Sounds like fun... but your computer will work just fine without explorer.exe, it's just a little harder to control it without that nice user interface.
And none of us are young enough to search for trojans from the C:\ prompt. What follows assumes that you got to Daniweb from another machine. Fine, but back to yours now.
Let's avoid using explorer for a while. Task manager has nothing to do with it so you can use it to launch pgms, you just go File > New Task(Run) and enter: iexplore.exe
From your C prompt [you mean a black cmd window?] it would be [paste this in]:
C:\"Program Files\Internet Explorer\iexplore.exe"
And either way an IE browser window should pop open. Now the neat thing is the quite large amount of interchangeability between IE and Windows Explorer - you can surf from WE and you can navigate about your folders from IE. So...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder in your Program Files. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Select the Cleaner icon, press Run Cleaner.
::: To use IE as a file explorer just type C:\ in the address bar and then check the dropdown menu [from the lil blue down arrow], choose Pgm Files. A bunch of pgm icons will appear in IE, dclick Program Files icon, dclick CCleaner icon, dclick CCleaner.exe
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Who needs WE?
Btw, in TM you don't get New Task (Run) if you are on Networking tab. Dunno why...
Windows explorer and desktop icons won't stay loaded
I am running XP and was not practicing safe computer sex. Now windows explorer won't stay open for more than a few seconds and I cannot search for malware. I can open Task Manager and occasionally I have enough time to start up some programs like Eset NOD 32. I can also get to the C prompt but don't know enough DOS to search for malware files. Can someone give me hand solving this problem?
Gerbil,
Thanks for your reply and offer to help. I was able to follow all of your instructions with the exception of the Panda Active Scan which would not work on two different computers. I will post the Highjack This! file below but I have learned a bit more. My NOD 32 scan reports Win32/Adware.Virtumonde application and two files in System32 folder: ddccyvu.dll and rqolj.dll as threats which should be deleted. As soon as I delete these files they come back almost immediately and are picked up as a threat by NOD32 again. In addition, after deleting these two files the first time, windows explorer and my desktop icons have returned and seem to be stable. However, my computer is running extremely slowly now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:38 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\The Weather Channel FW\Desktop
Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common
files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP
Scheduler.exe
C:\Program Files\Common Files\AOL\1109130448\EE\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IEPro\MiniDM.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Trend Micro\HijackThis\imabunny.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
= http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr
.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF}
- C:\Program Files\IEPro\iepro.dll
O2 - BHO: Yahoo! Toolbar Helper -
{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SeekNewLive Bar -
{0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program
Files\SNLBar\SNLBar.dll
O2 - BHO: (no name) - {32F05659-3AF7-48BB-B161-1D78F3152BED} -
C:\WINDOWS\system32\ddccyvu.dll
O2 - BHO: SSVHelper Class -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO -
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program
Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D05A1A55-48BD-44FE-9B7B-05943ADCF12F} -
C:\WINDOWS\system32\rqolj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar -
{DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program
Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper
Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common
Files\AOL\1109130448\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe"
/WAITSERVICE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt
Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network
Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer]
KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM
FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI
Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel
FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [H/PC Connection Agent] "C:\PROGRAM
FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'LOCAL
SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [H/PC Connection Agent] "C:\PROGRAM
FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User
'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\PROGRAM
FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe
C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\PROGRAM
FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'Default
user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe
C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
(User 'Default user')
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common
Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk =
C:\Program Files\CU VPN\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program
Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and
Settings\All Users\Application
Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences -
{0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program
Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences -
{0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program
Files\IEPro\iepro.dll
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite -
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program
Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) -
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program
Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program
Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ATI TV -
{44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI
Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 -
{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 -
{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.demonoid.com
O15 - Trusted Zone: http://www.mininova.org
O15 - Trusted Zone: http://www.passportimages.com
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C}
(VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9}
(asusTek_sysctrl Class) -
http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows
Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro
ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/a
ctivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec
AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter
Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL
Content Update) -
http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/bor
ris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -
http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
(WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu
web_site.cab?1121317761572
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec
RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
(MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/m
uweb_site.cab?1150254016292
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial
cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}
(ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
(get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 -
HKLM\System\CCS\Services\Tcpip\..\{5E36A1DF-48F6-4EC1-BDB2-5F
CF01A6B56E}: Domain = listenup.com
O18 - Protocol: bwfile-8876480 -
{9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program
Files\Logitech\Desktop
Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program
Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ddccyvu - C:\WINDOWS\SYSTEM32\ddccyvu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC -
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown
owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program
Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries
Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. -
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco
Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program
Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) -
SEIKO EPSON CORPORATION - C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure
Networks, Inc. - C:\Program Files\Pure Networks\Network
Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure
Networks, Inc. - C:\Program Files\Pure Networks\Network
Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program
Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt
Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink
Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 15371 bytes
Hifi... could you please post that hijackthis log with Format Unwrapped in notepad, please?
