Trojan Found Misleadapp!sd6 - Request Help

gpro

By gpro,
in Malware Removal

 Share Followers 0

Recommended Posts

gpro

gpro

Posted
Posted

Here are logs from Combofix.exe and Hijackthis. Also ran malware bytes quick scan which yielded no infections. I've successfully removed other viruses before using Hijackthis and Ewido as well Killbox but not sure how to proceed with Combofix. Thanks for any help you can provide.

ComboFix 09-04-04.01 - Owner 2009-04-08 14:15:14.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1490 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\UDC6_0001_D10M2905NetInstaller.exe

c:\windows\Tasks\eogeqfpf.job

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))

.

2009-04-08 09:13 . 2009-04-08 09:13 <DIR> d-------- C:\VundoFix Backups

2009-03-23 08:51 . 2009-03-23 08:52 <DIR> d-------- c:\program files\QuickZip4

2009-03-22 23:52 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys

2009-03-22 23:52 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys

2009-03-22 23:52 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys

2009-03-22 23:52 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys

2009-03-22 23:51 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-03-22 23:50 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-03-22 23:50 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-03-22 23:50 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys

2009-03-14 13:29 . 2009-03-14 13:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-14 13:26 . 2009-03-14 13:26 <DIR> d-------- c:\program files\Bonjour

2009-03-14 13:15 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

2009-03-11 14:42 . 2009-03-11 14:42 <DIR> d-------- C:\LXKZ42

2009-03-11 14:30 . 2009-03-11 14:31 2,191 --a------ c:\windows\system32\Lexmark Z42 Series ColorFine.AD2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-08 18:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-08 13:53 --------- d-----w c:\program files\Spyware Doctor

2009-04-04 13:33 --------- d-----w c:\program files\XoftSpySE

2009-04-01 13:21 10,240 --sha-w c:\program files\Thumbs.db

2009-04-01 12:28 --------- d-----w c:\program files\Safari

2009-03-29 15:35 --------- d-----w c:\program files\Microsoft Silverlight

2009-03-23 03:55 --------- d-----w c:\program files\Common Files\PC Tools

2009-03-17 02:10 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks

2009-03-14 17:29 --------- d-----w c:\program files\iTunes

2009-03-14 17:29 --------- d-----w c:\program files\iPod

2009-03-14 17:29 --------- d-----w c:\program files\Common Files\Apple

2009-03-14 17:24 --------- d-----w c:\program files\QuickTime

2009-03-11 18:53 --------- d-----w c:\program files\Common Files\Adobe

2009-03-11 18:04 --------- d-----w c:\documents and settings\All Users\Application Data\NETg

2009-03-06 15:52 --------- d-----w c:\program files\AVS4YOU

2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-03-04 16:52 --------- d-----w c:\program files\OneSuiteFax

2009-03-04 16:52 --------- d-----w c:\documents and settings\Owner\Application Data\XMedius

2009-02-24 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-02-19 23:40 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-16 19:47 --------- d-----w c:\program files\Portrait Professional 8

2009-02-13 16:59 --------- d-----w c:\documents and settings\Owner\Application Data\Anthropics

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-01-07 14:12 30 -c--a-w c:\program files\Exiferupdate.ini

2005-07-01 03:54 52 ----a-w c:\program files\Save Windows and Programs (No Data or Documents).BDF

2005-07-01 03:54 52 ----a-w c:\program files\Save Data and Documents Only.BDF

2002-09-11 14:26 63,730 ----a-w c:\program files\viewsonicinstruct_xp.pdf

2008-05-25 14:04 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-05-25 14:04 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-05-25 14:04 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-05-25 14:04 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-05-25 14:04 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2007-03-14 01:47 0 -csha-w c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe" [2004-01-21 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-01-31 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

"VIDC.PIXL"= pclepixl.dll

"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SymWSC"=2 (0x2)

"Symantec Core LC"=2 (0x2)

"SBService"=2 (0x2)

"SAVScan"=2 (0x2)

"navapsvc"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccProxy"=2 (0x2)

"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RegistryMechanic"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\OneSuiteFax\\Client\\SendFax.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56100:TCP"= 56100:TCP:PandoRest Listening Port

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-22 130424]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-22 51520]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-22 38208]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-03-22 159600]

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]

R3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2005-05-27 155264]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-22 33088]

S1 dxapii;dxapii;c:\windows\system32\drivers\dxapii.sys --> c:\windows\system32\drivers\dxapii.sys [?]

S2 A4SII300;A4SII300;c:\windows\system32\drivers\A4SII300.SYS --> c:\windows\system32\drivers\A4SII300.SYS [?]

