I don't see this file anymore.
Printable View
I don't see this file anymore.
None of those file scans look correct. It should either read "Nothing Found" after each scanner, or give the malware results.
Did the site give you a link to use after completion?
Those files that I had combofix look at look even more suspicious now. None have a company name or other expected info. I believe them to be bad, but would really like to see a proper online scan result first.
When I scanned with Jotti's, it showed: "Nothing Found" with every file. With VirusTotal, the File zcxxfilse.exe showed nothing except in Prevx1 V2 2009.01.08 Cloaked Malware
Also, when looking for this file:
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
the entire "Application Data" folder is missing!
File: zcxxfilse.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: e26a9804057a4cafc7053bc1b1328200
Packers detected:
-
Scanner results
Scan taken on 09 Jan 2009 07:31:34 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
File: qjfrlys.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 21405dd01269a7700ae6380a9f10fd33
Packers detected:
PE_PATCH
Scanner results
Scan taken on 09 Jan 2009 07:39:38 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/EncPk-FE
VirusBuster
Found nothing
VBA32
Found nothing
C:\windll_v354.exe
I don't see this file anymore.
Just a note:
When I turned on all my scanning programs, a Spybot warning popped up asking me if I wanted to allow a registry change to:
c:\windows\mchost.exe. I said no, feeling it was a bad file. Is that why I don't see the folder "Application Data", which also had the file: \mchost.exe?
Sorry, I didn't have "show hidden files". It's stil there, but the extension: \mchost.exe is missing.
If spybot pops up asking permission for a registry change when we are fixing something, you need to answer 'allow.' In this case you did right.
I am pretty confident that those filoes need to go. I have done more researching on them and have found nothing good, so I think they should go.
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.Code:KillAll::
File::
C:\zcxxfilse.exe
c:\windows\windsvc.exe
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
c:\windows\mchost.exe
C:\windll_v354.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"settings"=-
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
https://discussions.virtualdr.com/im.../2010/07/1.gif
7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix 09-01-08.03 - Marty Rosengarten 2009-01-09 4:20:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3005 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marty Rosengarten\Desktop\CFScript.txt
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: *disabled*
* Created a new restore point
FILE ::
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
C:\windll_v354.exe
c:\windows\mchost.exe
c:\windows\windsvc.exe
C:\zcxxfilse.exe
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
C:\windll_v354.exe
c:\windows\mchost.exe
c:\windows\windsvc.exe
C:\zcxxfilse.exe
.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-09 03:51 . 2009-01-09 03:51 <DIR> d-------- c:\program files\Avira
2009-01-09 03:51 . 2009-01-09 03:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Grisoft
2009-01-07 18:00 . 2007-05-30 07:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 09:29 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-09 09:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 09:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-09 07:24 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-09 07:21 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-08 21:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-08_21.47.15.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 17:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 22:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 15:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 14:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2009-01-08 22:48:05 60,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-09 07:24:26 60,780 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-08 22:48:05 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 07:24:26 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 09:26:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_214.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SSMDRV
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc29b3e-87f7-11dd-8746-00123f75a5ce}]
\Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
2009-01-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]
2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]
2009-01-09 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 04:27:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8c,b1,ce,8b,d4,\
95,3a,df,c8,28,51,af,b0,29,a3,98,47,3e,94,42,f9,05,0c,ac,e2,63,26,f1,3f,c8,\
ff,68,ee,66,39,4d,4c,37,09,68,2e,e8,e1,00,eb,16,2b,de,93,6f,a7,d8,f1,53,5c,\
30,cb,0b,50,36
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,88,07,2e,fb,5f,\