Don't worry about reposting the hijackthis log, Hifi, just keep that formatting in mind for future notepad posts.
It appears that you have a vundo infection, or traces of one, so...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post the contents of C:\vundofix.txt, C:\combofix.txt plus a new HijackThis log run in normal mode.
Hi Gerbil,
Thanks for the help. Seems to have fixed the problem. Here is Combofix and HJT logfiles.
ComboFix 08-04-08.7 - CEZ 2008-04-09 9:00:30.1 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -6:00]
Running from: D:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\start.exe
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\ddccyvu.dll
C:\WINDOWS\SYSTEM32\jloqr.ini
C:\WINDOWS\SYSTEM32\jloqr.ini2
C:\WINDOWS\system32\rqolj.dll
C:\WINDOWS\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.
2008-04-09 07:49 . 2008-04-09 07:49 d--hs---- C:\FOUND.000
2008-04-08 22:04 . 2008-04-08 22:04 8 --a------ C:\WINDOWS\SYSTEM32\3d3dcc52
2008-04-06 20:15 . 2008-04-06 20:15 d-------- C:\Program Files\Panda Security
2008-04-06 19:22 . 2008-04-06 19:22 d-------- C:\Program Files\Trend Micro
2008-04-06 18:11 . 2008-04-06 18:11 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 17:22 . 2008-04-06 17:22 d-------- C:\Program Files\CCleaner
2008-03-28 11:37 . 2008-04-09 09:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 11:37 . 2008-03-28 11:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 10:18 . 2008-03-28 10:18 d-------- C:\Program Files\Swf2Avi
2008-03-28 10:16 . 2008-03-28 10:16 d-------- C:\Documents and Settings\CEZ\Application Data\MiniDm
2008-03-24 21:38 . 2008-03-24 21:38 d-------- C:\Documents and Settings\CEZ\Application Data\Downloaded Installations
2008-03-17 07:20 . 2008-03-17 07:20 d-------- C:\Documents and Settings\CEZ\Application Data\SlySoft
2008-03-17 07:10 . 2008-03-17 07:10 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-03-17 07:00 . 2008-03-17 07:00 24 ---hs---- C:\WINDOWS\SB7CC85B5.tmp
2008-03-11 22:00 . 2008-03-11 22:00 d-------- C:\Documents and Settings\CEZ\Application Data\IEPro
2008-03-11 21:59 . 2008-03-11 21:59 d-------- C:\Program Files\IEPro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 16:13 --------- d-----w C:\Program Files\iPod
2008-02-26 16:12 --------- d-----w C:\Program Files\iTunes
2008-02-16 05:49 284,944 ----a-w C:\Documents and Settings\CEZ\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 03:52 --------- d-----w C:\Program Files\Bonjour
2008-02-16 03:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-01-09 16:19 966,656 ----a-w C:\WINDOWS\SYSTEM32\btrez.dll
2007-05-08 04:31 92,064 ----a-w C:\Documents and Settings\CEZ\mqdmmdm.sys
2007-05-08 04:31 9,232 ----a-w C:\Documents and Settings\CEZ\mqdmmdfl.sys
2007-05-08 04:31 79,328 ----a-w C:\Documents and Settings\CEZ\mqdmserd.sys
2007-05-08 04:31 66,656 ----a-w C:\Documents and Settings\CEZ\mqdmbus.sys
2007-05-08 04:31 6,208 ----a-w C:\Documents and Settings\CEZ\mqdmcmnt.sys
2007-05-08 04:31 5,936 ----a-w C:\Documents and Settings\CEZ\mqdmwhnt.sys
2007-05-08 04:31 4,048 ----a-w C:\Documents and Settings\CEZ\mqdmcr.sys
2007-05-08 04:31 25,600 ----a-w C:\Documents and Settings\CEZ\usbsermptxp.sys
2007-05-08 04:31 22,768 ----a-w C:\Documents and Settings\CEZ\usbsermpt.sys
2007-01-19 14:39 87,608 ----a-w C:\Documents and Settings\CEZ\Application Data\ezpinst.exe
2007-01-19 14:39 47,360 ----a-w C:\Documents and Settings\CEZ\Application Data\pcouffin.sys
2006-04-14 02:35 111 ----a-w C:\Documents and Settings\CEZ\Application Data\fusioncache.dat
2004-10-09 06:49 271 --sh--w C:\Program Files\desktop.ini
2004-10-09 06:49 23,357 ---h--w C:\Program Files\folder.htt
2004-08-19 22:13 64,512 ---ha-w C:\Documents and Settings\CEZ\Application Data\rbap450.dll
2003-08-30 07:41 431 ----a-w C:\Program Files\Microsoft Publisher 98.lnk
2002-12-02 16:35 81,920 ----a-w C:\Program Files\CALENDAR CREATOR 7.mdb
2003-03-03 06:08 32 --sha-w C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat
2003-03-03 06:08 32 --sha-w C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat
2006-12-05 02:43 5,642 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-09-26 06:29 88 --sh--r C:\WINDOWS\SYSTEM32\E2A317C6E3.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78F0212}]
2007-04-20 08:27 49152 --a------ C:\Program Files\SNLBar\SNLBar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-07-29 21:54 69705]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-03-07 10:00 724080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 06:23 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 09:19 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2002-12-04 14:16 1194496]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 14:33 99480]
"HostManager"="C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe" [2007-10-08 14:50 41824]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-21 19:59 949376]