S2 mrtRate;mrtRate; [x]

S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]

S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-03-22 64392]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-05 348752]

S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

S4 getPlusĀ® Helper;getPlusĀ® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [2008-08-05 835208]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-07 c:\windows\Tasks\Schedule Task Weekly.job

- c:\program files\Registry Easy\RE.exe []

2005-09-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-05-31 01:04]

2009-04-06 c:\windows\Tasks\SyncBack 2008.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-06 c:\windows\Tasks\SyncBack 2008.job

- c:\program files\2BrightSparks\SyncBack [2009-04-08 09:01]

2009-04-07 c:\windows\Tasks\SyncBack 2008_backup.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-07 c:\windows\Tasks\SyncBack 2009_backup.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-08 c:\windows\Tasks\SyncBack photography.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-06 c:\windows\Tasks\SyncBack photos.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-06 c:\windows\Tasks\SyncBack vintage_photos.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 12:00]

2009-04-06 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe []

2009-04-08 c:\windows\Tasks\XoftSpySE 2.job

- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

2009-04-04 c:\windows\Tasks\XoftSpySE.job

- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://my.yahoo.com

mSearch Bar =

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Translate Page into English

LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

Trusted Zone: arvixe.com\www

Trusted Zone: blogspot.com\www

Trusted Zone: capitalone.com\www

Trusted Zone: dfas.mil\mypay

Trusted Zone: dom.com\www

Trusted Zone: google.com\www

Trusted Zone: millersalbums.com\www

Trusted Zone: navyfcu.org\www

Trusted Zone: paypal.com\www

Trusted Zone: yahoo.com\my

DPF: Microsoft XML Parser for Java

DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} - hxxp://merillat.view22.com/release_3_9_177/View22RTEv4.cab

DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yp9b7nkr.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/?rd=nux

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-08 14:17:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,40,0a,e9,c8,3d,

45,eb,da,2e,e8,e1,00,eb,16,2b,de,d3,67,1b,52,24,f9,51,cd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,4f,54,09,9e,87,

bb,92,c0,46,47,15,b0,92,4b,c7,ef,12,66,13,80,8f,67,ad,be,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,b7,b0,27,34,2c,

34,69,b1,7a,45,05,fd,91,e8,6f,31,fe,fd,00,19,94,cb,d7,bb,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,60,ee,77,a9,86,

83,46,22,6b,65,49,6a,7e,99,74,f7,88,35,1b,52,4e,25,f4,21,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,f1,4a,27,2e,1e,

32,0c,58,e9,02,6c,fa,fb,1d,47,57,25,8e,ab,cf,57,ab,a0,ad,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,65,a8,39,dd,fc,

d5,7e,1c,50,93,e5,ab,ec,6a,4e,ab,51,7a,f1,c2,2a,7a,24,8e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,60,b4,53,b6,84,

c5,d7,65,97,20,4e,9a,c7,f1,35,ee,a8,ea,44,6e,87,53,e5,0e,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,7b,f9,75,fb,5d,

cd,89,31,aa,52,c6,00,84,3c,26,64,35,3e,3a,41,a2,30,d6,97,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,13,18,bb,ff,d1,

35,0f,c3,b2,46,9a,e2,1b,fe,1b,94,34,d8,89,e0,6a,94,f3,b3,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,2b,e5,8c,27,00,

1c,88,06,37,a4,aa,c3,a6,15,56,0a,ba,cc,33,3d,7f,d2,b0,04,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,53,6c,d4,b5,8d,

1c,70,74,f8,31,0f,a9,5f,a0,ec,fb,d8,96,dd,10,99,0f,c5,cf,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,e7,0d,4c,66,59,

b3,00,8f,05,73,21,dd,54,d8,4a,c5,95,a4,7b,3d,b2,f5,22,a6,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(616)

c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

.

Completion time: 2009-04-08 14:21:06

ComboFix-quarantined-files.txt 2009-04-08 18:19:48

Pre-Run: 47,582,756,864 bytes free

Post-Run: 47,759,839,232 bytes free

281 --- E O F --- 2009-03-21 21:22:10

=========================== Hijackthis log starts here============================

Logfile of HijackThis v1.99.1

Scan saved at 3:28:42 PM, on 4/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Safari\Safari.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe

O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O15 - Trusted Zone: www.arvixe.com

O15 - Trusted Zone: http://www.capitalone.com

O15 - Trusted Zone: www.dom.com

O15 - Trusted Zone: www.millersalbums.com

O15 - Trusted Zone: http://www.navyfcu.org

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mpix.com/customer/uploading/act...geUploader5.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/Uploading/act...geUploader3.cab

O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3_9_177/View22RTEv4.cab

O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Followers 0
Go to topic listing