Jan 21
Help! Random pop-ups when IE and FF are inactive.
Filed Under: Virus
This just occurred today.
Here’s a log from RSIT.
Logfile of random’s system information tool 1.05 (written by random/random)
Run by Compaq_Owner at 2009-01-11 13:47:23
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 133 GB (73%) free of 183 GB
Total RAM: 958 MB (26% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:47 PM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\GetModule\GetModule33.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\VundoFix.exe
C:\Documents and Settings\Compaq_Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Compaq_Owner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY…RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: {aab3038c-7baf-5c59-f884-a709b4aba650} - {056aba4b-907a-488f-95c5-fab7c8303baa} - C:\WINDOWS\system32\tbisml.dll
O2 - BHO: (no name) - {29AFA3A5-688A-40AB-BFBB-65332E2478B6} - C:\WINDOWS\system32\qoMgfeCr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ac6fd856] rundll32.exe "C:\WINDOWS\system32\kjabltpj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [GetModule33] C:\Program Files\GetModule\GetModule33.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} - http://www.playwhat.com/solidPlugin/solidstateion.cab
O20 - AppInit_DLLs: tbisml.dll
O20 - Winlogon Notify: ljJYSjIx - C:\WINDOWS\SYSTEM32\ljJYSjIx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 9224 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\xmggivje.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{056aba4b-907a-488f-95c5-fab7c8303baa}]
C:\WINDOWS\system32\tbisml.dll [2009-01-11 123392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29AFA3A5-688A-40AB-BFBB-65332E2478B6}]
C:\WINDOWS\system32\qoMgfeCr.dll [2009-01-11 282624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-11-08 251504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2008-11-08 657904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-11-08 251504]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C} - Ask Toolbar - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL [2008-11-16 245760]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-03-08 16010240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-01-24 7311360]
"nwiz"=nwiz.exe /install []
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2005-07-23 237568]
""= []
"PCDrProfiler"= []
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2006-02-16 249856]
"Reminder"=C:\Windows\Creator\Remind_XP.exe [2004-12-14 663552]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe [2005-02-17 49152]
"regcmdcons"=c:\hp\bin\cloaker.exe [1999-11-07 27136]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-05-28 570664]
"DAEMON Tools-1033"=C:\Program Files\D-Tools\daemon.exe [2004-08-22 81920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"ac6fd856"=C:\WINDOWS\system32\kjabltpj.dll [2009-01-11 80896]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-26 68856]
"Aim6"= []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2008-01-22 152872]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-15 342848]
"GetModule33"=C:\Program Files\GetModule\GetModule33.exe [2009-01-08 367616]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
Xfire.lnk - C:\Program Files\Xfire\xfire.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="tbisml.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJYSjIx]
C:\WINDOWS\system32\ljJYSjIx.dll [2009-01-11 36352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\ljJYSjIx.dll [2009-01-11 36352]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\qoMgfeCr
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:EnabledNA"
"C:\WINDOWS\TEMP\init.exe"="C:\WINDOWS\TEMP\init.exe:*:Enabled:ENABLE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8584a2b0-d2ae-11dd-b8c5-001731a5ccf2}]
shell\AutoRun\command - J:\LaunchU3.exe -a
======List of files/folders created in the last 1 months======
2009-01-11 13:43:45 ----D---- C:\VundoFix Backups
2009-01-11 13:43:45 ----A---- C:\VundoFix.txt
2009-01-11 13:36:41 ----D---- C:\ComboFix
2009-01-11 13:36:13 ----D---- C:\Qoobox
2009-01-11 13:36:05 ----A---- C:\WINDOWS\system32\CF4075.exe
2009-01-11 13:24:58 ----SH---- C:\WINDOWS\system32\jptlbajk.ini
2009-01-11 13:24:54 ----A---- C:\WINDOWS\system32\kjabltpj.dll
2009-01-11 13:22:56 ----A---- C:\WINDOWS\system32\vrotypph.dll
2009-01-11 13:22:56 ----A---- C:\WINDOWS\system32\tbisml.dll
2009-01-11 13:22:28 ----A---- C:\WINDOWS\system32\a74c1c28-.txt
2009-01-11 13:21:54 ----ASH---- C:\WINDOWS\system32\rCefgMoq.ini2
2009-01-11 13:21:54 ----ASH---- C:\WINDOWS\system32\rCefgMoq.ini
2009-01-11 13:21:50 ----A---- C:\WINDOWS\system32\qoMgfeCr.dll
2009-01-11 13:16:46 ----A---- C:\WINDOWS\system32\pmnljJYO.dll
2009-01-11 13:16:45 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\GetModule
2009-01-11 13:16:38 ----D---- C:\Program Files\iCheck
2009-01-11 13:16:38 ----D---- C:\Program Files\GetModule
2009-01-11 13:16:37 ----A---- C:\WINDOWS\system32\ljJYSjIx.dll
2008-12-26 10:54:29 ----A---- C:\WINDOWS\unvise32.exe
2008-12-26 10:54:23 ----D---- C:\Program Files\DivXLand
2008-12-23 23:42:28 ----D---- C:\Program Files\BatchDPG
2008-12-23 23:32:29 ----D---- C:\Program Files\eRightSoft
2008-12-23 23:23:55 ----D---- C:\Program Files\AviSynth 2.5
2008-12-23 20:23:31 ----D---- C:\Program Files\PhotoFiltre
2008-12-22 16:10:25 ----D---- C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
2008-12-18 17:38:14 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-15 03:14:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-15 03:13:31 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-15 03:05:17 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-15 03:02:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-15 03:02:20 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-15 03:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
======List of files/folders modified in the last 1 months======
2009-01-11 13:47:36 ----D---- C:\Program Files\Trend Micro
2009-01-11 13:43:08 ----D---- C:\Program Files\Mozilla Firefox
2009-01-11 13:42:11 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\DNA
2009-01-11 13:40:20 ----D---- C:\WINDOWS\temp
2009-01-11 13:37:41 ----D---- C:\WINDOWS
2009-01-11 13:37:35 ----D---- C:\WINDOWS\system32
2009-01-11 13:36:14 ----D---- C:\WINDOWS\ERDNT
2009-01-11 13:35:41 ----D---- C:\WINDOWS\Prefetch
2009-01-11 13:19:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-11 13:16:49 ----SD---- C:\WINDOWS\Tasks
2009-01-11 13:16:38 ----D---- C:\Program Files
2009-01-11 13:16:31 ----A---- C:\WINDOWS\system32\~.exe
2009-01-11 12:46:46 ----SHD---- C:\WINDOWS\system32\twain_32
2009-01-10 23:36:35 ----D---- C:\WINDOWS\system32\FxsTmp
2009-01-10 23:30:46 ----D---- C:\Program Files\DNA
2009-01-10 23:28:57 ----D---- C:\WINDOWS\system32\config
2009-01-10 23:28:35 ----D---- C:\WINDOWS\system32\wbem
2009-01-10 23:28:34 ----D---- C:\WINDOWS\Registration
2009-01-10 23:28:21 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Xfire
2009-01-10 23:28:11 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 17:46:12 ----D---- C:\WINDOWS\system32\Lang
2009-01-09 14:19:50 ----D---- C:\WINDOWS\Minidump
2009-01-02 11:52:18 ----D---- C:\Program Files\Tales of Pirates Online
2008-12-30 18:37:46 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-30 01:58:13 ----AD---- C:\WINDOWS\CREATOR
2008-12-26 13:59:02 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\U3
2008-12-25 13:54:51 ----HD---- C:\WINDOWS\inf
2008-12-24 21:40:54 ----A---- C:\WINDOWS\ModemLog_Agere Systems PCI-SV92PP Soft Modem.txt
2008-12-24 21:40:41 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-22 16:10:27 ----SHD---- C:\WINDOWS\Installer
2008-12-22 08:43:16 ----SD---- C:\Program Files\Xfire
2008-12-22 03:01:05 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-22 03:00:28 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-18 17:45:42 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-15 03:22:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-15 03:21:11 ----D---- C:\Program Files\Internet Explorer
2008-12-15 03:21:10 ----D---- C:\WINDOWS\msagent
2008-12-15 03:15:00 ----A---- C:\WINDOWS\imsins.BAK
2008-12-15 03:14:58 ----HDC---- C:\WINDOWS\$NtUninstallKB899587$
2008-12-15 03:14:54 ----D---- C:\WINDOWS\system32\drivers
2008-12-15 03:14:53 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-15 03:14:49 ----HDC---- C:\WINDOWS\$NtUninstallKB927802$
2008-12-15 03:14:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-15 03:14:37 ----HDC---- C:\WINDOWS\$NtUninstallKB943460$
2008-12-15 03:14:32 ----D---- C:\Program Files\Messenger
2008-12-15 03:14:31 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-15 03:14:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-15 03:14:15 ----HDC---- C:\WINDOWS\$NtUninstallKB928255$
2008-12-15 03:14:02 ----HDC---- C:\WINDOWS\$NtUninstallKB911927$
2008-12-15 03:13:57 ----HDC---- C:\WINDOWS\$NtUninstallKB901017$
2008-12-15 03:13:51 ----HDC---- C:\WINDOWS\$NtUninstallKB899591$
2008-12-15 03:13:40 ----HDC---- C:\WINDOWS\$NtUninstallKB923723$
2008-12-15 03:13:09 ----HDC---- C:\WINDOWS\$NtUninstallKB933729$
2008-12-15 03:12:58 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-12-15 03:12:47 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-15 03:12:36 ----HDC---- C:\WINDOWS\$NtUninstallKB893756$
2008-12-15 03:12:25 ----HDC---- C:\WINDOWS\$NtUninstallKB923980$
2008-12-15 03:12:09 ----HDC---- C:\WINDOWS\$NtUninstallKB911280$
2008-12-15 03:11:58 ----HDC---- C:\WINDOWS\$NtUninstallKB911562$
2008-12-15 03:11:45 ----HDC---- C:\WINDOWS\$NtUninstallKB938828$
2008-12-15 03:11:34 ----D---- C:\WINDOWS\WinSxS
2008-12-15 03:11:31 ----HDC---- C:\WINDOWS\$NtUninstallKB924667$
2008-12-15 03:11:20 ----HDC---- C:\WINDOWS\$NtUninstallKB900485$
2008-12-15 03:11:08 ----HDC---- C:\WINDOWS\$NtUninstallKB924270$
2008-12-15 03:10:50 ----HDC---- C:\WINDOWS\$NtUninstallKB931261$
2008-12-15 03:10:31 ----D---- C:\WINDOWS\system32\en-US
2008-12-15 03:09:46 ----HDC---- C:\WINDOWS\$NtUninstallKB927891$
2008-12-15 03:09:31 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-15 03:09:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-15 03:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-15 03:08:46 ----HDC---- C:\WINDOWS\$NtUninstallKB946026$
2008-12-15 03:08:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-15 03:08:06 ----HDC---- C:\WINDOWS\$NtUninstallKB925398_WMP64$
2008-12-15 03:07:47 ----HDC---- C:\WINDOWS\$NtUninstallKB910437$
2008-12-15 03:07:37 ----D---- C:\Program Files\Windows Media Player
2008-12-15 03:07:36 ----HDC---- C:\WINDOWS\$NtUninstallKB911564$
2008-12-15 03:07:09 ----HDC---- C:\WINDOWS\$NtUninstallKB925902$
2008-12-15 03:07:00 ----HDC---- C:\WINDOWS\$NtUninstallKB920670$
2008-12-15 03:06:50 ----HDC---- C:\WINDOWS\$NtUninstallKB918439$
2008-12-15 03:06:42 ----D---- C:\Config.Msi
2008-12-15 03:06:05 ----HDC---- C:\WINDOWS\$NtUninstallKB890046$
2008-12-15 03:05:59 ----HDC---- C:\WINDOWS\$NtUninstallKB926436$
2008-12-15 03:05:54 ----HDC---- C:\WINDOWS\$NtUninstallKB920872$
2008-12-15 03:05:46 ----HDC---- C:\WINDOWS\$NtUninstallKB930178$
2008-12-15 03:05:40 ----HDC---- C:\WINDOWS\$NtUninstallKB914388$
2008-12-15 03:05:34 ----HDC---- C:\WINDOWS\$NtUninstallKB905414$
2008-12-15 03:05:27 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-15 03:05:23 ----HDC---- C:\WINDOWS\$NtUninstallKB932168$
2008-12-15 03:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB923191$
2008-12-15 03:05:07 ----HDC---- C:\WINDOWS\$NtUninstallKB922582$
2008-12-15 03:04:59 ----HDC---- C:\WINDOWS\$NtUninstallKB918118$
2008-12-15 03:04:52 ----HDC---- C:\WINDOWS\$NtUninstallKB926255$
2008-12-15 03:04:46 ----HDC---- C:\WINDOWS\$NtUninstallKB888302$
2008-12-15 03:04:43 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-15 03:04:32 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2008-12-15 03:04:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-15 03:04:11 ----HDC---- C:\WINDOWS\$NtUninstallKB900725$
2008-12-15 03:04:03 ----HDC---- C:\WINDOWS\$NtUninstallKB920213$
2008-12-15 03:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB935840$
2008-12-15 03:03:51 ----HDC---- C:\WINDOWS\$NtUninstallKB943485$
2008-12-15 03:03:46 ----HDC---- C:\WINDOWS\$NtUninstallKB945553$
2008-12-15 03:03:40 ----HDC---- C:\WINDOWS\$NtUninstallKB886185$
2008-12-15 03:03:36 ----HDC---- C:\WINDOWS\$NtUninstallKB916595$
2008-12-15 03:03:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-15 03:03:14 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
2008-12-15 03:03:04 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-15 03:03:00 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2008-12-15 03:02:52 ----HDC---- C:\WINDOWS\$NtUninstallKB908531$
2008-12-15 03:02:45 ----HDC---- C:\WINDOWS\$NtUninstallKB905749$
2008-12-15 03:02:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-15 03:02:28 ----HDC---- C:\WINDOWS\$NtUninstallKB913580$
2008-12-15 03:02:11 ----HDC---- C:\WINDOWS\$NtUninstallKB896428$
2008-12-15 03:01:57 ----HDC---- C:\WINDOWS\$NtUninstallKB935839$
2008-12-15 03:01:52 ----HDC---- C:\WINDOWS\$NtUninstallKB943055$
2008-12-15 03:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-15 03:01:25 ----HDC---- C:\WINDOWS\$NtUninstallKB920683$
2008-12-15 03:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB953356$
2008-12-15 03:01:15 ----HDC---- C:\WINDOWS\$NtUninstallKB914389$
2008-12-15 03:01:09 ----HDC---- C:\WINDOWS\$NtUninstallKB944653$
2008-12-15 03:01:00 ----HDC---- C:\WINDOWS\$NtUninstallKB890859$
2008-12-13 15:19:46 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-11-08 17801]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2006-01-25 1149888]
R3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-06-26 610816]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\LINKSY~1\GTNDIS5.SYS []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-03-08 4246016]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-01-24 3535520]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 XDva219;XDva219; \??\C:\WINDOWS\system32\XDva219.sys []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS\system32\drivers\tiehdusb.sys [2004-02-04 49536]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-03-24 73728]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-01-24 131139]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2008-01-22 275752]
S2 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe [2005-07-04 53307]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-08 137200]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2008-04-08 800040]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
-----------------EOF-----------------
Welcome to linabbs ohayomeimei
Wow! It got you good too.
Please visit the following webpage for instructions for downloading and running ComboFix
How to use ComboFix
Download ComboFix by sUBs from here, saving the file to your desktop.
Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows
Double click ComboFix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
**NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
I know, right? In a matter of 30 minutes too.
>.>
Here's the ComboFix log.
ComboFix 09-01-10.03 - Compaq_Owner 2009-01-11 14:10:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.336 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Owner\Application Data\gadcom
c:\documents and settings\Compaq_Owner\Application Data\gadcom\gadcom.exe
c:\documents and settings\Compaq_Owner\Application Data\GetModule
c:\documents and settings\Compaq_Owner\Application Data\GetModule\dicik.gz
c:\documents and settings\Compaq_Owner\Application Data\GetModule\kwdik.gz
c:\documents and settings\Compaq_Owner\Application Data\GetModule\ofadik.gz
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\program files\GetModule
c:\program files\GetModule\GetModule33.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\~.exe
c:\windows\system32\jptlbajk.ini
c:\windows\system32\kjabltpj.dll
c:\windows\system32\ljJYSjIx.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\qoMgfeCr.dll
c:\windows\system32\rCefgMoq.ini
c:\windows\system32\rCefgMoq.ini2
c:\windows\system32\rdocurs.dll
c:\windows\system32\tbisml.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\vrotypph.dll
c:\windows\system32\wpv801231601469.cpx
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.
2009-01-11 13:43 . 2009-01-11 13:43 <DIR> d-------- C:\VundoFix Backups
2009-01-11 13:16 . 2009-01-11 13:16 46,080 --a------ c:\windows\system32\pmnljJYO.dll
2008-12-30 00:01 . 2008-12-30 00:05 <DIR> d-------- c:\documents and settings\Compaq_Owner\dwhelper
2008-12-26 10:54 . 2008-12-26 10:54 <DIR> d-------- c:\program files\DivXLand
2008-12-26 10:54 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe
2008-12-23 23:42 . 2008-12-23 23:42 <DIR> d-------- c:\program files\BatchDPG
2008-12-23 23:32 . 2008-12-23 23:32 <DIR> d-------- c:\program files\eRightSoft
2008-12-23 23:32 . 2005-02-12 17:00 186,880 -rahs---- c:\windows\system32\RLOgg.ax
2008-12-23 23:32 . 2005-01-17 17:26 179,200 -rahs---- c:\windows\system32\DiracSplitter.ax
2008-12-23 23:32 . 2005-02-05 17:00 92,672 -rahs---- c:\windows\system32\RLVorbisDec.ax
2008-12-23 23:32 . 2005-02-22 10:55 81,920 -rahs---- c:\windows\system32\aac_parser.ax
2008-12-23 23:32 . 2005-02-12 17:00 67,584 -rahs---- c:\windows\system32\RLTheoraDec.ax
2008-12-23 23:32 . 2005-02-12 17:00 51,712 -rahs---- c:\windows\system32\RLSpeexDec.ax
2008-12-23 23:23 . 2008-12-23 23:23 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-23 20:23 . 2008-12-23 20:25 <DIR> d-------- c:\program files\PhotoFiltre
2008-12-22 16:10 . 2008-12-22 16:10 <DIR> d-------- c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2008-12-19 12:57 . 2008-12-19 12:57 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Xfire
2008-12-18 17:38 . 2008-12-18 17:45 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 19:17 ——— d—–w c:\program files\DNA
2009-01-11 19:17 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\DNA
2009-01-11 18:47 ——— d—–w c:\program files\Trend Micro
2009-01-11 04:28 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Xfire
2009-01-02 17:02 0 —-a-w c:\program files\temp01
2009-01-02 16:52 ——— d—–w c:\program files\Tales of Pirates Online
2008-12-26 18:59 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\U3
2008-12-22 13:43 ——— d-s—w c:\program files\Xfire
2008-12-20 16:49 24,392 —-a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2008-12-06 03:51 ——— d—–w c:\program files\TI Education
2008-12-06 03:51 ——— d—–w c:\program files\Common Files\TI Shared
2008-12-06 03:46 ——— d—–w c:\program files\Common Files\Wise Installation Wizard
2008-12-04 00:24 ——— d—–w c:\program files\Common Files\DirectX
2008-12-03 23:55 ——— d–h–w c:\program files\InstallShield Installation Information
2008-12-03 23:55 ——— d—–w c:\program files\Outspark
2008-12-03 21:39 ——— d—–w c:\program files\MAIET
2008-12-03 20:07 ——— d—–w c:\documents and settings\LocalService\Application Data\Xfire
2008-12-03 19:35 ——— d—–w c:\program files\Common Files\INCA Shared
2008-12-03 19:34 ——— d–h–w c:\documents and settings\Compaq_Owner\Application Data\ijjigame
2008-12-03 19:22 ——— d—–w c:\program files\NHN USA
2008-11-29 18:58 ——— d—–w c:\program files\Safari
2008-11-29 18:58 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2008-11-29 18:57 ——— d—–w c:\program files\Bonjour
2008-11-29 18:49 ——— d—–w c:\program files\QuickTime
2008-11-29 18:48 ——— d—–w c:\program files\Apple Software Update
2008-11-28 16:43 ——— d—–w c:\program files\AskTBar
2008-11-16 19:31 ——— d—–w c:\program files\D-Tools
2008-11-16 19:20 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Ahead
2008-11-16 18:49 717,296 —-a-w c:\windows\system32\drivers\sptd.sys
2008-11-16 18:49 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\DAEMON Tools
2008-11-16 16:43 ——— d—–w c:\documents and settings\All Users\Application Data\Ahead
2008-11-16 16:42 ——— d—–w c:\program files\Common Files\Ahead
2008-11-16 16:39 ——— d—–w c:\program files\Nero
2008-11-16 16:39 ——— d—–w c:\documents and settings\All Users\Application Data\Nero
2008-11-16 16:33 ——— d—–w c:\program files\Ahead
2008-11-16 00:25 ——— d—–w c:\program files\Codec
2008-11-15 01:58 ——— d—–w c:\program files\ESTsoft
2008-11-15 01:58 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\ESTsoft
2008-11-08 21:10 23,040 —-a-w c:\documents and settings\Compaq_Owner\~.exe
2008-11-01 20:08 396,288 —-a-w C:\HijackThis.exe
2008-07-16 15:50 23 -c–a-w c:\documents and settings\Compaq_Owner\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2008-11-16 57344]
[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-05-26 27136]
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 2990416]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-05-26 36903]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2006-05-17 30720]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\docume~1\COMPAQ~1\LOCALS~1\Temp\init.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tbisml.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Temp\\init.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18567:TCP"= 18567:TCP:*isabled:SolidNetworkManager
"18567:UDP"= 18567:UDP:*isabled:SolidNetworkManager
"53574:TCP"= 53574:TCP:*isabled:SolidNetworkManager
"53574:UDP"= 53574:UDP:*isabled:SolidNetworkManager
"4661:TCP"= 4661:TCP:*isabled:SolidNetworkManager
"4661:UDP"= 4661:UDP:*isabled:SolidNetworkManager
"54796:TCP"= 54796:TCP:*isabled:SolidNetworkManager
"54796:UDP"= 54796:UDP:*isabled:SolidNetworkManager
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8584a2b0-d2ae-11dd-b8c5-001731a5ccf2}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the ‘Scheduled Tasks’ folder
2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-11 c:\windows\Tasks\xmggivje.job
- c:\windows\system32\rundll32.exe [2004-08-04 06:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{056aba4b-907a-488f-95c5-fab7c8303baa} - c:\windows\system32\tbisml.dll
BHO-{29AFA3A5-688A-40AB-BFBB-65332E2478B6} - c:\windows\system32\qoMgfeCr.dll
HKCU-Run-GetModule33 - c:\program files\GetModule\GetModule33.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-PCDrProfiler - (no file)
.
——- Supplementary Scan ——-
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 14:16:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\init.exe [1692] 0x84FDFAE8
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
———————— Other Running Processes ————————
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-01-11 14:21:43 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2009-01-11 19:21:36
ComboFix2.txt 2008-11-01 22:26:47
Pre-Run: 143,261,163,520 bytes free
Post-Run: 147,811,639,296 bytes free
221 --- E O F --- 2008-12-22 08:01:11
Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
Collect::
c:\windows\system32\pmnljJYO.dll
File::
c:\windows\Tasks\xmggivje.job
DirLook::
c:\program files\temp01
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Driver::
XDva219
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it’s done. A log will open when it’s complete. Post the contents of that log here.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
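The two Registry:: entries in the script above undo the persistence this log shows: a second executable appended to the Winlogon Userinit value (Winlogon runs every comma-separated program listed there at logon), and a DLL named in AppInit_DLLs (loaded into every process that maps user32.dll). As an added example, not part of the thread and not ComboFix's own code, the Python script below triages a ComboFix "Reg Loading Points" section for those two findings plus three related ones visible in the same log (firewall switched off, a firewall exception for a binary in a Temp directory, a scheduled task whose whole command is rundll32.exe) and emits the same Registry:: fix. The sample lines are constructed from the first ComboFix log in this thread with its extraction line-wraps repaired; the function names and finding labels are this script's own.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the persistence tricks seen
in this thread and emit the matching CFScript Registry:: fix.  Added example,
not ComboFix's own code; finding labels and function names are this script's."""
import re
from typing import List, Tuple

# Constructed sample: shape copied from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\docume~1\COMPAQ~1\LOCALS~1\Temp\init.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tbisml.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Temp\\init.exe"=
Contents of the 'Scheduled Tasks' folder
2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-11 c:\windows\Tasks\xmggivje.job
- c:\windows\system32\rundll32.exe [2004-08-04 06:00]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+c:\\windows\\tasks\\(\S+\.job)$", re.I)


def parse_registry_values(log: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples; data loses its surrounding quotes.
    Empty data is how ComboFix prints firewall exceptions, so it is kept."""
    out, key = [], ""
    for line in (l.strip() for l in log.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1), m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            out.append((key, name, data))
    return out


def parse_scheduled_tasks(log: str) -> List[Tuple[str, str]]:
    """Pair each .job file with the command ComboFix prints on the next line."""
    lines = [l.strip() for l in log.splitlines()]
    out = []
    for i, line in enumerate(lines):
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].startswith("- "):
            # "- c:\path\prog.exe [date time]" -> keep only the path
            out.append((m.group(1), lines[i + 1][2:].rsplit(" [", 1)[0].strip()))
    return out


def triage(log: str) -> List[str]:
    """Return one label per suspicious autostart / firewall entry, in log order."""
    findings = []
    for key, name, data in parse_registry_values(log):
        lname = name.lower()
        if key.endswith("\\winlogon") and lname == "userinit":
            # Winlogon runs every comma-separated program here at logon;
            # only the real userinit.exe belongs in the list.
            extra = [e.strip() for e in data.split(",")
                     if e.strip() and not e.strip().lower().endswith("\\system32\\userinit.exe")]
            if extra:
                findings.append("userinit-hijack: " + "; ".join(extra))
        elif key.endswith("\\currentversion\\windows") and lname == "appinit_dlls" and data:
            # Any DLL named here is loaded into every process that maps user32.dll.
            findings.append("appinit-dll: " + data)
        elif key.endswith("\\standardprofile") and lname == "enablefirewall" and data.startswith("0"):
            findings.append("firewall-disabled")
        elif key.endswith("\\authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")   # ComboFix doubles the backslashes
            if "\\temp\\" in path.lower():
                findings.append("firewall-exception-in-temp: " + path)
    for job, command in parse_scheduled_tasks(log):
        # rundll32.exe as the whole command means the DLL it loads is not shown.
        if command.lower().endswith("\\rundll32.exe"):
            findings.append("task-runs-rundll32: " + job)
    return findings


def cfscript_registry_fix(findings: List[str]) -> str:
    """Registry:: section resetting the two values the helper reset in the thread."""
    lines = ["Registry::"]
    if any(f.startswith("userinit-hijack") for f in findings):
        lines += [r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]",
                  r'"Userinit"="c:\windows\system32\userinit.exe,"']
    if any(f.startswith("appinit-dll") for f in findings):
        lines += [r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                  r'"AppInit_DLLs"=""']
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("\n".join(found) + "\n" + cfscript_registry_fix(found))
```

Run it as-is to see the five findings and the generated Registry:: block; to triage a real log, read the file into a string and pass it to triage(). The generated fix only covers the two registry values; file, task and driver removals still have to be written by hand from the other findings, as the helper did above.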
This is the new log.
But I never got prompted to upload any zip file..
ComboFix 09-01-10.03 - Compaq_Owner 2009-01-11 15:11:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.641 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\Tasks\xmggivje.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\init.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\pmnljJYO.dll
c:\windows\Tasks\xmggivje.job
—– BITS: Possible infected sites —–
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Legacy_XDVA219
——-\Service_XDva219
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.
2009-01-11 13:43 . 2009-01-11 13:43 <DIR> d——– C:\VundoFix Backups
2008-12-30 00:01 . 2008-12-30 00:05 <DIR> d——– c:\documents and settings\Compaq_Owner\dwhelper
2008-12-26 10:54 . 2008-12-26 10:54 <DIR> d——– c:\program files\DivXLand
2008-12-26 10:54 . 1999-12-17 10:13 86,016 –a—— c:\windows\unvise32.exe
2008-12-23 23:42 . 2008-12-23 23:42 <DIR> d——– c:\program files\BatchDPG
2008-12-23 23:32 . 2008-12-23 23:32 <DIR> d——– c:\program files\eRightSoft
2008-12-23 23:32 . 2005-02-12 17:00 186,880 -rahs—- c:\windows\system32\RLOgg.ax
2008-12-23 23:32 . 2005-01-17 17:26 179,200 -rahs—- c:\windows\system32\DiracSplitter.ax
2008-12-23 23:32 . 2005-02-05 17:00 92,672 -rahs—- c:\windows\system32\RLVorbisDec.ax
2008-12-23 23:32 . 2005-02-22 10:55 81,920 -rahs—- c:\windows\system32\aac_parser.ax
2008-12-23 23:32 . 2005-02-12 17:00 67,584 -rahs—- c:\windows\system32\RLTheoraDec.ax
2008-12-23 23:32 . 2005-02-12 17:00 51,712 -rahs—- c:\windows\system32\RLSpeexDec.ax
2008-12-23 23:23 . 2008-12-23 23:23 <DIR> d——– c:\program files\AviSynth 2.5
2008-12-23 20:23 . 2008-12-23 20:25 <DIR> d——– c:\program files\PhotoFiltre
2008-12-22 16:10 . 2008-12-22 16:10 <DIR> d——– c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2008-12-19 12:57 . 2008-12-19 12:57 <DIR> d——– c:\windows\system32\config\systemprofile\Application Data\Xfire
2008-12-18 17:38 . 2008-12-18 17:45 <DIR> d——– c:\windows\system32\CatRoot_bak
2008-12-11 15:37 . 2008-12-11 15:37 42,320 –a—— c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 20:18 ——— d—–w c:\program files\DNA
2009-01-11 20:18 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\DNA
2009-01-11 18:47 ——— d—–w c:\program files\Trend Micro
2009-01-11 04:28 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Xfire
2009-01-02 17:02 0 —-a-w c:\program files\temp01
2009-01-02 16:52 ——— d—–w c:\program files\Tales of Pirates Online
2008-12-26 18:59 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\U3
2008-12-22 13:43 ——— d-s—w c:\program files\Xfire
2008-12-20 16:49 24,392 —-a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2008-12-06 03:51 ——— d—–w c:\program files\TI Education
2008-12-06 03:51 ——— d—–w c:\program files\Common Files\TI Shared
2008-12-06 03:46 ——— d—–w c:\program files\Common Files\Wise Installation Wizard
2008-12-04 00:24 ——— d—–w c:\program files\Common Files\DirectX
2008-12-03 23:55 ——— d–h–w c:\program files\InstallShield Installation Information
2008-12-03 23:55 ——— d—–w c:\program files\Outspark
2008-12-03 21:39 ——— d—–w c:\program files\MAIET
2008-12-03 20:07 ——— d—–w c:\documents and settings\LocalService\Application Data\Xfire
2008-12-03 19:35 ——— d—–w c:\program files\Common Files\INCA Shared
2008-12-03 19:34 ——— d–h–w c:\documents and settings\Compaq_Owner\Application Data\ijjigame
2008-12-03 19:22 ——— d—–w c:\program files\NHN USA
2008-11-29 18:58 ——— d—–w c:\program files\Safari
2008-11-29 18:58 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2008-11-29 18:57 ——— d—–w c:\program files\Bonjour
2008-11-29 18:49 ——— d—–w c:\program files\QuickTime
2008-11-29 18:48 ——— d—–w c:\program files\Apple Software Update
2008-11-28 16:43 ——— d—–w c:\program files\AskTBar
2008-11-16 19:31 ——— d—–w c:\program files\D-Tools
2008-11-16 19:20 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\Ahead
2008-11-16 18:49 717,296 —-a-w c:\windows\system32\drivers\sptd.sys
2008-11-16 18:49 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\DAEMON Tools
2008-11-16 16:43 ——— d—–w c:\documents and settings\All Users\Application Data\Ahead
2008-11-16 16:42 ——— d—–w c:\program files\Common Files\Ahead
2008-11-16 16:39 ——— d—–w c:\program files\Nero
2008-11-16 16:39 ——— d—–w c:\documents and settings\All Users\Application Data\Nero
2008-11-16 16:33 ——— d—–w c:\program files\Ahead
2008-11-16 00:25 ——— d—–w c:\program files\Codec
2008-11-15 01:58 ——— d—–w c:\program files\ESTsoft
2008-11-15 01:58 ——— d—–w c:\documents and settings\Compaq_Owner\Application Data\ESTsoft
2008-11-08 21:10 23,040 —-a-w c:\documents and settings\Compaq_Owner\~.exe
2008-11-01 20:08 396,288 —-a-w C:\HijackThis.exe
2008-07-16 15:50 23 -c–a-w c:\documents and settings\Compaq_Owner\jagex_runescape_preferences.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
—- Directory of c:\program files\temp01 —-
c:\program files\temp01\
((((((((((((((((((((((((((((( snapshot@2009-01-11_14.20.55.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-11 19:00:39 32,768 —-a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2009-01-11 20:00:48 32,768 —-a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-11 19:00:39 32,768 —-a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2009-01-11 20:00:48 32,768 —-a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2008-11-16 57344]
[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-26 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-05-26 27136]
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 2990416]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-05-26 36903]
PalStart.lnk - c:\program files\Paltalk Messenger\palstart.exe [2006-05-17 30720]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18567:TCP"= 18567:TCP:*isabled:SolidNetworkManager
"18567:UDP"= 18567:UDP:*isabled:SolidNetworkManager
"53574:TCP"= 53574:TCP:*isabled:SolidNetworkManager
"53574:UDP"= 53574:UDP:*isabled:SolidNetworkManager
"4661:TCP"= 4661:TCP:*isabled:SolidNetworkManager
"4661:UDP"= 4661:UDP:*isabled:SolidNetworkManager
"54796:TCP"= 54796:TCP:*isabled:SolidNetworkManager
"54796:UDP"= 54796:UDP:*isabled:SolidNetworkManager
— Other Services/Drivers In Memory —
*NewlyCreated* - GTNDIS5
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8584a2b0-d2ae-11dd-b8c5-001731a5ccf2}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the ‘Scheduled Tasks’ folder
2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
——- Supplementary Scan ——-
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 15:17:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
———————— Other Running Processes ————————
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-01-11 15:22:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 20:22:28
ComboFix2.txt 2009-01-11 19:21:45
ComboFix3.txt 2008-11-01 22:26:47
Pre-Run: 147,801,075,712 bytes free
Post-Run: 147,785,035,776 bytes free
201 --- E O F --- 2008-12-22 08:01:11
Did you get prompted to upload a zip file, and if so, was it successful?
If not, please post the contents of C:\Qoobox\ComboFix-quarantined-files.txt
Here are the contents of C:\Qoobox\ComboFix-quarantined-files.txt
2000-04-04 02:52:54 A——- 151,552 C:\Qoobox\Quarantine\C\WINDOWS\system32\RDOCURS.DLL.vir
2000-05-11 22:06:20 A——- 397,312 C:\Qoobox\Quarantine\C\WINDOWS\system32\MSRDO20.DLL.vir
2003-11-21 17:09:40 A——- 5,632 C:\Qoobox\Quarantine\C\WINDOWS\system32\mfcuia32.dll.vir
2003-11-21 17:09:40 A——- 133,904 C:\Qoobox\Quarantine\C\WINDOWS\system32\mfcans32.dll.vir
2004-08-04 06:00:00 A——- 255,488 C:\Qoobox\Quarantine\C\WINDOWS\system32\twext.exe.vir
2006-05-26 17:27:42 A——- 4,617 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2006-05-26 17:27:42 A——- 5,579 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-11-08 16:10:02 A——- 20 C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
2008-11-08 16:10:04 A——- 56,832 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\gadcom\gadcom.exe.vir
2008-11-29 12:22:25 A——- 22,528 C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2008-11-29 12:22:26 A——- 4,410 C:\Qoobox\Quarantine\C\WINDOWS\system32\twain_32\user.ds.vir
2008-11-29 12:22:26 A——- 154,305 C:\Qoobox\Quarantine\C\WINDOWS\system32\twain_32\local.ds.vir
2008-11-29 12:22:26 A——- 230,889 C:\Qoobox\Quarantine\C\WINDOWS\system32\twain_32\user.ds.cla.vir
2008-12-01 17:56:26 A——- 4,784 C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\twain_32\user.ds.vir
2008-12-03 14:22:53 A——- 9 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat.vir
2009-01-08 11:30:12 A——- 367,616 C:\Qoobox\Quarantine\C\Program Files\GetModule\GetModule33.exe.vir
2009-01-11 13:16:35 A——- 198,661 C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv801231601469.cpx.vir
2009-01-11 13:16:37 A——- 36,352 C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYSjIx.dll.vir
2009-01-11 13:16:38 A——- 32,081 C:\Qoobox\Quarantine\C\Program Files\iCheck\Uninstall.exe.vir
2009-01-11 13:16:46 A——- 46,080 C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnljJYO.dll.vir
2009-01-11 13:16:49 A——- 330 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\xmggivje.job.vir
2009-01-11 13:16:50 A——- 164,327 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\GetModule\dicik.gz.vir
2009-01-11 13:16:51 A——- 55 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\GetModule\ofadik.gz.vir
2009-01-11 13:16:51 A——- 78,095 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\GetModule\kwdik.gz.vir
2009-01-11 13:21:50 A——- 282,624 C:\Qoobox\Quarantine\C\WINDOWS\system32\qoMgfeCr.dll.vir
2009-01-11 13:21:54 A——- 679,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\rCefgMoq.ini.vir
2009-01-11 13:21:54 A——- 679,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\rCefgMoq.ini2.vir
2009-01-11 13:22:56 A——- 123,392 C:\Qoobox\Quarantine\C\WINDOWS\system32\tbisml.dll.vir
2009-01-11 13:22:56 A——- 123,392 C:\Qoobox\Quarantine\C\WINDOWS\system32\vrotypph.dll.vir
2009-01-11 13:24:54 A——- 80,896 C:\Qoobox\Quarantine\C\WINDOWS\system32\kjabltpj.dll.vir
2009-01-11 13:24:58 A——- 1,256,329 C:\Qoobox\Quarantine\C\WINDOWS\system32\jptlbajk.ini.vir
2009-01-11 13:36:14 A——- 745 C:\Qoobox\Quarantine\catchme.log
2009-01-11 14:11:07 A——- 1,662 C:\Qoobox\Quarantine\C\WINDOWS\system32\twain_32\_user_.ds.zip
2009-01-11 14:11:07 A——- 105,083 C:\Qoobox\Quarantine\C\WINDOWS\system32\twain_32\_local_.ds.zip
2009-01-11 14:12:41 A——- 7,699 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-01-11 14:16:47 A——- 37,376 C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Local Settings\Temp\init.exe.vir
2009-01-11 14:20:56 A——- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{29AFA3A5-688A-40AB-BFBB-65332E2478B6}.reg.dat
2009-01-11 14:20:56 A——- 416 C:\Qoobox\Quarantine\Registry_backups\BHO-{056aba4b-907a-488f-95c5-fab7c8303baa}.reg.dat
2009-01-11 14:20:57 A——- 90 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2009-01-11 14:20:57 A——- 142 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-GetModule33.reg.dat
2009-01-11 14:20:58 A——- 99 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PCDrProfiler.reg.dat
2009-01-11 15:11:36 A——- 44,835 C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@15.11.zip
2009-01-11 15:15:06 A——- 1,088 C:\Qoobox\Quarantine\Registry_backups\Legacy_XDVA219.reg.dat
2009-01-11 15:15:07 A——- 2,484 C:\Qoobox\Quarantine\Registry_backups\Service_XDva219.reg.dat
Please upload the following file to this submission channel.
C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@15.11.zip
Then, do an online scan with Kaspersky Online Scanner
Click Accept when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click View scan report at the bottom.
Click the Save Report As… button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Post the Kaspersky log here.
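The quarantine listing above is worth a second look before the next scan, because the file names alone already tell a story: several eight-letter random DLLs in system32, and for two of them an .ini (and .ini2) whose name is the DLL's name spelled backwards (qoMgfeCr.dll with rCefgMoq.ini, kjabltpj.dll with jptlbajk.ini), a naming trick long associated with Vundo-family adware. Below is a small triage script, added here as an example and not part of the thread or of ComboFix, that parses lines in this listing's format, recovers the original path from the Quarantine\C mirror, and applies those naming and persistence heuristics. The sample lines are copied from the listing above; the heuristic rules, thresholds and function names are my own assumptions, not anything the helper tools define.

```python
import re

# Constructed sample: lines copied from the ComboFix quarantine listing above.
# The attribute column is written "A------" here; the parser accepts any
# non-space token there, so a log with a garbled attribute field parses too.
SAMPLE_LOG = r"""
2009-01-11 13:16:37 A------ 36,352 C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYSjIx.dll.vir
2009-01-11 13:16:49 A------ 330 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\xmggivje.job.vir
2009-01-11 13:21:50 A------ 282,624 C:\Qoobox\Quarantine\C\WINDOWS\system32\qoMgfeCr.dll.vir
2009-01-11 13:21:54 A------ 679,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\rCefgMoq.ini.vir
2009-01-11 13:21:54 A------ 679,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\rCefgMoq.ini2.vir
2009-01-11 13:24:54 A------ 80,896 C:\Qoobox\Quarantine\C\WINDOWS\system32\kjabltpj.dll.vir
2009-01-11 13:24:58 A------ 1,256,329 C:\Qoobox\Quarantine\C\WINDOWS\system32\jptlbajk.ini.vir
2009-01-11 14:20:56 A------ 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{29AFA3A5-688A-40AB-BFBB-65332E2478B6}.reg.dat
2009-01-11 14:20:57 A------ 142 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-GetModule33.reg.dat
2009-01-11 15:15:07 A------ 2,484 C:\Qoobox\Quarantine\Registry_backups\Service_XDva219.reg.dat
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([\d,]+)\s+(.+)$"
)
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
# Heuristic (assumption): an eight-letter stem with no digits or separators
# is treated as "random-looking"; tune this for your own environment.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")
# Registry backup names ComboFix writes for persistence points it removed
# (prefixes observed in the listing above).
PERSISTENCE_PREFIXES = ("BHO-", "HKCU-Run-", "HKLM-Run-", "Service_", "Legacy_")


def parse_quarantine(text):
    """Parse listing lines into dicts; lines that do not match are skipped."""
    entries = []
    mirrored = QUARANTINE_ROOT + "\\C\\"
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, attrs, size, qpath = m.groups()
        original = None
        if qpath.startswith(mirrored):
            # ComboFix mirrors the source path under Quarantine\C and appends .vir
            original = "C:\\" + qpath[len(mirrored):]
            if original.lower().endswith(".vir"):
                original = original[:-4]
        entries.append({
            "time": ts,
            "attrs": attrs,
            "size": int(size.replace(",", "")),
            "quarantine_path": qpath,
            "original_path": original,
        })
    return entries


def _split_name(path):
    """Return (stem, lowercased extension) of the last path component."""
    name = path.rsplit("\\", 1)[-1]
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext.lower()


def triage(entries):
    """Apply naming and persistence heuristics; returns {rule: sorted paths}."""
    findings = {}

    def add(rule, item):
        findings.setdefault(rule, set()).add(item)

    # Stems of every quarantined DLL in system32, for the reversed-name check.
    dll_stems = set()
    for e in entries:
        p = e["original_path"]
        if p and "\\windows\\system32\\" in p.lower():
            stem, ext = _split_name(p)
            if ext == "dll":
                dll_stems.add(stem)

    for e in entries:
        path = e["original_path"]
        if path:
            stem, ext = _split_name(path)
            low = path.lower()
            if "\\windows\\system32\\" in low and RANDOM_STEM_RE.match(stem):
                add("random 8-letter name in system32", path)
            if ext in ("ini", "ini2") and stem[::-1] in dll_stems:
                add("reversed-name ini/dll pair", path)
            if "\\windows\\tasks\\" in low and ext == "job":
                add("scheduled-task persistence", path)
        else:
            name = e["quarantine_path"].rsplit("\\", 1)[-1]
            if "\\Registry_backups\\" in e["quarantine_path"] and name.startswith(PERSISTENCE_PREFIXES):
                add("registry persistence point removed", name)
    return {rule: sorted(items) for rule, items in findings.items()}


if __name__ == "__main__":
    for rule, items in triage(parse_quarantine(SAMPLE_LOG)).items():
        print(rule)
        for item in items:
            print("   ", item)
```

Run it against a full quarantine section and the "reversed-name ini/dll pair" and "registry persistence point removed" buckets give a quick list of what the cleanup actually touched, which is useful context when reading the follow-up Kaspersky report requested above.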