"atwtusb"="atwtusb.exe" [2001-08-20 18:48 167936 C:\WINDOWS\SYSTEM32\Atwtusb.exe]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17 699120]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"AolAcsDaemon1"="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE" [2007-10-11 04:20 42368]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" [2004-02-03 13:42 401491]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 12:00 30208]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
C:\Documents and Settings\CEZ\Start Menu\Programs\Startup\
AOL Desktop.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [2007-05-25 10:16:09 42032]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-12-09 09:12:42 135680]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-07-24 15:45:57 110592]
University of Colorado at Boulder VPN Client.lnk - C:\Program Files\CU VPN\vpngui.exe [2007-09-24 13:48:22 1528880]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-09 09:19:03 784912]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-11 12:26:12 576104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
""= 00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
""= 00000000
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 09:19 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyvu]
ddccyvu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"MSACM.CEGSM"= mobilev.acm
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^File-Ex.lnk]
backup=C:\WINDOWS\pss\File-Ex.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SYSTEMSUITE.LNK]
backup=C:\WINDOWS\pss\SYSTEMSUITE.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\CEZ\Start Menu\Programs\Red Chair Software\Anapod Explorer\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^WinFax Application Port Starter.lnk]
backup=C:\WINDOWS\pss\WinFax Application Port Starter.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^WinFax PRO Controller.lnk]
backup=C:\WINDOWS\pss\WinFax PRO Controller.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r------- 2006-10-23 05:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 13:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide-The-IP]
C:\Program Files\Hide The IP\HideTheIP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-06-14 10:05 6856704 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
--a------ 2007-03-28 19:52 617576 C:\Program Files\RFA Platinum\rfagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2004-08-04 00:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"GBPoll"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"Speed Disk service"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MDM"=2 (0x2)
"Fax"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"NBService"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"InCDsrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"NProtectService"=2 (0x2)
"SCardSvr"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"RemoteCenter"=C:\Program Files\Creative\SBLive\RemoteCenter\Rc\RcMan.EXE
"Creative Launcher"=C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"ALiUSBfix"=C:\WINDOWS\SYSTEM32\GREENMK.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"PaperPort PTD"=c:\paprport\pptd40nt.exe
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"Adobe Version Cue CS2"="c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
"Logitech Utility"=Logi_MwX.Exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"AtiPTA"=atiptaxx.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"DU Meter"=C:\PROGRAM FILES\DU METER\DUMETER.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"SchedulingAgent"=mstask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\WINDOWS\\System32\\fxsclnt.exe"=
"C:\\Program Files\\LapLink Gold\\laplink.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\CU VPN\\vpnclient.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\ee\\AOLDesktop.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2007-09-15 08:41]
R1 tsircmir;LapLink Mirror Driver Miniport;C:\WINDOWS\system32\Drivers\tsircmir.sys [2004-09-29 15:19]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 00:53]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 TSISER;TSISER;C:\WINDOWS\system32\drivers\TSISER.sys [2004-09-29 16:23]
R2 TSISTRMX;Traveling Software Stream Driver;C:\WINDOWS\system32\drivers\TSISTRMX.sys [2004-09-29 15:18]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;C:\WINDOWS\system32\drivers\TSIKBF5.sys [2004-09-29 15:17]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;C:\WINDOWS\system32\drivers\TSIMSF5.sys [2004-09-29 15:18]
S1 TSIRCINK;Traveling Software Install Driver;C:\WINDOWS\system32\drivers\TSIRCINK.sys [2004-09-29 15:18]
S3 LLUSBFLT;LLUSBFLT;C:\WINDOWS\system32\drivers\llusbflt.sys [2004-09-29 16:23]
S3 PLUsbbc2;Laplink USB Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2004-06-03 00:51]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 utblfilt;utblfilt;C:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 02:42]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 18:53]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 15:58:58 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-01 00:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 09:08:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
.
