Antivirusxp08[INACTIVE]



My dad downloaded something on the internet that caused this program to download. This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:42:28 AM, on 8/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\tcfkzkfg.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sMrhc9vbj0e531] C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsgWebApp] C:\WINDOWS\system32\tcfkzkfg.exe

O4 - HKLM\..\Policies\Explorer\Run: [Xnm8l6kH0l] C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

O4 - Global Startup: MRI_DISABLED

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O21 - SSODL: DbHlp - {3DF48099-CE48-2FC3-6A96-0A0FDB31A337} - C:\Program Files\vykhpud\DbHlp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 6148 bytes

Please help me remove this annoying program.


Hello and Welcome to the forums. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


ComboFix 08-08-15.04 - Owner 2008-08-16 17:43:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2505 [GMT -7:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Owner\Application Data\rhc9vbj0e531

C:\Program Files\rhc9vbj0e531

C:\WINDOWS\a.bat

C:\WINDOWS\bdn.com

C:\WINDOWS\iTunesMusic.exe

C:\WINDOWS\mslagent

C:\WINDOWS\mssecu.exe

C:\WINDOWS\system32\5.tmp

C:\WINDOWS\system32\akttzn.exe

C:\WINDOWS\system32\anticipator.dll

C:\WINDOWS\system32\awtoolb.dll

C:\WINDOWS\system32\bdn.com

C:\WINDOWS\system32\dpcproxy.exe

C:\WINDOWS\system32\h@tkeysh@@k.dll

C:\WINDOWS\system32\hoproxy.dll

C:\WINDOWS\system32\hxiwlgpm.dat

C:\WINDOWS\system32\hxiwlgpm.exe

C:\WINDOWS\system32\msgp.exe

C:\WINDOWS\system32\mssecu.exe

C:\WINDOWS\system32\mtr2.exe

C:\WINDOWS\system32\mwin32.exe

C:\WINDOWS\system32\netode.exe

C:\WINDOWS\system32\newsd32.exe

C:\WINDOWS\system32\pphccvbj0e531.exe

C:\WINDOWS\system32\ps1.exe

C:\WINDOWS\system32\psoft1.exe

C:\WINDOWS\system32\regm64.dll

C:\WINDOWS\system32\Rundl1.exe

C:\WINDOWS\system32\smp

C:\WINDOWS\system32\smp\msrc.exe

C:\WINDOWS\system32\ssvchost.exe

C:\WINDOWS\system32\sysreq.exe

C:\WINDOWS\system32\taack.dat

C:\WINDOWS\system32\taack.exe

C:\WINDOWS\system32\temp#01.exe

C:\WINDOWS\system32\VBIEWER.OCX

C:\WINDOWS\system32\winlogonpc.exe

C:\WINDOWS\system32\winsystem.exe

C:\WINDOWS\system32\WINWGPX.EXE

.

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2008-08-14 07:42 . 2008-08-14 07:42 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-14 07:11 . 2008-08-14 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools

2008-08-14 07:11 . 2008-08-14 07:10 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 07:10 . 2008-08-14 07:11 <DIR> d-------- C:\Program Files\Common Files\PC Tools

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

2008-08-14 07:03 . 2008-08-16 17:47 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-08-14 07:03 . 2008-08-14 07:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-08-14 07:03 . 2008-08-16 17:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-08-14 07:03 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-08-14 07:03 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-08-14 07:03 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-08-14 07:03 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-08-14 06:55 . 2008-08-14 06:55 <DIR> d-------- C:\Program Files\vykhpud

2008-08-14 06:55 . 2008-08-14 06:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zeruhqpu

2008-08-14 06:55 . 2008-08-14 06:55 86,016 --a------ C:\WINDOWS\system32\tcfkzkfg.exe

2008-08-13 17:44 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-11 06:46 . 2008-08-11 06:46 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

2008-08-11 06:40 . 2008-08-11 06:40 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

2008-08-10 22:26 . 2008-08-10 22:26 <DIR> d-------- C:\WINDOWS\Sun

2008-08-10 22:26 . 2008-08-16 17:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire

2008-08-10 22:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-10 22:23 . 2008-08-10 22:24 <DIR> d-------- C:\Program Files\LimeWire

2008-08-10 18:28 . 2008-08-10 18:28 2 --a------ C:\WINDOWS\msoffice.ini

2008-08-10 18:23 . 2008-08-11 06:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-08-10 14:34 . 2008-08-10 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-08-09 16:57 . 2008-06-23 09:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-08-09 16:57 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-08-09 16:57 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-08-09 16:57 . 2008-06-23 09:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-08-09 16:57 . 2008-06-23 09:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-08-09 16:57 . 2008-06-23 09:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-08-09 16:57 . 2008-06-23 09:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-08-09 16:57 . 2008-06-23 09:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-08-09 16:57 . 2008-06-23 02:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-09 16:54 . 2008-08-09 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad

2008-08-09 16:52 . 2008-08-09 16:52 <DIR> d-------- C:\Program Files\MSXML 6.0

2008-08-09 16:48 . 2008-08-09 16:48 <DIR> d-------- C:\Program Files\MSBuild

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\Program Files\Reference Assemblies

2008-08-09 16:44 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2008-08-09 16:40 . 2007-12-04 11:38 550,912 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll

2008-08-09 16:40 . 2007-04-23 03:32 364,160 -----c--- C:\WINDOWS\system32\dllcache\update.sys

2008-08-09 16:40 . 2007-12-18 02:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys

2008-08-09 16:38 . 2007-04-16 08:52 984,576 -----c--- C:\WINDOWS\system32\dllcache\kernel32.dll

2008-08-09 16:38 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-08-09 16:38 . 2007-02-09 04:10 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys

2008-08-09 16:38 . 2007-03-17 06:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll

2008-08-09 16:38 . 2007-02-05 13:17 185,344 -----c--- C:\WINDOWS\system32\dllcache\upnphost.dll

2008-08-09 16:38 . 2007-04-25 07:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll

2008-08-09 16:36 . 2006-12-06 23:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll

2008-08-09 16:35 . 2006-06-21 22:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll

2008-08-09 16:34 . 2006-11-27 07:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll

2008-08-09 16:34 . 2006-05-05 02:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys

2008-08-09 16:34 . 2006-11-27 07:54 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll

2008-08-09 16:34 . 2006-06-22 03:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll

2008-08-09 16:34 . 2006-05-05 02:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys

2008-08-09 16:34 . 2006-06-01 11:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll

2008-08-09 16:34 . 2008-06-20 10:41 148,992 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-08-09 16:34 . 2006-05-19 05:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll

2008-08-09 16:34 . 2006-05-19 05:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll

2008-08-09 16:34 . 2006-06-01 11:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll

2008-08-09 16:33 . 2006-03-16 17:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe

2008-08-09 16:31 . 2008-08-13 19:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2008-08-09 16:31 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-08-09 15:04 . 2008-08-09 15:04 <DIR> d-------- C:\WINDOWS\system32\Lang

2008-08-09 14:58 . 2008-08-09 14:58 <DIR> d-------- C:\WINDOWS\system32\RTCOM

2008-08-09 14:58 . 2004-12-01 11:54 163,840 --a------ C:\WINDOWS\system32\igfxres.dll

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SampleView

2008-08-09 14:57 . 2008-08-14 08:42 <DIR> d-------- C:\Documents and Settings\Owner

2008-08-09 14:54 . 2008-08-09 14:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-08-09 14:52 . 2005-01-09 20:32 181,938 --a------ C:\WINDOWS\Gateway.bmp

2008-08-09 14:52 . 2008-08-09 14:52 333 --a------ C:\WINDOWS\system32\$ncsp$.inf

2008-08-09 14:52 . 2008-08-09 14:52 0 --a------ C:\WINDOWS\system32\Gateway_832GM__.MRK

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\Realtek

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\MSN Encarta Plus

2008-08-09 14:50 . 2004-05-17 18:30 543,232 --a------ C:\WINDOWS\zHotkey.exe

2008-08-09 14:50 . 2003-05-26 19:19 532,544 --a------ C:\WINDOWS\PIC.dll

2008-08-09 14:50 . 2004-07-15 14:06 471,298 --a------ C:\WINDOWS\wallpg.exe

2008-08-09 14:50 . 2005-01-11 13:09 51,656 --a------ C:\WINDOWS\system32\OEMLOGO.bmp

2008-08-09 14:50 . 2003-09-19 09:09 36,864 --a------ C:\WINDOWS\ShowWnd.exe

2008-08-09 14:50 . 2001-07-02 20:36 24,576 --a------ C:\WINDOWS\HKNTDLL.dll

2008-08-09 14:50 . 2004-09-03 16:07 20,480 --a------ C:\WINDOWS\system32\Marker32.exe

2008-08-09 14:50 . 2000-08-07 11:57 5,280 --a------ C:\WINDOWS\hotbtnv.vxd

2008-08-09 14:50 . 2004-03-02 09:40 3,926 --a------ C:\WINDOWS\mHotkey.reg

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Program Files\Google

2008-08-09 14:48 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Viewpoint

2008-08-09 14:47 . 2008-08-10 18:57 <DIR> d-------- C:\Program Files\Pure Networks

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Learn2.com

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\BigFix

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\CyberLink

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Program Files\Common Files\AOL

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\My Music

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Microsoft Picture It! 10

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Intel

2008-08-09 14:44 . 2008-08-09 14:51 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Microsoft Works

2008-08-09 14:43 . 2008-08-10 22:26 <DIR> d-------- C:\Program Files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-09 21:46 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

"MsgWebApp"="C:\WINDOWS\system32\tcfkzkfg.exe" [2008-08-14 06:55 86016]

"apiadm"="C:\WINDOWS\system32\efutkbyl.exe" [2008-08-16 17:49 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 11:04 59392]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 15:04 135168]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 18:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 12:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 11:55 126976]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"SMrhc9vbj0e531"="C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe" [2008-08-16 09:42 790528]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]

"lphccvbj0e531"="C:\WINDOWS\system32\lphccvbj0e531.exe" [2008-08-16 17:49 195072]

"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 17:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 15:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"Xnm8l6kH0l"="C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe" [2008-08-14 06:55 57344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2008-08-09 14:47:50 1742384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispBackgroundPage"= 1 (0x1)

"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"DbHlp"= {3DF48099-CE48-2FC3-6A96-0A0FDB31A337} - C:\Program Files\vykhpud\DbHlp.dll [2008-08-14 06:55 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-13 13:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

--a------ 2004-10-21 18:44 2744832 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]

--a------ 2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-14 07:10]

.

Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 2.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 3.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent []

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

MSConfigStartUp-URLLSTCK - C:\Program Files\Norton Internet Security\UrlLstCk.exe

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://latino.aol.com/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-16 17:48:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\ehome\ehRecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\pphccvbj0e531.exe

C:\WINDOWS\system32\verclsid.exe

.

**************************************************************************

.

Completion time: 2008-08-16 17:52:21 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-17 00:52:17

Pre-Run: 232,678,744,064 bytes free

Post-Run: 233,116,819,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

299 --- E O F --- 2008-08-14 02:51:18

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:54:30 PM, on 8/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\tcfkzkfg.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\unibsdup.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\pphccvbj0e531.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.aol.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sMrhc9vbj0e531] C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [lphccvbj0e531] C:\WINDOWS\system32\lphccvbj0e531.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsgWebApp] C:\WINDOWS\system32\tcfkzkfg.exe

O4 - HKCU\..\Run: [apiadm] C:\WINDOWS\system32\efutkbyl.exe

O4 - HKLM\..\Policies\Explorer\Run: [Xnm8l6kH0l] C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

O4 - Global Startup: MRI_DISABLED

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O21 - SSODL: DbHlp - {3DF48099-CE48-2FC3-6A96-0A0FDB31A337} - C:\Program Files\vykhpud\DbHlp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 6225 bytes


Hello again,

Step 1

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\tcfkzkfg.exe
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\efutkbyl.exe
C:\WINDOWS\system32\lphccvbj0e531.exe

Folder::
C:\Program Files\vykhpud
C:\Documents and Settings\All Users\Application Data\zeruhqpu
C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
C:\Program Files\rhc9vbj0e531

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgWebApp"=-
"apiadm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMrhc9vbj0e531"=-
"lphccvbj0e531"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Xnm8l6kH0l"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

Step 2

Open HijackThis, click Config, click Misc Tools

Click "Open Uninstall Manager"

Click "Save List" (generates uninstall_list.txt)

Click Save, copy and paste the results in your next post.


ComboFix 08-08-15.04 - Owner 2008-08-17 13:48:14.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2590 [GMT -7:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

C:\WINDOWS\system32\efutkbyl.exe

C:\WINDOWS\system32\lphccvbj0e531.exe

C:\WINDOWS\system32\tcfkzkfg.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data\zeruhqpu

C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\Owner\Application Data\rhc9vbj0e531

C:\Program Files\rhc9vbj0e531

C:\Program Files\rhc9vbj0e531\database.dat

C:\Program Files\rhc9vbj0e531\license.txt

C:\Program Files\rhc9vbj0e531\MFC71.dll

C:\Program Files\rhc9vbj0e531\MFC71ENU.DLL

C:\Program Files\rhc9vbj0e531\msvcp71.dll

C:\Program Files\rhc9vbj0e531\msvcr71.dll

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe.local

C:\Program Files\rhc9vbj0e531\Uninstall.exe

C:\Program Files\vykhpud

C:\Program Files\vykhpud\DbHlp.dll

C:\WINDOWS\system32\blphccvbj0e531.scr

C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver

C:\WINDOWS\system32\efutkbyl.exe

C:\WINDOWS\system32\lphccvbj0e531.exe

C:\WINDOWS\system32\phccvbj0e531.bmp

C:\WINDOWS\system32\pphccvbj0e531.exe

C:\WINDOWS\system32\tcfkzkfg.exe

.

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2008-08-17 13:16 . 2008-08-17 13:16 195,584 --a------ C:\WINDOWS\system32\sxwjqzqp.exe

2008-08-17 13:16 . 2008-08-17 13:16 73,728 --a------ C:\WINDOWS\system32\gxoniban.exe

2008-08-14 07:42 . 2008-08-14 07:42 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-14 07:11 . 2008-08-14 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools

2008-08-14 07:11 . 2008-08-14 07:10 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 07:10 . 2008-08-14 07:11 <DIR> d-------- C:\Program Files\Common Files\PC Tools

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

2008-08-14 07:03 . 2008-08-17 13:16 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-08-14 07:03 . 2008-08-14 07:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-08-14 07:03 . 2008-08-17 13:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-08-14 07:03 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-08-14 07:03 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-08-14 07:03 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-08-14 07:03 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-08-13 17:44 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-11 06:46 . 2008-08-11 06:46 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

2008-08-11 06:40 . 2008-08-11 06:40 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

2008-08-10 22:26 . 2008-08-10 22:26 <DIR> d-------- C:\WINDOWS\Sun

2008-08-10 22:26 . 2008-08-16 17:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire

2008-08-10 22:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-10 22:23 . 2008-08-10 22:24 <DIR> d-------- C:\Program Files\LimeWire

2008-08-10 18:28 . 2008-08-10 18:28 2 --a------ C:\WINDOWS\msoffice.ini

2008-08-10 18:23 . 2008-08-11 06:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-08-10 14:34 . 2008-08-10 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-08-09 16:57 . 2008-06-23 09:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-08-09 16:57 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-08-09 16:57 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-08-09 16:57 . 2008-06-23 09:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-08-09 16:57 . 2008-06-23 09:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-08-09 16:57 . 2008-06-23 09:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-08-09 16:57 . 2008-06-23 09:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-08-09 16:57 . 2008-06-23 09:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-08-09 16:57 . 2008-06-23 02:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-09 16:54 . 2008-08-09 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad

2008-08-09 16:52 . 2008-08-09 16:52 <DIR> d-------- C:\Program Files\MSXML 6.0

2008-08-09 16:48 . 2008-08-09 16:48 <DIR> d-------- C:\Program Files\MSBuild

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\Program Files\Reference Assemblies

2008-08-09 16:44 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2008-08-09 16:40 . 2007-12-04 11:38 550,912 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll

2008-08-09 16:40 . 2007-04-23 03:32 364,160 -----c--- C:\WINDOWS\system32\dllcache\update.sys

2008-08-09 16:40 . 2007-12-18 02:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys

2008-08-09 16:38 . 2007-04-16 08:52 984,576 -----c--- C:\WINDOWS\system32\dllcache\kernel32.dll

2008-08-09 16:38 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-08-09 16:38 . 2007-02-09 04:10 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys

2008-08-09 16:38 . 2007-03-17 06:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll

2008-08-09 16:38 . 2007-02-05 13:17 185,344 -----c--- C:\WINDOWS\system32\dllcache\upnphost.dll

2008-08-09 16:38 . 2007-04-25 07:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll

2008-08-09 16:36 . 2006-12-06 23:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll

2008-08-09 16:35 . 2006-06-21 22:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll

2008-08-09 16:34 . 2006-11-27 07:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll

2008-08-09 16:34 . 2006-05-05 02:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys

2008-08-09 16:34 . 2006-11-27 07:54 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll

2008-08-09 16:34 . 2006-06-22 03:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll

2008-08-09 16:34 . 2006-05-05 02:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys

2008-08-09 16:34 . 2006-06-01 11:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll

2008-08-09 16:34 . 2008-06-20 10:41 148,992 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-08-09 16:34 . 2006-05-19 05:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll

2008-08-09 16:34 . 2006-05-19 05:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll

2008-08-09 16:34 . 2006-06-01 11:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll

2008-08-09 16:33 . 2006-03-16 17:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe

2008-08-09 16:31 . 2008-08-13 19:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2008-08-09 16:31 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-08-09 15:04 . 2008-08-09 15:04 <DIR> d-------- C:\WINDOWS\system32\Lang

2008-08-09 14:58 . 2008-08-09 14:58 <DIR> d-------- C:\WINDOWS\system32\RTCOM

2008-08-09 14:58 . 2004-12-01 11:54 163,840 --a------ C:\WINDOWS\system32\igfxres.dll

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SampleView

2008-08-09 14:57 . 2008-08-16 19:45 <DIR> d-------- C:\Documents and Settings\Owner

2008-08-09 14:54 . 2008-08-09 14:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-08-09 14:52 . 2005-01-09 20:32 181,938 --a------ C:\WINDOWS\Gateway.bmp

2008-08-09 14:52 . 2008-08-09 14:52 333 --a------ C:\WINDOWS\system32\$ncsp$.inf

2008-08-09 14:52 . 2008-08-09 14:52 0 --a------ C:\WINDOWS\system32\Gateway_832GM__.MRK

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\Realtek

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\MSN Encarta Plus

2008-08-09 14:50 . 2004-05-17 18:30 543,232 --a------ C:\WINDOWS\zHotkey.exe

2008-08-09 14:50 . 2003-05-26 19:19 532,544 --a------ C:\WINDOWS\PIC.dll

2008-08-09 14:50 . 2004-07-15 14:06 471,298 --a------ C:\WINDOWS\wallpg.exe

2008-08-09 14:50 . 2005-01-11 13:09 51,656 --a------ C:\WINDOWS\system32\OEMLOGO.bmp

2008-08-09 14:50 . 2003-09-19 09:09 36,864 --a------ C:\WINDOWS\ShowWnd.exe

2008-08-09 14:50 . 2001-07-02 20:36 24,576 --a------ C:\WINDOWS\HKNTDLL.dll

2008-08-09 14:50 . 2004-09-03 16:07 20,480 --a------ C:\WINDOWS\system32\Marker32.exe

2008-08-09 14:50 . 2000-08-07 11:57 5,280 --a------ C:\WINDOWS\hotbtnv.vxd

2008-08-09 14:50 . 2004-03-02 09:40 3,926 --a------ C:\WINDOWS\mHotkey.reg

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Program Files\Google

2008-08-09 14:48 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Viewpoint

2008-08-09 14:47 . 2008-08-10 18:57 <DIR> d-------- C:\Program Files\Pure Networks

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Learn2.com

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\BigFix

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\CyberLink

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Program Files\Common Files\AOL

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\My Music

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Microsoft Picture It! 10

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Intel

2008-08-09 14:44 . 2008-08-09 14:51 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Microsoft Works

2008-08-09 14:43 . 2008-08-10 22:26 <DIR> d-------- C:\Program Files\Java

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Digital Media Reader

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Common Files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-09 21:46 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys

2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( snapshot@2008-08-16_17.50.24.68 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-08-17 20:46:07 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat

+ 2008-08-17 20:46:07 32,768 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat

+ 2008-08-17 20:46:07 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

"SrvAplApi"="C:\WINDOWS\system32\gxoniban.exe" [2008-08-17 13:16 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 11:04 59392]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 15:04 135168]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 18:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 12:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 11:55 126976]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]

"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 17:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 15:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2008-08-09 14:47:50 1742384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-13 13:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

--a------ 2004-10-21 18:44 2744832 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]

--a------ 2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-14 07:10]

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 2.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 3.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent []

.

- - - - ORPHANS REMOVED - - - -

SSODL-DbHlp-{3DF48099-CE48-2FC3-6A96-0A0FDB31A337} - C:\Program Files\vykhpud\DbHlp.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-17 13:52:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-17 13:53:42

ComboFix-quarantined-files.txt 2008-08-17 20:53:39

ComboFix2.txt 2008-08-17 00:52:22

Pre-Run: 233,098,575,872 bytes free

Post-Run: 233,083,629,568 bytes free

265 --- E O F --- 2008-08-14 02:51:18

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:54:11 PM, on 8/17/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.aol.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [srvAplApi] C:\WINDOWS\system32\gxoniban.exe

O4 - Global Startup: MRI_DISABLED

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 5521 bytes

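The two posts above show the loop this kind of cleanup runs on: read the HijackThis log, write a CFScript for the entries that look planted, run it, then read the fresh log. The fresh log is where the loop earns its keep: the new O4 entry [srvAplApi] → C:\WINDOWS\system32\gxoniban.exe is not in the CFScript, because ComboFix's own file list shows gxoniban.exe and sxwjqzqp.exe created at 13:16 that day, after the script was written, so the next round has to pick it up. The block below is an added example, not code from this thread, from HijackThis or from ComboFix. It diffs the registry O4 entries of two logs, attaches a few heuristic reasons to whatever is new, and drafts File:: and Registry:: sections in the same layout the helper's CFScript uses. The two sample logs are constructed from entries visible in the posts above; the function names (parse_o4, diff_o4, exe_path, suspicion, draft_cfscript) are this example's own.

```python
"""Diff the registry O4 (autostart) entries of two HijackThis logs, flag what
is new, and draft the File::/Registry:: sections of a follow-up CFScript.

Added example; not code from the thread, HijackThis or ComboFix. The sample
logs are constructed from entries visible in the posts above.
"""
import re

# Registry O4 lines look like:  O4 - <hive>\..\<subkey>: [<value name>] <command>
# where "\..\" abbreviates "\Software\Microsoft\Windows\CurrentVersion\".
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Constructed sample: a subset of the first log (before the CFScript run) ...
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sMrhc9vbj0e531] C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe
O4 - HKLM\..\Run: [lphccvbj0e531] C:\WINDOWS\system32\lphccvbj0e531.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgWebApp] C:\WINDOWS\system32\tcfkzkfg.exe
O4 - HKCU\..\Run: [apiadm] C:\WINDOWS\system32\efutkbyl.exe
O4 - HKLM\..\Policies\Explorer\Run: [Xnm8l6kH0l] C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe
O4 - Global Startup: MRI_DISABLED
"""
# ... and of the second log, posted after ComboFix ran the script.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [srvAplApi] C:\WINDOWS\system32\gxoniban.exe
O4 - Global Startup: MRI_DISABLED
"""


def parse_o4(log_text):
    """Map (key, value name), lower-cased, to (key, name, command).

    Registry value names are case-insensitive, and HijackThis 2.0.2 prints the
    first letter in lower case (the log shows [sunKistEM] where ComboFix shows
    "SunKistEM"), so the comparison key must ignore case.
    """
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            key, name, cmd = m.group("key", "name", "cmd")
            entries[(key.lower(), name.lower())] = (key, name, cmd)
    return entries


def diff_o4(before_log, after_log):
    """Return (removed, added): entries present in only one of the two logs."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    removed = [v for k, v in before.items() if k not in after]
    added = [v for k, v in after.items() if k not in before]
    return removed, added


def exe_path(cmd):
    """Strip quoting and arguments from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|scr|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def suspicion(key, name, cmd):
    """Heuristic reasons to look harder at one entry.

    These also fire on legitimate abbreviations (msmsgs.exe, ctfmon.exe), so
    run them over the *new* entries from diff_o4, not over the whole log.
    """
    low = exe_path(cmd).lower()
    file_stem = re.sub(r"[^a-z]", "", low.rsplit("\\", 1)[-1].rsplit(".", 1)[0])
    name_stem = re.sub(r"[^a-z]", "", name.lower())
    reasons = []
    if "policies" in key.lower():
        reasons.append("loads from Policies\\Explorer\\Run, which installers rarely use")
    if low.startswith("c:\\windows\\system32\\") or "\\all users\\application data\\" in low:
        reasons.append("executable dropped into system32 or All Users\\Application Data")
    if file_stem and name_stem and file_stem not in name_stem and name_stem not in file_stem:
        reasons.append("value name unrelated to file name")
    if len(file_stem) >= 6 and sum(c in "aeiouy" for c in file_stem) / len(file_stem) <= 0.2:
        reasons.append("file name is a low-vowel letter string (random-looking)")
    return reasons


def draft_cfscript(entries):
    """Render File:: and Registry:: sections in the layout the CFScript above uses.

    "name"=- deletes a value. This is a draft for review, not a verdict.
    """
    files, by_key = [], {}
    for key, name, cmd in entries:
        path = exe_path(cmd)
        if "\\" in path:  # skip bare names such as zHotkey.exe that resolve via PATH
            files.append(path)
        hive, sep, rest = key.partition("\\..\\")
        full = HIVES.get(hive, hive)
        if sep:
            full += "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + rest
        by_key.setdefault(full, []).append(name)
    lines = ["File::", *files, "", "Registry::"]
    for full, names in by_key.items():
        lines.append(f"[{full}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    removed, added = diff_o4(LOG_BEFORE, LOG_AFTER)
    print("removed:", [n for _, n, _ in removed])
    for key, name, cmd in added:
        print(f"NEW  {key} [{name}] {cmd}")
        for r in suspicion(key, name, cmd):
            print("     -", r)
    print(draft_cfscript(added))
```

Run as a script it prints the five entries the first CFScript removed, the one entry that is new (srvAplApi → gxoniban.exe, flagged because it sits in system32 and its value name has nothing to do with the file name), and a File::/Registry:: draft for it. The heuristics deliberately stay on the delta: applied to the full log they would also mark igfxtray.exe and msmsgs.exe, which is why the diff, not the name test, carries the decision.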

ComboFix 08-08-15.04 - Owner 2008-08-17 13:48:14.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2590 [GMT -7:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

C:\WINDOWS\system32\efutkbyl.exe

C:\WINDOWS\system32\lphccvbj0e531.exe

C:\WINDOWS\system32\tcfkzkfg.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data\zeruhqpu

C:\Documents and Settings\All Users\Application Data\zeruhqpu\jmhudwnc.exe

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\Owner\Application Data\rhc9vbj0e531

C:\Program Files\rhc9vbj0e531

C:\Program Files\rhc9vbj0e531\database.dat

C:\Program Files\rhc9vbj0e531\license.txt

C:\Program Files\rhc9vbj0e531\MFC71.dll

C:\Program Files\rhc9vbj0e531\MFC71ENU.DLL

C:\Program Files\rhc9vbj0e531\msvcp71.dll

C:\Program Files\rhc9vbj0e531\msvcr71.dll

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe

C:\Program Files\rhc9vbj0e531\rhc9vbj0e531.exe.local

C:\Program Files\rhc9vbj0e531\Uninstall.exe

C:\Program Files\vykhpud

C:\Program Files\vykhpud\DbHlp.dll

C:\WINDOWS\system32\blphccvbj0e531.scr

C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver

C:\WINDOWS\system32\efutkbyl.exe

C:\WINDOWS\system32\lphccvbj0e531.exe

C:\WINDOWS\system32\phccvbj0e531.bmp

C:\WINDOWS\system32\pphccvbj0e531.exe

C:\WINDOWS\system32\tcfkzkfg.exe

.

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2008-08-17 13:16 . 2008-08-17 13:16 195,584 --a------ C:\WINDOWS\system32\sxwjqzqp.exe

2008-08-17 13:16 . 2008-08-17 13:16 73,728 --a------ C:\WINDOWS\system32\gxoniban.exe

2008-08-14 07:42 . 2008-08-14 07:42 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-14 07:11 . 2008-08-14 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools

2008-08-14 07:11 . 2008-08-14 07:10 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 07:10 . 2008-08-14 07:11 <DIR> d-------- C:\Program Files\Common Files\PC Tools

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-08-14 07:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

2008-08-14 07:03 . 2008-08-17 13:16 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-08-14 07:03 . 2008-08-14 07:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-08-14 07:03 . 2008-08-17 13:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-08-14 07:03 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-08-14 07:03 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-08-14 07:03 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-08-14 07:03 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-08-13 17:44 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-11 06:46 . 2008-08-11 06:46 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

2008-08-11 06:40 . 2008-08-11 06:40 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

2008-08-10 22:26 . 2008-08-10 22:26 <DIR> d-------- C:\WINDOWS\Sun

2008-08-10 22:26 . 2008-08-16 17:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire

2008-08-10 22:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-10 22:23 . 2008-08-10 22:24 <DIR> d-------- C:\Program Files\LimeWire

2008-08-10 18:28 . 2008-08-10 18:28 2 --a------ C:\WINDOWS\msoffice.ini

2008-08-10 18:23 . 2008-08-11 06:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-08-10 14:34 . 2008-08-10 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-08-10 14:34 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-08-10 14:33 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2008-08-10 14:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-08-10 14:33 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-08-09 17:08 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-08-09 16:57 . 2008-06-23 09:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-08-09 16:57 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-08-09 16:57 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-08-09 16:57 . 2008-06-23 09:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-08-09 16:57 . 2008-06-23 09:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-08-09 16:57 . 2008-06-23 09:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-08-09 16:57 . 2008-06-23 09:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-08-09 16:57 . 2008-06-23 09:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-08-09 16:57 . 2008-06-23 02:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-09 16:54 . 2008-08-09 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Geek Squad

2008-08-09 16:52 . 2008-08-09 16:52 <DIR> d-------- C:\Program Files\MSXML 6.0

2008-08-09 16:48 . 2008-08-09 16:48 <DIR> d-------- C:\Program Files\MSBuild

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2008-08-09 16:44 . 2008-08-09 16:44 <DIR> d-------- C:\Program Files\Reference Assemblies

2008-08-09 16:44 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2008-08-09 16:40 . 2007-12-04 11:38 550,912 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll

2008-08-09 16:40 . 2007-04-23 03:32 364,160 -----c--- C:\WINDOWS\system32\dllcache\update.sys

2008-08-09 16:40 . 2007-12-18 02:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys

2008-08-09 16:38 . 2007-04-16 08:52 984,576 -----c--- C:\WINDOWS\system32\dllcache\kernel32.dll

2008-08-09 16:38 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-08-09 16:38 . 2007-02-09 04:10 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys

2008-08-09 16:38 . 2007-03-17 06:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll

2008-08-09 16:38 . 2007-02-05 13:17 185,344 -----c--- C:\WINDOWS\system32\dllcache\upnphost.dll

2008-08-09 16:38 . 2007-04-25 07:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll

2008-08-09 16:36 . 2006-12-06 23:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll

2008-08-09 16:35 . 2006-06-21 22:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll

2008-08-09 16:34 . 2006-11-27 07:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll

2008-08-09 16:34 . 2006-05-05 02:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys

2008-08-09 16:34 . 2006-11-27 07:54 433,152 -----c--- C:\WINDOWS\system32\dllcache\riched20.dll

2008-08-09 16:34 . 2006-06-22 03:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll

2008-08-09 16:34 . 2006-05-05 02:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys

2008-08-09 16:34 . 2006-06-01 11:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll

2008-08-09 16:34 . 2008-06-20 10:41 148,992 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-08-09 16:34 . 2006-05-19 05:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll

2008-08-09 16:34 . 2006-05-19 05:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll

2008-08-09 16:34 . 2006-06-01 11:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll

2008-08-09 16:33 . 2006-03-16 17:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe

2008-08-09 16:31 . 2008-08-13 19:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2008-08-09 16:31 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-08-09 15:04 . 2008-08-09 15:04 <DIR> d-------- C:\WINDOWS\system32\Lang

2008-08-09 14:58 . 2008-08-09 14:58 <DIR> d-------- C:\WINDOWS\system32\RTCOM

2008-08-09 14:58 . 2004-12-01 11:54 163,840 --a------ C:\WINDOWS\system32\igfxres.dll

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView

2008-08-09 14:57 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS

2008-08-09 14:57 . 2008-08-09 14:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SampleView

2008-08-09 14:57 . 2008-08-16 19:45 <DIR> d-------- C:\Documents and Settings\Owner

2008-08-09 14:54 . 2008-08-09 14:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-08-09 14:52 . 2005-01-09 20:32 181,938 --a------ C:\WINDOWS\Gateway.bmp

2008-08-09 14:52 . 2008-08-09 14:52 333 --a------ C:\WINDOWS\system32\$ncsp$.inf

2008-08-09 14:52 . 2008-08-09 14:52 0 --a------ C:\WINDOWS\system32\Gateway_832GM__.MRK

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\Realtek

2008-08-09 14:51 . 2008-08-09 14:51 <DIR> d-------- C:\Program Files\MSN Encarta Plus

2008-08-09 14:50 . 2004-05-17 18:30 543,232 --a------ C:\WINDOWS\zHotkey.exe

2008-08-09 14:50 . 2003-05-26 19:19 532,544 --a------ C:\WINDOWS\PIC.dll

2008-08-09 14:50 . 2004-07-15 14:06 471,298 --a------ C:\WINDOWS\wallpg.exe

2008-08-09 14:50 . 2005-01-11 13:09 51,656 --a------ C:\WINDOWS\system32\OEMLOGO.bmp

2008-08-09 14:50 . 2003-09-19 09:09 36,864 --a------ C:\WINDOWS\ShowWnd.exe

2008-08-09 14:50 . 2001-07-02 20:36 24,576 --a------ C:\WINDOWS\HKNTDLL.dll

2008-08-09 14:50 . 2004-09-03 16:07 20,480 --a------ C:\WINDOWS\system32\Marker32.exe

2008-08-09 14:50 . 2000-08-07 11:57 5,280 --a------ C:\WINDOWS\hotbtnv.vxd

2008-08-09 14:50 . 2004-03-02 09:40 3,926 --a------ C:\WINDOWS\mHotkey.reg

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Program Files\Google

2008-08-09 14:48 . 2004-10-27 19:43 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com

2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Viewpoint

2008-08-09 14:47 . 2008-08-10 18:57 <DIR> d-------- C:\Program Files\Pure Networks

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Learn2.com

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\BigFix

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Program Files\Ahead

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-08-09 14:47 . 2008-08-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\CyberLink

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Real

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Program Files\Common Files\AOL

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\My Music

2008-08-09 14:46 . 2008-08-09 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

2008-08-09 14:46 . 2008-08-10 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Microsoft Picture It! 10

2008-08-09 14:45 . 2008-08-09 14:45 <DIR> d-------- C:\Program Files\Intel

2008-08-09 14:44 . 2008-08-09 14:51 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Microsoft Works

2008-08-09 14:43 . 2008-08-10 22:26 <DIR> d-------- C:\Program Files\Java

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Digital Media Reader

2008-08-09 14:43 . 2008-08-09 14:43 <DIR> d-------- C:\Program Files\Common Files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-09 21:46 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys

2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( snapshot@2008-08-16_17.50.24.68 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-08-17 20:46:07 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat

+ 2008-08-17 20:46:07 32,768 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat

+ 2008-08-17 20:46:07 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

"SrvAplApi"="C:\WINDOWS\system32\gxoniban.exe" [2008-08-17 13:16 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 11:04 59392]

"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 15:04 135168]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]

"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 18:23 369664]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 12:00 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 11:55 126976]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]

"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 17:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 15:20 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2008-08-09 14:47:50 1742384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-13 13:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

--a------ 2004-10-21 18:44 2744832 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]

--a------ 2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-14 07:10]

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 2.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-09 C:\WINDOWS\Tasks\ISP signup reminder 3.job

- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-10 12:00]

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

2008-08-17 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-628528A354-Owner).job

- C:\PROGRA~1\mcafee.com\agent []

.

- - - - ORPHANS REMOVED - - - -

SSODL-DbHlp-{3DF48099-CE48-2FC3-6A96-0A0FDB31A337} - C:\Program Files\vykhpud\DbHlp.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-17 13:52:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-17 13:53:42

ComboFix-quarantined-files.txt 2008-08-17 20:53:39

ComboFix2.txt 2008-08-17 00:52:22

Pre-Run: 233,098,575,872 bytes free

Post-Run: 233,083,629,568 bytes free

265 --- E O F --- 2008-08-14 02:51:18

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:54:11 PM, on 8/17/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.aol.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [srvAplApi] C:\WINDOWS\system32\gxoniban.exe

O4 - Global Startup: MRI_DISABLED

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 5521 bytes

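The ComboFix "Reg Loading Points" section above is what a helper reads by eye to spot the infection: a freshly dropped binary registered under HKCU\...\Run (`gxoniban.exe`, file dated minutes before the scan), Security Center monitoring switched off, and the standard-profile firewall disabled. As an added example (not part of this thread and not a feature of ComboFix, HijackThis or any tool mentioned here), the following Python script shows how that triage can be automated over those log lines. The sample input is copied from the log posted above; the seven-day "recently written autostart" window and the scan time taken from the "Rootkit scan" line are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the ComboFix "Reg Loading Points"
# section posted in this thread (Run keys, Security Center monitoring flags and
# the firewall policy). The script reads this text, not a live report.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"SrvAplApi"="C:\WINDOWS\system32\gxoniban.exe" [2008-08-17 13:16 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 11:04 59392]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Scan time taken from the "Rootkit scan 2008-08-17 13:52:01" line of the log.
SCAN_TIME = datetime(2008, 8, 17, 13, 52, 1)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD HH:MM size] with an optional resolved path inside the brackets
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: [^\]]+)?\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+?)\s*$')


def triage(report, scan_time=SCAN_TIME, recent_days=7):
    """Return (kind, detail) findings from ComboFix-style registry loading points.

    Flags: Run entries whose binary was written within recent_days of the scan,
    Security Center monitoring switched off, and the standard-profile firewall
    disabled. The 7-day window is an assumed triage threshold, not a standard.
    """
    findings = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith(r"\currentversion\run"):
            file_time = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")
            age = scan_time - file_time
            # Only files written shortly before the scan count; future-dated files are skipped
            if timedelta(0) <= age <= timedelta(days=recent_days):
                findings.append((
                    "recent-autostart",
                    f"{m.group('name')} -> {m.group('path')} (file dated {m.group('ts')})",
                ))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").lower(), m.group("value").lower()
        if "security center" in current_key and name == "disablemonitoring" and value.endswith("1"):
            findings.append(("security-center-monitoring-off", current_key))
        elif "firewallpolicy" in current_key and name == "enablefirewall" and value.startswith("0"):
            findings.append(("firewall-off", current_key))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(COMBOFIX_SAMPLE):
        print(f"{kind:32} {detail}")
```

Run against the sample, the script reports exactly the three things the helper acted on: the `SrvAplApi` autostart pointing at `gxoniban.exe`, two `DisableMonitoring` flags under the Security Center key, and `EnableFirewall` set to 0. Older autostarts such as `ISTray` (a month old) or `CHotkey` (2004) are left alone, which is the point of keying on file age rather than on name patterns.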

Adobe Flash Player ActiveX

Adobe Reader 6.0

AntivirXP08

BigFix

Digital Media Reader

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB952287)

Intel® Graphics Media Accelerator Driver

Java 2 Runtime Environment, SE v1.4.2

Java 6 Update 7

Learn2 Player (Uninstall Only)

LimeWire PRO 4.18.3

LiveUpdate (Symantec Corporation)

LiveUpdate (Symantec Corporation)

Microsoft .NET Framework 1.0 Hotfix (KB930494)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0

Microsoft .NET Framework 3.0

Microsoft .NET Framework 3.0

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Picture It! Premium 10

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MSXML 4.0 SP2 (KB936181)

MSXML 6.0 Parser (KB933579)

Multimedia Keyboard Driver

Nero BurnRights

Nero OEM

Norton Security Center

PowerDVD

RealPlayer Basic

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 2.0 (KB928365)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

SoftV92 Data Fax Modem with SmartCP

Sonic Encoders

Spyware Doctor 6.0

Update for Windows XP (KB904942)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB951072-v2)

Viewpoint Media Player

Windows Communication Foundation

Windows Imaging Component

Windows Internet Explorer 7

Windows Presentation Foundation

Windows Workflow Foundation


Hello again,

Step 1

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step 2

Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

Java 2 Runtime Environment, SE v1.4.2

Step 3

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

2) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.

3) PC Tools AntiVirus - Free edition of the PC Tools AntiVirus program for Windows.

Once you install one of the above programs, please update its virus definitions and run a full PC scan. Please post the log as well.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program with an autoprotect feature turned on uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should have an autoprotect feature on at a time.

Step 4

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
