0

Hi All,

I've been facing the same problem as mentioned in one of the threads related to deletion of spools.exe, after I heroically deleted the spools.exe file from my System32\drivers folder.

I use a Windows Xp Home Edition with SP2 and do not have anti virus solutions installed.

I was searching for a key for a software yesterday when I accidentally ran the file to land in hell.

Also I am a newbie so didn't know where to begin from.

Apologies and Thanks in advance.

4
Contributors
37
Replies
40
Views
8 Years
Discussion Span
Last Post by plastered
Featured Replies
  • Please Run the [B][URL="http://www.eset.com/onlinescan/"][COLOR=Green]ESET Online Scanner[/COLOR][/URL][/B] and post the ScanLog with your post for assistance. [INDENT][list][*] You will need to use [B]Internet Explorer[/B] to complete this scan. [*] You will need to temporarily [I]Disable[/I] your current Anti-virus program. [*] Be sure the option to [I]Remove found threats[/I] is[B] Un-checked[/B] at … Read More

0

hi, there are free stuff on the web.. like AVG anti-virus, or you can download also malware bytes... check if any of these stuff can help you..

0

It's what happens when you download cracks. I doubt that you accidentally ran the file after deliberately searching for it though :D

0

Hi,

I tried hoping for a miracle with the anti-virus software but to no effect. Thank you though.

True, I was searching for a .txt file or just the serial number but the darn thing happened to be a .exe file.

Regardless could you let me know as to what I should do now? I've lost my Dvd drive to and the USB ports making me all the more crippled as I cannot back up data.

Please advice.

1

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

Kaspersky Online Scanner Panda Active Scan Trend Micro HouseCall F-Secure Online Virus Scanner

==

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Hi,

I've been trying to scan all day yesterday. Using the Kaspersky Online Scanner. It functions and scans but then gets struck. The last time it got struck at 77% and shot my temperature boiling. I am trying to scan again.

Meanwhile is there anything I can do.

0

Have you tried all those links?

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

====

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Yes, I tried with all of the online scanner. Only KOS was a hit as it didn't prompt me to install anything. None of the .exe function. The Malware setup also didn't install. I am trying to scan again using KOS.

I have downloaded the HijackThis tool but cannot install it as I don't know which program to select from the list when asked for.

What shall I do now?

Thank you.

0

Finally after two sleepless night I've been able to complete a scan of the Critical Areas of the computer using the Kaspersky Online Scanner. The results are as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 26, 2009 18:49:02
Records in database: 1701953
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 102795
Threat name: 9
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 02:07:42


File name Threatname Threats count

C:\Program Files\Internet Explorer\setupapi.dll
Infected: Trojan.Win32.Agent.abas 1

C:\Program Files\Mozilla Firefox\setupapi.dll
Infected: Trojan.Win32.Agent.abas 1

C:\WINDOWS\system32\cbXOHxVm.dll
Infected: Trojan.Win32.Monder.arys 1

C:\WINDOWS\system32\crypts.dll
Infected: Trojan-Downloader.Win32.Injecter.bzs 1

C:\WINDOWS\system32\mlJAqPig.dll
Infected: Trojan.Win32.Monderb.afet 1

C:\WINDOWS\system32\nvsvc32.exe
Infected: Trojan-Downloader.Win32.Agent.aofm 1

C:\WINDOWS\system32\tuvUMFyw.dll
Infected: Trojan.Win32.Agent.bknt 1

C:\WINDOWS\system32\userinit.exe
Infected: Backdoor.Win32.Delf.ntc 1

C:\WINDOWS\Temp\15AA.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\2691.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\7D64.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\8CC63119.exe
Infected: Trojan-Dropper.Win32.Agent.wcc 1

C:\WINDOWS\Temp\93BD013A.exe
Infected: Trojan-Dropper.Win32.Agent.wcc 1

C:\WINDOWS\Temp\B56F.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\F3DF.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\FA00.tmp
Infected: Backdoor.Win32.KeyStart.s 1

C:\WINDOWS\Temp\FFA5.tmp
Infected: Backdoor.Win32.KeyStart.s 1

The selected area was scanned.

0

Open Device Manager and on the VIEW Tab, select the Show hidden
devices
option.
Go down to non plug and play drivers and see if there is one called
TDSSserv and disable it.

==

Reboot if found and try to run MBA-M and hijackthis as per my previous instructions.

0

I did not find any entry of the name you mentioned under the non plug and play devices.

I can download the application but when it asks to what to open it with what do I select?

Thank you.

0

You just need to double click on the file you downloaded and it should self install. Just follow the prompts.

0

I apologize for not explaining properly. When I double click on the icon, the installer doesnt run. It instead pops up with the "Open with" window.