**************************************************************************
.
Completion time: 2008-04-09 9:21:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 15:20:56
Pre-Run: 186,894,876,672 bytes free
Post-Run: 187,471,429,632 bytes free
.
2008-03-19 15:37:58 --- E O F ---
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:57 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\common files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1109130448\EE\aolsoftware.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\imabunny.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SeekNewLive Bar - {0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program Files\SNLBar\SNLBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.demonoid.com
O15 - Trusted Zone: http://www.mininova.org
O15 - Trusted Zone: http://www.passportimages.com
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121317761572
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150254016292
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E36A1DF-48F6-4EC1-BDB2-5FCF01A6B56E}: Domain = listenup.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ddccyvu - ddccyvu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 14963 bytes
Vundofix did not find anything?
=C:\FOUND.000 - these are remnants from running chkdsk - you must have had a crash, chkdsk found file scraps and put them here. You can delete this folder.
=Delete:
C:\WINDOWS\SB7CC85B5.tmp
=Check the properties of these files for the owner:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat
C:\WINDOWS\SYSTEM32\E2A317C6E3.sys
=What is in this folder?:
C:\WINDOWS\SYSTEM32\3d3dcc52
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O20 - Winlogon Notify: ddccyvu - ddccyvu.dll (file missing)
While doing this, you should also fix those three O15 entries - there is no need to have any sites as Trusted, if they are safe they will pass all your IE security protocols anyway; they may as well be subject to the same checks as any other site.
Fix this one also:
O2 - BHO: SeekNewLive Bar - {0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program Files\SNLBar\SNLBar.dll
... and delete this folder:
C:\Program Files\SNLBar\
Good Morning Gerbil,
The dat and sys files show "everyone" as the owner. I couldn't find Windows\System32\3d3dcc52. I fixed HJT entries you mentioned. I couldn't delete Program Files\SNLBar\. I found the Vundofix logfile which is shown below. And, thank-you, thank-you, thank-you.
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 10:48:41 AM 3/30/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\cbxus.dll
C:\WINDOWS\SYSTEM32\fnhrkwhe.dll
C:\WINDOWS\SYSTEM32\suxbc.ini2
C:\WINDOWS\SYSTEM32\wvurqol.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\cbxus.dll
C:\WINDOWS\SYSTEM32\cbxus.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\fnhrkwhe.dll
C:\WINDOWS\SYSTEM32\fnhrkwhe.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\suxbc.ini2
C:\WINDOWS\SYSTEM32\suxbc.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\wvurqol.dll
C:\WINDOWS\SYSTEM32\wvurqol.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 8:12:04 AM 4/9/2008
Listing files found while scanning....
C:\Program Files\PowerISO\PWRISOSH.DLL
Beginning removal...
VundoFix V7.0.3
Scan started at 6:36:16 PM 4/9/2008
Listing files found while scanning....
No infected files were found.
Hello, Hifi.
Rename these files:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat > C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat.old
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat > C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat.old
=C:\WINDOWS\SYSTEM32\3d3dcc52 - did you use the search function when trying to find this? That way you would see hidden folders... if you can't find it, don't worry about it.
=Deleting C:\Program Files\SNLBar\... Sorry , I was a bit brief on the instruction for this one; go CP, Add/Remove pgms and remove it from there, then you will be able to delete the folder.
You may have to delete the file in it first.
=Delete this file, you may have to do it from safe mode...
C:\WINDOWS\SYSTEM32\wvurqol.dll
-now please run Vundofix again; CHECK the log, if it cannot delete any files it finds rerun it until it does the job.