4a,41,65,71,3b,04,66,8b,46,0d,96,b3,a0,99,47,c5,bc,ad,c3,6a,9c,d6,61,af,45,\
84,18,f6,f0,c8,99,32,51,72,0c,46,47,15,b0,92,4b,c7,ef,6f,73,50,f1,63,17,5d,\
00,d1,db,81,e7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,fc,5b,be,ac,47,\
f9,03,be,25,da,ec,7e,55,20,c9,26,35,1b,df,d4,52,a1,2a,66,ff,7c,85,e0,43,d4,\
0e,fe,75,fc,e8,1f,11,c0,5b,16,25,da,ec,7e,55,20,c9,26,f0,51,45,93,a3,34,fb,\
05,2e,3e,e6,7d
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,9e,27,bd,7b,80,\
5e,84,23,3e,1e,9e,e0,57,5a,93,61,f1,53,38,89,3e,b6,04,0d,86,8c,21,01,be,91,\
eb,e7,54,a9,dc,6d,7f,38,e7,46,86,8c,21,01,be,91,eb,e7,53,a3,1a,f1,85,f2,e1,\
05,0d,5e,aa,c6
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,66,28,36,8a,ba,\
0b,29,59,cd,44,cd,b9,a6,33,6c,cd,c0,bd,dd,83,ce,84,82,54,f5,1d,4d,73,a8,13,\
5c,05,4a,83,6f,ec,ab,30,93,b8,cd,44,cd,b9,a6,33,6c,cd,ec,68,e2,e3,77,d8,a2,\
fe,5a,c9,36,91
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,1b,33,bb,68,ea,\
97,13,b6,b0,18,ed,a7,3f,8d,37,a4,58,a6,19,ef,5f,8c,56,2b,df,20,58,62,78,6b,\
cf,c8,af,e1,e0,2d,4d,fb,f7,66,b0,18,ed,a7,3f,8d,37,a4,d2,a5,da,5f,28,32,b2,\
96,76,3d,da,69
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6d,f3,4f,be,36,\
3b,dc,5b,31,77,e1,ba,b1,f8,68,02,b6,b0,20,d9,84,2c,22,a4,fb,a7,78,e6,12,2f,\
9a,ea,fc,71,2f,58,fd,2d,b2,24,fb,a7,78,e6,12,2f,9a,ea,62,9c,97,d7,bd,28,00,\
da,10,e7,f2,f7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,07,8a,58,90,67,\
3a,47,32,83,6c,56,8b,a0,85,96,ab,e1,30,9c,50,1f,11,d7,1a,01,3a,48,fc,e8,04,\
4a,f1,5a,27,91,e6,4a,96,ca,c8,83,6c,56,8b,a0,85,96,ab,f2,f8,9a,48,0d,42,f4,\
9e,19,28,ba,ed
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,c2,8e,cc,0d,\
08,65,a0,51,fa,6e,91,28,9e,14,cc,68,c4,0f,40,00,79,4c,a7,f6,0f,4e,58,98,5b,\
89,c9,29,7d,90,c0,46,5c,bd,ba,51,fa,6e,91,28,9e,14,cc,a5,83,9e,f5,f7,55,78,\
13,6c,45,d5,9a
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,52,3f,07,df,a9,\
e9,ad,1b,b1,cd,45,5a,a8,c4,f8,b9,b5,35,26,df,7c,ce,7f,eb,3d,ce,ea,26,2d,45,\
aa,78,56,62,fb,03,7d,46,0b,3c,b1,cd,45,5a,a8,c4,f8,b9,ed,83,f8,8a,86,75,9b,\
6b,c7,ac,5d,6f
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,74,ea,1b,16,e9,\
a1,bb,42,e3,0e,66,d5,eb,bc,2f,6b,a5,98,55,d9,5b,ef,59,8e,2a,b7,cc,b5,b9,7f,\
41,e7,79,ae,b9,75,b9,fb,aa,ff,e3,0e,66,d5,eb,bc,2f,6b,1f,99,58,0d,6e,61,fc,\
2a,ea,ce,f2,63
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,64,e0,c7,10,f3,\
89,34,52,fa,ea,66,7f,d4,3b,6b,70,82,e4,61,be,6b,d4,36,84,6c,43,2d,1e,aa,22,\
2f,9c,a5,e6,c7,29,5a,df,3f,bc,fa,ea,66,7f,d4,3b,6b,70,71,3b,da,e5,06,73,eb,\
05,1c,d8,30,0f
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-01-09 4:34:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 09:34:33
ComboFix2.txt 2009-01-09 02:49:49
Pre-Run: 97,919,279,104 bytes free
Post-Run: 97,904,234,496 bytes free
400 --- E O F --- 2008-12-22 02:36:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:47 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PrettyMay\PrettyMay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Marty Rosengarten\My Documents\Download Start-up files\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\MARTY ROSENGARTEN\Application Data\Mozilla\Profiles\default\azfimivy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrettyMay] C:\Program Files\PrettyMay\PrettyMay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - Startup: PANTONE(R) colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
--
End of file - 13251 bytes
- Go to Start > Control Panel double-click on the Software icon > add/remove programs.
- Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
- Select it and click Remove.
- Then Download and install the newest version from here:
- http://www.java.com/en/download/manual.jsp
====
Can you please do the following.
===============
You will have to disable Spybot's Teatimer before we begin, as it will interfere with the fix. To do this can you start Spybot and go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable teatimer when we are done :).
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
===============
Scan with HijackThis and then place a check next to all the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
After rebooting, please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.When the scan is done, in the Scan is completed window (below), any infection is displayed.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK and, under select a target to scan, select My Computer
There is no option to clean/disinfect, however, we need to analyze the information on the report.
https://discussions.virtualdr.com/im.../2010/04/1.gif
https://discussions.virtualdr.com/im.../2010/04/2.gif
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
I don't understand something about the resetTeaTimer.bat. It brings up a page of code and I don't know where to double click to remove the entries.
It is wanting to open up instead of starting to download.
Took 3 tries for me to get it.
I Zipped it and attached it.