The exe file that is downloaded doesn't run automatically on being clicked like it should normally.

0

Whoa!! That was super sweet!!! I Installed the HJT tool and the following is the report.

===============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32:28, on 2009-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\p_protect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\3C77.tmp
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=userinit.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe

O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe

O4 - HKLM\..\Run: [6c277455] rundll32.exe "C:\WINDOWS\system32\etmwikcr.dll",b

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-7602198224-8575323747-518570951-4349\service.exe

O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe

O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23

O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6496 bytes

==============================================

Thank you so very much. I am going to attach the Malware report in the next post.

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32:28, on 2009-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\p_protect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\3C77.tmp
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe
O4 - HKLM\..\Run: [6c277455] rundll32.exe "C:\WINDOWS\system32\etmwikcr.dll",b
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-7602198224-8575323747-518570951-4349\service.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6496 bytes
0

sfc /scannow

will restore the spools.exe

still got to get rid of the infection though, so do as crunchie says

0

I completed the scan using the Malwarebytes Anti-Malware software. Here is the log for the same.

This log is before the actions were completed.
============================================

Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 2

2009-01-29 02:12:20
MBAM Log

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 199660
Time elapsed: 1 hour(s), 37 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 13
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXOHxVm.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\mlJAqPig.dll (Trojan.Vundo) -> No action taken.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> No action taken.

C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> No action taken.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaqpig (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c277455 (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxohxvm -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxohxvm -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXOHxVm.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\mVxHOXbc.ini (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\mVxHOXbc.ini2 (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\etmwikcr.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\rckiwmte.ini (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\tonadgwy.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\ywgdanot.ini (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\mlJAqPig.dll (Trojan.Vundo) -> No action taken.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\upd105320[1] (Trojan.Vundo.H) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper0[2].htm (Backdoor.Rustock) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper1[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\bhreefftg[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\gdwxxky[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\bhreefftg[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\aasuper3[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\hroolyc[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\apstpldr.dll[1].htm (Adware.BHO) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\tdmaxbo[1].htm (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\bhreefftg[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\aasuper1[2].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\sczzzaaooc[1].txt (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[2].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\hroolyc[2].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\aasuper3[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\hroolyc[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\bhreefftg[1].htm (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\divx20[1] (Trojan.Vundo) -> No action taken.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> No action taken.

C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102893.exe (Trojan.TinyDownloader705) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102895.exe (Trojan.TinyDownloader705) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102898.dll (Spyware.Passwords) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102899.dll (Spyware.Passwords) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102907.exe (Trojan.TinyDownloader705) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102909.exe (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102912.exe (Trojan.TinyDownloader705) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102913.exe (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102914.exe (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102915.exe (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102917.exe (Trojan.Dropper) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102890.exe (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102908.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Temp\8CC63119.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\Temp\93BD013A.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\tuvUMFyw.dll (Adware.BHO) -> No action taken.

C:\WINDOWS\system32\nvsvc32.exe (Spyware.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\27af3eb5.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\b9061be1.sys (Rootkit.Agent) -> No action taken.

C:\RECYCLER\S-1-5-21-7602198224-8575323747-518570951-4349\service.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> No action taken.

0

I'll clear the entries using the software and then post the log back again.

0

Hi again,

I restarted the computer and things look better. The log is here.

=================================================

Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 2

2009-01-29 02:31:50
mbam-log-2009-01-29 (02-31-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 199660
Time elapsed: 1 hour(s), 37 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 13
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\WINDOWS\system32\cbXOHxVm.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\mlJAqPig.dll (Trojan.Vundo) -> Delete on reboot.


Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaqpig (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.


Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c277455 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Downloader) -> Quarantined and deleted successfully.


Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxohxvm -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxohxvm -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.


Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper0[2].htm (Backdoor.Rustock) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper1[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\aasuper3[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\hroolyc[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\aasuper1[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.


C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\apstpldr.dll[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\sczzzaaooc[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\tdmaxbo[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\hroolyc[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\aasuper3[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\bhreefftg[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\hroolyc[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-7602198224-8575323747-518570951-4349\service.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102890.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102893.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102895.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102898.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102899.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102907.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102908.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102909.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102912.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102913.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102914.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102915.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102917.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\8CC63119.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\93BD013A.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cbXOHxVm.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\27af3eb5.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\b9061be1.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\etmwikcr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mVxHOXbc.ini (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\mVxHOXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mlJAqPig.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\nvsvc32.exe (Spyware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rckiwmte.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tonadgwy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuvUMFyw.dll (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ywgdanot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.


==============================================

Things seem to be working now. What do we do next? And thank you again.

