HijackThis log
cepheus
Posts: 20,053 Forumite
Spent the last few days getting rid of a malicious virus; however, this still pops up in HijackThis. Is this normal with Money Manager? I'd like to use it but don't want to start until I know it is safe.
Malwarebytes and AVG now say computer is clean.
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe)
Rest of log
Logfile of HijackThis v1.98.2
Scan saved at 15:56:42, on 29/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Watford Electronics
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: JWord プラグイン - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord プラグインについて - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton&pver=2 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O11 - Options group: [JWDSearch] JWord プラグイン
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: SpreadbetClient - http://195.20.122.71/SpreadbetClient.cab
O16 - DPF: SpreadbetClientSupportClasses - http://195.20.122.71/SpreadbetClientSupportClasses.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200179802440
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC8F5DB2-2A60-44B1-BFE1-0233CF6BA905}: NameServer = 78.143.192.10 78.143.192.20
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
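The HijackThis log above is mostly third-party clutter, and the line the poster asked about (the Egg Money Manager control) is fetched over HTTPS from the bank's own host. What makes a log like this worth triage is a small set of patterns: BHO/button registrations whose file is gone, auto-starts that live in user-writable directories, ActiveX (O16) controls pulled from a raw IP or over plain http, and an explicitly set DNS server (O17). The Python below is an added example, not part of this thread or of HijackThis; it encodes those checks and runs them over lines copied from the log above plus one constructed O4 line built from the `luhfhlln` Run entry that AVG and Malwarebytes report later in the thread (that line does not appear in the posted HijackThis log). The severity labels and the directory list are my own assumptions.

```python
"""Triage HijackThis log lines for the patterns that usually matter (added example)."""
import re
from ipaddress import ip_address

# Directories a legitimate auto-start almost never runs from on XP (my list, an assumption).
USER_WRITABLE = (r"\local settings\temp", r"\local settings\application data", r"\application data")


def _host(url):
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1) if m else ""


def _is_ip(host):
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O16", ...
    low = line.lower()
    if section in ("O2", "O3", "O9") and ("(no file)" in low or "(file missing)" in low):
        return ("low", "registration whose file is gone; remove the orphan")
    if section == "O4":
        # everything after the first colon is "[name] path args" or "x.lnk = path"
        target = line.split(":", 1)[1].lower() if ":" in line else low
        if any(p in target for p in USER_WRITABLE):
            return ("high", "auto-start launched from a user-writable directory")
    if section == "O16":
        url = line.rsplit(" - ", 1)[-1]        # O16 lines end with " - <download URL>"
        host = _host(url)
        if _is_ip(host):
            return ("high", f"ActiveX control downloaded from a raw IP ({host})")
        if url.lower().startswith("http://"):
            return ("medium", f"ActiveX control fetched over plain http from {host}; check its Authenticode signature")
    if section == "O17":
        return ("info", "DNS servers set explicitly; confirm they belong to the ISP or router")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(line, severity, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((raw.strip(), *hit))
    return findings


# Sample input: lines copied from the posted log, plus one constructed O4 line (the
# luhfhlln Run value that AVG/Malwarebytes reported) that the posted log did not contain.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [luhfhlln] C:\Documents and Settings\l\Local Settings\Application Data\euqxinkmj\dsggxcotssd.exe
O16 - DPF: SpreadbetClient - http://195.20.122.71/SpreadbetClient.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC8F5DB2-2A60-44B1-BFE1-0233CF6BA905}: NameServer = 78.143.192.10 78.143.192.20
"""

if __name__ == "__main__":
    for line, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run over the full log this flags the two `(no file)` BHOs, the five `(file missing)` O9 buttons, the two SpreadbetClient CABs served from a raw IP, and the O17 DNS pair for verification; the Egg control itself produces no finding.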
Comments
Sorry, what was the name of the virus shown in Malwarebytes?
Can you post the Malwarebytes log file that showed the virus here?
Your HijackThis is way out of date.
Scan again after downloading
HIJACK THIS (Make sure you click 'DOWNLOAD THIS VERSION')
http://www.filehippo.com/download_hijackthis/2894/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds), then post the log so we can see what's running
(do NOT do anything else with HijackThis but scan and post the FULL log)
Well, I ran it through AVG to start with, then Malwarebytes. Here is what AVG said:
"C:\Documents and Settings\l\Local Settings\Temp\wgvyd.exe";"Trojan horse Generic17.CLHL";"Moved to Virus Vault"
"C:\Documents and Settings\l\Local Settings\Application Data\euqxinkmj\dsggxcotssd.exe";"Trojan horse Generic17.CLHL";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\60\332a3d7c-7855afc3:\vmain.class";"Trojan horse Java/Downloader.Q";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\60\332a3d7c-7855afc3";"Trojan horse Java/Downloader.Q";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-680bae2a:\vmain.class";"Trojan horse Java/Downloader.P";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-680bae2a";"Trojan horse Java/Downloader.P";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-59cf8b8a:\vmain.class";"Trojan horse Java/Downloader.N";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-59cf8b8a:\________vload.class";"Trojan horse Java/Downloader.O";"Moved to Virus Vault"
"C:\Documents and Settings\l\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-59cf8b8a";"Trojan horse Java/Downloader.O";"Moved to Virus Vault"
With this warning, plus about 100 tracking cookies:
"HKU\S-1-5-21-1948790748-1637012360-2421829305-1007\Software\Microsoft\Windows\CurrentVersion\Run\\luhfhlln";"Found registry key with reference to infected file C:\Documents and Settings\l\Local Settings\Application Data\euqxinkmj\dsggxcotssd.exe";"Moved to Virus Vault"
Then Malwarebytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
29/05/2010 13:36:40
mbam-log-2010-05-29 (13-36-40).txt
Scan type: Full scan (C:\|E:\|)
Objects scanned: 233548
Time elapsed: 1 hour(s), 0 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\luhfhlln (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\documents and settings\l\application data\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\l\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
Files Infected:
C:\System Volume Information\_restore{094ED2EF-B4C2-48FA-B681-1FACB529B5DF}\RP1\A0000103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Documents and Settings\l\Application Data\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\inst.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\l\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\l\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\l\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
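The `Hijack.Userinit` and `Spyware.Zbot` entries above are the important findings: Zbot (Zeus) has appended `sdra64.exe` to the Winlogon `Userinit` value so it is launched at every logon before the shell, and the `lowsec\local.ds` / `user.ds` files are its configuration and stolen-data store. The Python below is an added example, not part of the thread or of Malwarebytes; it parses a `Userinit` value exactly as Malwarebytes printed it, reports every entry that is not the legitimate `userinit.exe` in `%windir%\system32`, and builds the value to restore. The live-read helper uses `winreg` and is only attempted on Windows (from an elevated shell); the default `C:\WINDOWS` directory is an assumption that matches this log.

```python
# Check the Winlogon Userinit value for Zbot-style hijacks (added example).
# Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value "Userinit".
# Windows runs every comma-separated entry at logon; the only legitimate one on XP is
# userinit.exe in %windir%\system32, written as a bare name or a full path, trailing comma.
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the comma-separated Userinit list into non-empty, trimmed entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_legit_userinit(entry, windir=r"C:\WINDOWS"):
    """True only for userinit.exe itself, bare or as the full system32 path (case-insensitive)."""
    e = entry.strip().strip('"').lower()
    if e == "userinit.exe":
        return True
    expected = ntpath.join(windir, "system32", "userinit.exe").lower()
    return ntpath.normpath(e) == ntpath.normpath(expected)


def rogue_userinit_entries(value, windir=r"C:\WINDOWS"):
    """Every entry that is not the legitimate userinit.exe; empty list means the value is clean."""
    return [e for e in parse_userinit(value) if not is_legit_userinit(e, windir)]


def clean_userinit_value(windir=r"C:\WINDOWS"):
    """The value to put back: full path plus the trailing comma Windows expects."""
    return ntpath.join(windir, "system32", "userinit.exe") + ","


def read_live_userinit():
    """Read the live value on Windows; returns None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib on Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY)
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


# The "Bad:" value exactly as Malwarebytes reported it in the log above.
HIJACKED = (r"C:\WINDOWS\system32\userinit.exe,"
            r"C:\Documents and Settings\l\Application Data\sdra64.exe,"
            r"C:\WINDOWS\system32\sdra64.exe,")

if __name__ == "__main__":
    value = read_live_userinit() or HIJACKED   # fall back to the logged value off-Windows
    for bad in rogue_userinit_entries(value):
        print("ROGUE Userinit entry:", bad)
    print("Expected value:", clean_userinit_value())
```

Two practical caveats: Malwarebytes listed `c:\windows\system32\sdra64.exe` as "Delete on reboot", so the check is only meaningful after that reboot, and because Zbot's whole purpose is credential theft, any banking or e-mail password typed on this machine while `sdra64.exe` was present should be treated as compromised regardless of what the registry looks like now.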
Malwarebytes' Anti-Malware is out of date as well.
Update and rerun the scan.
[STRIKE]I would be tempted if I were in your shoes to uninstall AVG and install Avira and redo a scan as I don't think AVG is that great. What do people think?[/STRIKE]
Don't do this!
The_Grandmaster wrote: »I would be tempted if I were in your shoes to uninstall AVG and install Avira and redo a scan as I don't think AVG is that great. What do people think?
Never install another AV program until the machine's proven to be clean.
OP ~ UPDATE Malwarebytes and run another FULL scan
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT-click the exe file and RENAME it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found on the C drive)
Just so you're aware, you have some really nasty infections.
The_Grandmaster wrote: »OK - I just personally don't trust AVG due to previous events and I've also seen a trojan on a USB not get detected too (on a paid AVG version).
I agree. I don't trust AVG either. But until the computer's free of nasties it's a bad idea to install proper AV programs.
Someone is supposed to be helping me with this on another site, but it takes a rather long time to get an answer. Ran new and updated versions of AVG and Malwarebytes, then a variation of ComboFix he sent me.
Here is the log; sorry if it's longer than requested.
lsass.exe is running, possible virus?
Something keeps switching the firewall off.
ComboFix 10-05-28.08 - l 30/05/2010 15:02:18.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.191 [GMT 1:00]
Running from: c:\documents and settings\l\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\l\Application Data\91F745974D5CB59C2D6B38EDE47DA974
c:\documents and settings\l\Application Data\91F745974D5CB59C2D6B38EDE47DA974\enemies-names.txt
c:\documents and settings\l\Local Settings\Application Data\Windows Server
c:\documents and settings\l\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\l\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\system32\hlp.dat
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ws2_32.dll
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.
2010-05-30 14:12 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-30 09:53 . 2010-05-30 09:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-30 08:26 . 2010-05-30 08:26 -------- d-----w- c:\documents and settings\l\Application Data\Sky-Banners
2010-05-30 08:26 . 2010-05-30 08:26 -------- d-----w- c:\documents and settings\l\Application Data\Street-Ads
2010-05-30 08:25 . 2010-05-30 08:25 50981 ----a-w- c:\windows\system32\ywusmpgbfp.exe
2010-05-30 08:25 . 2010-05-30 11:43 -------- d-----w- c:\documents and settings\l\Local Settings\Application Data\ldqokfhjs
2010-05-30 08:25 . 2010-05-30 08:25 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-30 08:24 . 2010-05-30 08:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-29 18:39 . 2010-05-29 18:39 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-05-28 16:07 . 2010-05-28 16:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Shareaza
2010-05-28 16:07 . 2010-05-28 16:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Shareaza
2010-05-28 16:05 . 2010-05-28 16:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-28 07:26 . 2010-05-28 07:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-27 18:54 . 2010-05-27 18:54 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-27 18:38 . 2010-05-27 18:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\RCP 4
2010-05-27 18:38 . 2010-05-27 18:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-27 16:20 . 2010-05-29 06:47 -------- d-----w- c:\documents and settings\l\Local Settings\Application Data\euqxinkmj
2010-05-27 16:19 . 2010-05-27 16:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\hjeukikv.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\wsbugzzz.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 12:05 . 2009-11-07 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-30 09:29 . 2005-04-01 10:09 -------- d-----w- c:\program files\Eraser
2010-05-29 18:40 . 2008-08-23 18:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 14:04 . 2005-10-30 09:29 -------- d-----w- c:\program files\Cryptainer ME
2010-05-25 19:43 . 2005-04-01 23:05 -------- d-----w- c:\documents and settings\l\Application Data\AdobeUM
2010-05-24 12:39 . 2009-10-04 18:42 -------- d-----w- c:\documents and settings\l\Application Data\vlc
2010-05-21 18:53 . 2009-01-14 17:43 -------- d-----w- c:\program files\ShareScope
2010-05-16 14:07 . 2005-09-29 17:23 -------- d-----w- c:\program files\Cryptainer LE
2010-05-15 17:07 . 2005-10-22 11:23 -------- d-----w- c:\program files\Google
2010-04-29 14:39 . 2008-08-23 18:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2008-08-23 18:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 15:01 . 2007-02-23 20:33 -------- d-----w- c:\documents and settings\l\Application Data\RCP 4
2010-04-23 16:21 . 2010-04-23 16:21 -------- d-----w- c:\documents and settings\l\Application Data\dvdcss
2010-04-21 07:20 . 2009-05-07 17:43 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-19 16:11 . 2005-03-18 19:54 139984 ----a-w- c:\documents and settings\l\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 09:45 . 2010-03-16 09:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 09:45 . 2007-03-20 19:22 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 09:44 . 2009-05-07 17:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2004-10-23 05:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-09-11 14:24 . 2009-09-11 14:23 6745696 ----a-w- c:\program files\Shareaza_2.4.0.0.exe
2008-05-31 21:33 . 2008-05-31 21:33 959079 ----a-w- c:\program files\mp3rt.zip
2008-04-06 12:23 . 2008-04-06 12:23 1484403 ----a-w- c:\program files\VirtualDub-1.8.0-AMD64.zip
2008-04-01 18:58 . 2008-04-01 18:58 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-02-12 21:09 . 2008-04-06 16:13 948224 ----a-w- c:\program files\VirtualDub.exe
2008-02-08 17:30 . 2008-02-08 17:30 104446 ----a-w- c:\program files\lame_enc.zip
2008-02-03 19:21 . 2008-02-03 19:21 276128 ----a-w- c:\program files\stsetup.exe
2008-01-04 11:14 . 2008-01-04 11:14 2724328 ----a-w- c:\program files\ccsetup203.exe
2007-11-23 09:41 . 2007-11-23 09:41 32322536 ----a-w- c:\program files\SSGoldFull.EXE
2007-11-12 12:11 . 2007-11-23 09:43 179435 ----a-w- c:\program files\DesktopSupport.exe
2007-10-26 18:51 . 2007-10-26 18:51 1206366 ----a-w- c:\program files\wrar371.exe
2007-10-01 18:14 . 2007-10-01 18:14 2030080 ----a-w- c:\program files\codec.exe
2007-09-21 15:16 . 2007-09-21 15:11 357424 ----a-w- c:\program files\msicuu2.exe
2007-08-11 14:19 . 2007-08-11 14:18 1632120 ----a-w- c:\program files\RARRecoveryToolboxSetup.exe
2007-08-11 14:03 . 2007-08-11 14:03 1514141 ----a-w- c:\program files\rarrepair.zip
2007-07-22 15:57 . 2007-07-22 15:56 824901 ----a-w- c:\program files\oggcodecs_0.71.0946.exe
2007-03-17 19:38 . 2007-03-17 19:38 23510720 ----a-w- c:\program files\dotnetfx.exe
2007-03-17 19:30 . 2007-03-17 19:30 5485576 ----a-w- c:\program files\PaintDotNet_3_01_BetaNews.exe
2007-01-13 20:43 . 2007-01-13 20:43 13157641 ----a-w- c:\program files\averywizardenglish.exe
2007-01-10 21:26 . 2007-01-10 21:26 801263 ----a-w- c:\program files\0pe.exe
2006-12-30 15:18 . 2006-12-30 15:13 4477566 ----a-w- c:\program files\quickzip.exe
2006-05-30 21:40 . 2006-05-30 21:39 2044269 ----a-w- c:\program files\ieSpellSetup220647.exe
2006-03-25 23:02 . 2006-03-25 23:02 627615 ----a-w- c:\program files\setfd11.zip
2006-03-13 20:00 . 2006-03-13 20:00 6113439 ----a-w- c:\program files\pci_filerecovery.exe
2006-03-13 09:01 . 2006-03-13 09:01 407314 ----a-w- c:\program files\xtsti.exe
2006-01-05 18:48 . 2006-01-05 18:47 4687793 ----a-w- c:\program files\Setup_FreeConverter.exe
2006-01-02 11:26 . 2006-01-02 11:26 11817800 ----a-w- c:\program files\GoogleEarthSetup.exe
2006-01-01 21:55 . 2006-01-01 21:55 7975936 ----a-w- c:\program files\avwinsfx.exe
2006-01-01 21:52 . 2006-01-01 21:52 541279 ----a-w- c:\program files\ccsetup126.exe
2005-12-28 14:10 . 2005-12-28 14:10 363008 ----a-w- c:\program files\switchsetup.exe
2005-12-14 19:52 . 2005-12-14 19:52 4140470 ----a-w- c:\program files\Biostar M6TWG for quantax motherboard.exe
2005-10-30 09:20 . 2005-10-30 09:20 2794626 ----a-w- c:\program files\cryme.exe
2005-10-29 12:03 . 2005-10-29 12:03 2731104 ----a-w- c:\program files\DeepBurner1.exe
2005-10-29 12:03 . 2005-10-29 12:03 2789704 ----a-w- c:\program files\cryle encryption software.exe
2005-10-22 22:05 . 2005-10-22 22:05 363008 ----a-w- c:\program files\music convertor.exe
2005-10-22 21:47 . 2005-10-22 21:47 1157763 ----a-w- c:\program files\Convert Mp3 to WAV.exe
2005-10-09 08:58 . 2005-10-09 08:57 1026632 ----a-w- c:\program files\winamp51_lite.exe
2005-09-30 20:29 . 2005-09-30 20:28 635569 ----a-w- c:\program files\XviD-1.0.3-20122004.exe
2005-09-30 20:17 . 2005-09-30 20:17 2889614 ----a-w- c:\program files\gnu.zip
2005-09-30 20:15 . 2005-09-30 20:15 4166891 ----a-w- c:\program files\gnupg-1.4.2.tar.gz
2005-09-30 20:12 . 2005-09-30 20:12 2891177 ----a-w- c:\program files\gnupg-1.4.2.tar.bz2
2005-09-30 18:12 . 2005-09-30 18:12 5040816 ----a-w- c:\program files\eugold encryption2.exe
2005-09-29 16:06 . 2005-09-29 16:06 2789704 ----a-w- c:\program files\encryption cryle.exe
2005-09-29 15:39 . 2005-09-29 15:39 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-08-02 13:22 . 2008-05-31 21:29 9687445 ----a-w- c:\program files\S-AIO Series - All In One Advanced Files Repair.exe
2005-08-02 13:22 . 2008-05-31 21:29 3426 ----a-w- c:\program files\info.txt
2005-07-15 13:23 . 2005-07-15 13:23 47 ----a-w- c:\program files\setup.lid
2005-07-15 13:23 . 2005-07-15 13:23 334 ----a-w- c:\program files\layout.bin
2005-07-15 13:23 . 2005-07-15 13:23 95 ----a-w- c:\program files\DATA.TAG
2005-07-15 13:23 . 2005-07-15 13:23 78 ----a-w- c:\program files\SETUP.INI
2005-07-15 13:23 . 2005-07-15 13:23 409925 ----a-w- c:\program files\_sys1.cab
2005-07-15 13:23 . 2005-07-15 13:23 114308 ----a-w- c:\program files\_user1.cab
2005-05-29 14:40 . 2005-05-29 14:40 895488 ----a-w- c:\program files\iview397.exe
2005-05-28 17:46 . 2005-05-28 17:46 2995547 ----a-w- c:\program files\everesthome200.exe
2005-05-28 13:47 . 2005-05-28 13:47 0 ----a-w- c:\program files\gnupg-1.4.1.tar.bz2
2005-05-27 20:18 . 2005-05-27 20:18 6859666 ----a-w- c:\program files\PGPfreeware602i.exe
2005-05-27 18:42 . 2005-05-27 18:42 2417824 ----a-w- c:\program files\winzip90.exe
2005-05-27 17:47 . 2005-05-27 17:47 1272856 ------w- c:\program files\USBKEY_Novatech.zip
2005-05-27 17:38 . 2005-05-27 17:38 12430567 ------w- c:\program files\wmew98radeon4123056.exe
2005-05-18 08:15 . 2005-05-18 08:15 1759003 ----a-w- c:\program files\auction selling.exe
2005-04-15 12:41 . 2005-04-15 12:41 90161 ----a-w- c:\program files\setup.ins
2005-04-01 11:51 . 2005-04-01 11:51 183169 ----a-w- c:\program files\hijackthis.zip
2005-04-01 09:58 . 2005-04-01 09:57 3833616 ----a-w- c:\program files\RecoverMyFiles-Setup.exe
2005-04-01 09:53 . 2005-04-01 09:53 2811211 ----a-w- c:\program files\Eraser57Setup.zip
2005-04-01 09:38 . 2005-04-01 09:38 1704539 ----a-w- c:\program files\12wash.exe
2005-03-31 14:33 . 2005-03-31 14:27 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
2005-03-31 14:27 . 2005-03-31 14:25 6811904 ----a-w- c:\program files\psa2011se_us.exe
2005-03-31 14:25 . 2005-03-31 14:25 494704 ----a-w- c:\program files\ytb01_efgsip.exe
2005-03-31 10:33 . 2005-03-31 10:32 10511904 ----a-w- c:\program files\RealPlayer10-5GOLD.exe
2005-03-31 09:23 . 2005-03-31 09:23 11306068 ----a-w- c:\program files\avg70free_308a468.exe
2005-03-30 13:29 . 2005-03-30 13:28 508240 ----a-w- c:\program files\ie6setupOe.exe
2005-03-30 10:59 . 2005-03-30 10:59 6093917 ----a-w- c:\program files\msjavx86.exe
2001-06-08 14:57 . 2007-11-23 09:43 20789 ----a-w- c:\program files\Email Help.HLP
2001-01-10 11:23 . 2007-11-23 09:43 162304 ----a-w- c:\program files\UNWISE.EXE
1999-01-29 14:54 . 2007-11-23 09:43 144896 ----a-w- c:\program files\SSCE5232.dll
1999-01-29 14:24 . 2007-11-23 09:43 58 ----a-w- c:\program files\Userdic.tlx
1999-01-29 12:55 . 2007-11-23 09:43 313693 ----a-w- c:\program files\sscebr2.clx
1997-06-02 12:44 . 1997-06-02 12:44 317092 ----a-w- c:\program files\_INST32I.EX_
1997-06-02 12:20 . 1997-06-02 12:20 280152 ----a-w- c:\program files\_INST16.EX_
1997-06-02 12:17 . 1997-06-02 12:17 8192 ----a-w- c:\program files\_ISDEL.EXE
1997-06-02 12:17 . 1997-06-02 12:17 11264 ----a-w- c:\program files\_SETUP.DLL
2002-07-31 19:55 . 2006-12-22 18:54 108 --sh--w- c:\windows\WSYS049.SYS
.
Sigcheck
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\user32.dll
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1CFAD44-0E8F-49F3-A628-723EF12E305D}]
2010-05-25 05:38 309248 ----a-w- c:\windows\system32\hjeukikv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\l\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-9 111376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
C2CMonitor.lnk - c:\program files\ClickToConvert\C2CMonitor.exe [2009-9-15 412160]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-1 51984]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-5-30 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 09:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"c:\\Program Files\\JavaSoft\\JRE\\1.3.1_02\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\ClickToConvert\\Convert.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Shareaza tcp
"6346:UDP"= 6346:UDP:Shareaza udp
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/05/2009 18:43 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/05/2009 18:43 242896]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [28/01/2007 11:36 6144]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/03/2010 10:44 308064]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [10/03/2005 16:44 75925]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [21/05/2004 01:30 114944]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [10/03/2005 16:44 36583]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [10/03/2005 16:44 10005]
S0 gftkx;gftkx; [x]
S0 xrvaxp;xrvaxp; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2010 19:55 136176]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [10/03/2005 16:51 9510]
.
Contents of the 'Scheduled Tasks' folder
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:55]
2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:55]
2010-05-30 c:\windows\Tasks\User_Feed_Synchronization-{F1245EAA-49CD-4A2C-855C-50EF2839FD39}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
Supplementary Scan
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: {{34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton&pver=2
Trusted Zone: deal4free.com\www
DPF: ADVFN 4v4 - hxxp://www.advfn.com/p.php?pid=loadercab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: SpreadbetClient - hxxp://195.20.122.71/SpreadbetClient.cab
DPF: SpreadbetClientSupportClasses - hxxp://195.20.122.71/SpreadbetClientSupportClasses.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{F30E81B2-865B-9382-B215-119A64AA1CB0} - c:\windows\system32\gceuabbaqjmrfc.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 15:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82AB8D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85a9f28
\Driver\ACPI -> ACPI.sys @ 0xf83bccb8
\Driver\atapi -> atapi.sys @ 0xf835c852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf820ebb0
PacketIndicateHandler -> NDIS.sys @ 0xf81fda0d
SendHandler -> NDIS.sys @ 0xf8211b40
user & kernel MBR OK
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-30 15:21:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 14:20
ComboFix2.txt 2010-05-29 17:27
Pre-Run: 72,535,937,024 bytes free
Post-Run: 72,507,330,560 bytes free
- - End Of File - - B017A753762E3845D6107F7D019D18100
This discussion has been closed.