C:\WINDOWS\system32\AQDzcIlz.exe
C:\WINDOWS\system32\iI1hIUne.exe
C:\WINDOWS\system32\ByUrITDw.exe
C:\WINDOWS\system32\XkxhasIl.exe
C:\WINDOWS\system32\RcGWseIG.exe
C:\WINDOWS\system32\1ORg3tus.exe
C:\WINDOWS\system32\E0JG4do2.exe
C:\WINDOWS\system32\2ZgFPUzr.exe
C:\WINDOWS\system32\jGawaHX2.exe
C:\WINDOWS\system32\gWLB5bNI.exe
C:\WINDOWS\system32\mx4hrrVT.exe
C:\WINDOWS\system32\xDoJwIqQ.exe
C:\WINDOWS\system32\LDoQYFBD.exe
C:\WINDOWS\system32\2NUdJXag.exe
C:\WINDOWS\system32\VY0ixMuS.exe
C:\WINDOWS\system32\JvrYuGPN.exe
C:\WINDOWS\system32\Trtss0pU.exe
C:\WINDOWS\system32\oHN74rHB.exe
C:\WINDOWS\system32\pbfIVcg7.exe
C:\WINDOWS\system32\jKupkwNY.exe
C:\WINDOWS\system32\u0NirbEO.exe
C:\WINDOWS\system32\d1fTptlc.exe
C:\WINDOWS\system32\6fmK5x3a.exe
C:\WINDOWS\system32\oxuLXRKO.exe
C:\WINDOWS\system32\C16lkoVN.exe
C:\WINDOWS\system32\ctmFcGUg.exe
C:\WINDOWS\system32\e1vG80Jo.exe
C:\WINDOWS\system32\iJDYiT2K.exe
C:\WINDOWS\system32\wcscbcXS.exe
C:\WINDOWS\system32\T0YHjG04.exe
C:\WINDOWS\system32\sMcKrYOM.exe
C:\WINDOWS\system32\CgcB1PSo.exe
C:\WINDOWS\system32\svScJ6vB.exe
C:\WINDOWS\system32\UPHhqpDV.exe
C:\WINDOWS\system32\JjKWKVzE.exe
C:\WINDOWS\system32\YJQCYFlK.exe
Folder::
C:\WINDOWS\dosec
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet005\SERVICES\Microsoftpvsy]



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Kaspersky Online Scan

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


Logs/Information to Post in Reply

Please post the following logs/Information in your reply
  • ComboFix Log
  • Kaspersky Log
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
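The CFScript above was built by hand from the ComboFix service listing earlier in the thread. As an added example (not ComboFix's or the helper's own tooling), the Python below applies the same reasoning to those service lines: it flags services hosted by svchost.exe that sit in no svchost group (or in a one-member group named after themselves), entries with no file timestamp, and mojibake names, then drafts a File::/Registry:: script in the layout used above. The heuristics, the sample lines (copied from the log), and the CurrentControlSet key prefix are assumptions made here.

```python
# Added triage helper for ComboFix "services" lines. Not ComboFix's or the
# helper's own tooling; the heuristics and key prefix below are assumptions.
import re

# A ComboFix service line: start type, name;display;path, then "[timestamp]"
# of the binary. An empty "[]" means ComboFix found no file at that path.
#   S2 beocai;beocai;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)

# Constructed sample: lines copied from the log above (one clean service,
# one driver, and the kinds of entries the CFScript targets).
SAMPLE_SERVICES = r"""
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2004-08-04 04:05]
S2 3800hk;°®¹úÕß°²È«Íø;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 beocai;beocai;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S2 MSOLAP;SQL Server Analysis Services;C:\WINDOWS\system32\svchost.exe [2004-08-04 04:56]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;C:\WINDOWS\system32\DRIVERS\el574nd4.sys [2001-08-17 16:10]
S4 NC;NC;C:\WINDOWS\system32\nc.exe []
"""
# svchost group -> members, from the Svchost key and NetSvcs list in the log.
# ComboFix hides default members, so netsvcs shows only the injected name.
SAMPLE_SVCHOST_GROUPS = {
    "MSDTCSERVEsss": ["MSDTCSERVEsss"],
    "MSOLAP": ["MSOLAP"],
    "netsvcs": ["3800hk"],
}


def parse_services(text):
    """Return one dict per service line; lines that do not match are skipped."""
    parsed = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def flag_services(services, svchost_groups):
    """Map suspicious service name -> reasons, using three heuristics."""
    flagged = {}
    for svc in services:
        reasons = []
        if svc["path"].lower().endswith("\\svchost.exe"):
            groups = [g for g, members in svchost_groups.items() if svc["name"] in members]
            if not groups:
                reasons.append("hosted by svchost.exe but in no svchost group")
            elif svc["name"] in groups and svchost_groups[svc["name"]] == [svc["name"]]:
                reasons.append("sole member of an svchost group named after itself")
        if not svc["stamp"]:
            reasons.append("no file timestamp (file missing or hidden)")
        if not (svc["name"] + svc["display"]).isascii():
            reasons.append("non-ASCII service or display name (mojibake)")
        if reasons:
            flagged[svc["name"]] = reasons
    return flagged


def build_cfscript(services, flagged, control_set="CurrentControlSet"):
    """Draft a CFScript in the File::/Registry:: layout used in the thread.

    Services hosted by svchost.exe are never listed under File:: (that would
    target the legitimate host binary); only their service keys go under Registry::.
    """
    files = [s["path"] for s in services
             if s["name"] in flagged and not s["path"].lower().endswith("\\svchost.exe")]
    keys = [f"[-HKEY_LOCAL_MACHINE\\system\\{control_set}\\Services\\{name}]" for name in flagged]
    return "\n".join(["File::", *files, "Registry::", *keys]) + "\n"
```

The draft is a starting point for a helper to review, not something to run unread: a legitimate service can trip the mojibake rule on a non-English system, and a group entry injected into netsvcs (like 3800hk above) still needs its group listing cleaned separately.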