Attachments
Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 2

2009-01-29 02:31:50
mbam-log-2009-01-29 (02-31-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 199660
Time elapsed: 1 hour(s), 37 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 13
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\WINDOWS\system32\cbXOHxVm.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\mlJAqPig.dll (Trojan.Vundo) -> Delete on reboot.


Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaqpig (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcc74274-1ce3-467f-a725-56f46b17f4f3} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.


Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c277455 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Downloader) -> Quarantined and deleted successfully.


Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxohxvm  -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxohxvm -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.


Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3GI1PFHH\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper0[2].htm (Backdoor.Rustock) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\aasuper1[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\D3V7RSJB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JHU13YQM\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\aasuper3[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\hroolyc[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHW63WTG\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\1H3K3AAM\cvescpddqn[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\aasuper1[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.


C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\apstpldr.dll[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\bhreefftg[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\sczzzaaooc[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2LPNSD0D\tdmaxbo[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\gdwxxky[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\B3660CYB\hroolyc[2].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\aasuper3[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\bhreefftg[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\hroolyc[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\KQZ22BX7\tdmaxbo[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-7602198224-8575323747-518570951-4349\service.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D514F293-3393-4B54-A419-06CB4556323F}\RP139\A0102890.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{D5
0

Please re-run hijackthis again, select Do a system scan and save a logfile. When notepad opens, go to the Format Tab and de-select Word Wrap.
Highlight the entire text and post the log back here.

0

Here is the result of the scan using HJT.

=================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:57, on 2009-01-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\p_protect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23

O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5691 bytes
================================================

0

I've attached the log as it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36:45, on 2009-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\p_protect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5655 bytes

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36:45, on 2009-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\p_protect.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5655 bytes
0

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\p_protect.exe

============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\drivers\spools.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

The following is the result of the scan of file p_protect.exe by Virus Total

==================================================

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - Win32.VirTool.DelfInject.gen!AG.8
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - Generic!Artemis
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - Trojan.DL.Win32.Direct.jr
SecureWeb-Gateway - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: 51dc9ab9752107bff6427dfd384e45a3
SHA1: 8555fec756b98c320b3a8ec66b4e1317bcfd084d
SHA256: 8f90cbc857f8e1d04003ebf90cc0cd1069256899d1e0fbd6a4672f2bc679a320
SHA512: 2f9b47aa47440dbd9634325ba5f9e62fee16796e7ab35d41ddd7d971827a86d621540f5bd7a144d070ac01ded60d6786ee04aedcc70f37f121febe19a446c4b1

==================================================

I'll follow the rest of the step and reply back in a moment.

0

I did not find any Spools.exe in the System32 folder even after making the hidden files and folders visible. I'll post the log for HJT now.

==================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:48, on 2009-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\p_protect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5004 bytes


===============================================

I wanted to know what the processes Userinit.exe and Spoolsv.exe are? As in are they threats? Because the former I definitely didn't observe on my Task Manager when my system was in better condition, not so sure about the latter. Also I see multiple number of Svchost.exe running for Local Service, Network Service and System.

===============================================

The computer seems to be normal now. I haven't run into any problem since the fix. But is was something that is still nagging me. When I checked the System32 folder, I could many of the application files have lost their icons. I mean for example if you have a Launcher application whose files you delete then the Application Launcher icon becomes a white box with three dots on it right. I was getting worried about it. I'll try to post a screen shot.

Thank you.

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:48, on 2009-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\p_protect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{35D307E8-6B83-4F28-9479-8EC657B823F4}: NameServer = 192.168.1.1,218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5004 bytes
0


I wanted to know what the processes Userinit.exe and Spoolsv.exe are? As in are they threats? Because the former I definitely didn't observe on my Task Manager when my system was in better condition, not so sure about the latter. Also I see multiple number of Svchost.exe running for Local Service, Network Service and System.

All legitimate.


The computer seems to be normal now. I haven't run into any problem since the fix. But is was something that is still nagging me. When I checked the System32 folder, I could many of the application files have lost their icons. I mean for example if you have a Launcher application whose files you delete then the Application Launcher icon becomes a white box with three dots on it right. I was getting worried about it. I'll try to post a screen shot.

Thank you.

All ok. Mine is the same.

====

Can you please do the following.

===============

Look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

p_protect.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\system32\p_protect.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\p_protect.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

Can't kill the damn thing, keeps coming back in a flash. I tried in safe mode to. It just doesn't want to die. I also searched for "prefetch" but the only result that showed was the application from System32 which again I tried deleting to no avail.

0

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.


[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
C:\WINDOWS\system32\p_protect.exe
  • Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.


[*]Ensure the following:

  • Scan for Rootkits is checked.
  • Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)
[*]Post new hijackthis log.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.