What the Tech forums: [Closed] VIRUS ALERT next to system time
Missteek
post Jul 18 2008, 07:13 PM
Post #1
Operating System: Windows XP Professional with Service Pack 2

Hello, I have this problem and I am hoping someone can help me get rid of it. I have run Spybot and ThreatFire but I still have the words VIRUS ALERT next to my system time, which is in military format. Here is a copy of my HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 18:05: VIRUS ALERT!, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\ThreatFire\TFService.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Verizon\McciTrayApp.exe
d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\ThreatFire\TFTray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\MediaSource5\MtdAcqu.exe
D:\Program Files\AllWallpapersLite\awplite.exe
D:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\system32\wscntfy.exe
d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\ThreatFire\TFGui.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Wimpy\wimpy_flv_player_pc\FLVplayr.exe
D:\Program Files\Wimpy\wimpy_flv_player_pc\FLVplayr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] D:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] D:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ThreatFire] D:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MtdAcqu] "D:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [awplite] D:\Program Files\AllWallpapersLite\awplite.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with &Shareaza - res://D:\Program Files\Shareaza Pro\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: ShaPlus Google Translator - res://D:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205833221765
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15035/CTPID.cab
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe

Thank you for any help you can offer me.
Linda
LDTate
post Jul 18 2008, 07:14 PM
Post #2
Group: Root Admin

http://forums.whatthetech.com/How_To_Remov...eck_t92654.html
Missteek
post Jul 19 2008, 12:44 PM
Post #3

Thank you, LD Tate, for the info. I downloaded and ran the Malwarebytes Anti-Malware program and it worked great! It seems odd that I can run 4 or 5 different malware/spyware removal programs and they each find something different to remove. Nevertheless, I am just happy to have my system back to normal. Now, if only I can stay away from those porn sites . . .
Linda
LDTate
post Jul 19 2008, 12:48 PM
Post #4

QUOTE (Missteek): Now, if only I can stay away from those porn sites.

That will do it every time.
Did you save the scan results to post here? I'll have a look and see if we need to do anything else.
Missteek
post Jul 19 2008, 01:04 PM
Post #5

Why, that is mighty kind of you, Mr. Tate. Here is a copy of the log file. Hopefully it will pass your inspection with no infection.
Linda

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

11:47:56 PM 7/18/2008
mbam-log-7-18-2008 (23-47-56).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)
Objects scanned: 302025
Time elapsed: 1 hour(s), 57 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.bqbe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CEC53625-4D4F-47F6-B6BA-14BC5B205E26}\RP371\A0169598.dll (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CEC53625-4D4F-47F6-B6BA-14BC5B205E26}\RP371\A0169603.dll (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys139.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys13A.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\Nero\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Nero\2008-03-12.Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE\2008-03-12.Ahead.Nero.v8.3.2.1.Incl\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\WinRAR\Default.SFX (Rogue.Installer) -> Quarantined and deleted successfully.
D:\Documents and Settings\Linda\Application Data\TmpRecentIcons\Vista Antivirus 2008.lnk (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Linda\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
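The two "Registry Data Items" lines in the MBAM log above explain the whole symptom. sTimeFormat under HKCU\Control Panel\International is a format picture, and the taskbar clock renders any unquoted text in it literally, so writing "HH:mm: VIRUS ALERT!" there turns the clock into a fake warning (and switches it to 24-hour display, which is the "military format" the first post mentions). The same string leaks into the HijackThis header, "Scan saved at 18:05: VIRUS ALERT!", because HijackThis stamps its log with the user's time format. The Homepage policy value and the O6 line in the first HijackThis log are the companion home-page lock. What follows is an added example, not part of this thread and not code from HijackThis or Malwarebytes: a Python triage routine that reads pasted HJT/MBAM log text, validates the time picture, flags the O6 policy entry, and emits reg.exe commands to review. The sample log is assembled from lines in this thread; the regular expressions and the choice to treat non-sTimeFormat data items as values to delete are my assumptions.

```python
import re

# A Windows time-format picture is built only from these tokens; literal text
# must be single-quoted ('h:mm tt'), so bare words like VIRUS ALERT! are a red flag.
_TIME_PICTURE = re.compile(r"^(?:h{1,2}|H{1,2}|m{1,2}|s{1,2}|t{1,2}|'[^']*'|[ :.,\-/])*$")
# What a correctly rendered clock string looks like (18:05, 10:56:08 PM, ...).
_RENDERED_TIME = re.compile(r"^\d{1,2}:\d{2}(?::\d{2})?(?: [AP]M)?$")

_HJT_HEADER = re.compile(r"^Scan saved at (?P<time>.+?), on \S+")
_HJT_O6 = re.compile(r"^O6 - (?P<key>HK\S.*?) present$")
_MBAM_DATA = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?)\\(?P<value>[^\\ ]+) \((?P<family>[^)]+)\)"
    r" -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)

INTL_KEY = r"HKEY_CURRENT_USER\Control Panel\International"
DEFAULT_TIME_FORMAT = "h:mm:ss tt"  # en-US default, the "Good:" value MBAM restored

# Constructed sample: lines copied from the HijackThis and MBAM logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 18:05: VIRUS ALERT!, on 7/18/2008
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
Scan saved at 10:56:08 PM, on 7/19/2008
"""


def time_format_is_clean(picture):
    """True when every character is a format token, a separator or quoted literal text."""
    return bool(_TIME_PICTURE.match(picture))


def reg_restore_command(key, value, data):
    """reg.exe line that puts a REG_SZ value back; emitted for review, never executed here."""
    return 'reg add "%s" /v %s /t REG_SZ /d "%s" /f' % (key, value, data)


def reg_delete_command(key, value):
    """reg.exe line that removes a policy value the user never set."""
    return 'reg delete "%s" /v %s /f' % (key, value)


def triage(log_text):
    """Scan pasted HijackThis / MBAM text for the clock-hijack indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _HJT_HEADER.match(line)
        if m:
            # HijackThis stamps its header with the user's sTimeFormat, so the
            # injected text is visible here before any registry line is read.
            if not _RENDERED_TIME.match(m.group("time")):
                findings.append({"indicator": "hijacked time format (HJT header)",
                                 "evidence": m.group("time"),
                                 "fix": reg_restore_command(INTL_KEY, "sTimeFormat", DEFAULT_TIME_FORMAT)})
            continue
        m = _HJT_O6.match(line)
        if m:
            # IE Control Panel restrictions are a domain-policy feature; on a home
            # box they almost always mean a hijacker locked the home page.
            findings.append({"indicator": "IE Control Panel policy present (O6)",
                             "evidence": m.group("key"),
                             "fix": "list the values under this key and remove the ones the user did not set"})
            continue
        m = _MBAM_DATA.match(line)
        if m:
            key, value, bad = m.group("key"), m.group("value"), m.group("bad")
            if value.lower() == "stimeformat":
                verdict = ("literal text injected into sTimeFormat"
                           if not time_format_is_clean(bad) else "sTimeFormat changed")
                fix = reg_restore_command(key, value, m.group("good"))
            else:
                verdict = "registry data changed (%s)" % m.group("family")
                fix = reg_delete_command(key, value)
            findings.append({"indicator": verdict, "evidence": "%s\\%s = %s" % (key, value, bad), "fix": fix})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-45s %s\n    fix: %s" % (f["indicator"], f["evidence"], f["fix"]))
```

Nothing here touches the registry; the reg.exe lines are printed so the helper can check them before the user runs them. Note that Explorer only re-reads sTimeFormat when it restarts or at the next logon, so the clock keeps showing the old text for a while even though the registry value is already back to normal.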
LDTate
post Jul 19 2008, 01:06 PM
Post #6

It won't hurt to check a little deeper.


Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not re-connect your machine to the Internet until ComboFix has completely finished.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Give it at least 20-30 minutes to finish.
Missteek
post Jul 20 2008, 01:02 AM
Post #7

Here are the log files from ComboFix and HijackThis:

ComboFix 08-07-18.5 - Linda 2008-07-19 22:43:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1447 [GMT -7:00]
Running from: D:\Documents and Settings\Linda\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\config.ini
D:\WINDOWS\Downloaded Program Files\setup.inf
D:\WINDOWS\setup.exe
D:\WINDOWS\system32\AutoRun.inf
D:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-18 19:55 . 2008-07-18 19:55 <DIR> d-------- D:\Documents and Settings\Linda\Application Data\Malwarebytes
2008-07-18 19:54 . 2008-07-18 19:54 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 19:54 . 2008-07-18 19:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 19:54 . 2008-07-18 19:15 36,472 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-18 19:54 . 2008-07-18 19:15 17,144 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 19:37 . 2008-07-18 19:38 <DIR> d-------- D:\Program Files\DropBox
2008-07-18 17:55 . 2008-07-18 17:55 191 --a------ D:\WINDOWS\system32\VAlert.bat
2008-07-18 17:18 . 2008-07-18 17:18 <DIR> d-------- D:\Program Files\Trend Micro
2008-07-18 14:39 . 2008-07-18 14:39 <DIR> d-------- D:\Deckard
2008-07-17 22:03 . 2008-07-17 22:03 301 --a------ D:\WINDOWS\doom3.ini
2008-07-15 15:59 . 2006-11-29 13:06 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2008-07-15 15:59 . 2006-09-28 16:05 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll
2008-07-15 15:59 . 2007-01-24 15:27 255,848 --a------ D:\WINDOWS\system32\xactengine2_6.dll
2008-07-15 15:59 . 2006-12-08 12:02 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll
2008-07-15 15:59 . 2006-09-28 16:05 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll
2008-07-15 15:59 . 2007-03-05 12:42 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll
2008-07-15 15:58 . 2008-07-15 15:58 <DIR> d-------- D:\WINDOWS\Logs
2008-07-14 14:06 . 2008-07-14 14:06 <DIR> d-------- D:\Program Files\Wimpy
2008-07-14 12:41 . 2008-07-14 12:41 <DIR> d-------- D:\SmitRem
2008-07-14 03:03 . 2008-07-14 03:03 <DIR> d-------- D:\WINDOWS\ERUNT
2008-07-14 03:01 . 2008-07-14 03:01 <DIR> d-------- D:\Documents and Settings\Administrator
2008-07-14 02:57 . 2008-07-19 22:42 4,958,588 --a------ D:\WINDOWS\{00000005-00000000-00000002-00001102-00000004-10031102}.BAK
2008-07-14 02:53 . 2008-07-14 03:13 <DIR> d-------- D:\SDFix
2008-07-14 02:17 . 2008-07-14 02:17 <DIR> d-------- D:\Program Files\ThreatFire
2008-07-14 02:17 . 2008-07-19 22:47 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-07-14 02:17 . 2008-07-14 02:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-14 02:17 . 2008-04-24 16:52 51,520 --a------ D:\WINDOWS\system32\drivers\TfFsMon.sys
2008-07-14 02:17 . 2008-04-24 16:52 38,208 --a------ D:\WINDOWS\system32\drivers\TfSysMon.sys
2008-07-14 02:17 . 2008-04-24 16:52 33,088 --a------ D:\WINDOWS\system32\drivers\TfNetMon.sys
2008-07-14 02:17 . 2008-04-24 16:52 12,608 --a------ D:\WINDOWS\system32\drivers\TfKbMon.sys
2008-07-14 01:48 . 2008-07-14 01:48 <DIR> d-------- D:\Documents and Settings\Linda\smitRem
2008-07-13 23:08 . 2008-07-19 10:32 <DIR> d-------- D:\WINDOWS\system32\CatRoot2
2008-07-13 22:46 . 2008-07-13 22:47 135 --a------ D:\WINDOWS\wininit.ini
2008-07-13 15:17 . 2008-07-18 23:54 <DIR> d-------- D:\Program Files\BFK
2008-07-13 15:07 . 2008-07-13 15:22 <DIR> d-------- D:\Program Files\Internet Spy
2008-07-13 15:06 . 2008-07-13 15:22 <DIR> d-------- D:\Program Files\HomeKeylogger
2008-07-13 15:03 . 2008-07-13 15:03 792 ---hs---- D:\WINDOWS\system\actualspystart.lnk
2008-07-12 19:56 . 2008-07-12 19:57 <DIR> d-------- D:\Program Files\iTunes
2008-07-12 19:56 . 2008-07-12 19:56 <DIR> d-------- D:\Program Files\iPod
2008-07-12 19:56 . 2008-07-12 19:56 <DIR> d-------- D:\Program Files\Bonjour
2008-07-12 19:55 . 2008-07-12 19:55 <DIR> d-------- D:\Program Files\Common Files\Apple
2008-07-12 19:48 . 2008-07-12 19:48 <DIR> d-------- D:\Program Files\Safari
2008-07-03 09:58 . 2008-07-03 09:58 7,680 --ahs---- D:\WINDOWS\Thumbs.db
2008-07-01 04:41 . 2008-07-01 04:41 0 --a------ D:\java
2008-06-26 19:21 . 2008-06-26 19:24 <DIR> d-------- D:\Program Files\MSECache
2008-06-26 13:12 . 2008-06-26 13:12 <DIR> d-------- D:\Program Files\Sagasoft
2008-06-26 13:12 . 2007-03-29 12:32 2,833,866 --a------ D:\id3editor.exe
2008-06-23 15:43 . 2008-06-23 15:43 <DIR> d-------- D:\Program Files\Cool Timer
2008-06-23 15:43 . 2007-12-15 10:07 90,112 --a------ D:\WINDOWS\system32\ccrpTmr6.dll
2008-06-20 13:37 . 2008-06-20 13:45 <DIR> d-------- D:\Program Files\QuickTime
2008-06-20 13:37 . 2008-07-12 19:56 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 12:17 . 2008-06-20 12:17 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-06-20 12:17 . 2008-06-20 12:17 1,409 --a------ D:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 05:47 60,184,352 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-07-20 05:47 545,568 --sha-w D:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-19 21:07 --------- d-----w D:\Program Files\AdvancedSearchbar
2008-07-19 17:30 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-19 10:24 809,180 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-07-19 10:24 54,344 --sha-w D:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-19 06:47 --------- d-----w D:\Program Files\Nero
2008-07-18 05:04 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-13 02:57 --------- d-----w D:\Documents and Settings\Linda\Application Data\Apple Computer
2008-07-10 03:11 --------- d-----w D:\Documents and Settings\Linda\Application Data\Morpheus PRO
2008-06-20 17:41 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w D:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w D:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 00:06 --------- d-----w D:\Documents and Settings\Linda\Application Data\Creative
2008-06-17 00:03 --------- d-----w D:\Program Files\Creative
2008-06-17 00:02 86,016 ----a-w D:\WINDOWS\system32\OpenAL32.dll
2008-06-17 00:02 409,600 ----a-w D:\WINDOWS\system32\wrap_oal.dll
2008-06-16 23:20 --------- d--h--w D:\Program Files\Creative Installation Information
2008-06-16 23:20 --------- d-----w D:\Program Files\Common Files\Creative
2008-06-15 12:15 --------- d-----w D:\Program Files\SIW
2008-06-15 12:12 --------- d-----w D:\Program Files\Morpheus PRO
2008-06-15 12:10 --------- d-----w D:\Program Files\P2P_Energy
2008-06-15 12:10 --------- d-----w D:\Program Files\Conduit
2008-06-13 13:10 272,128 ------w D:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 19:13 96,966 ----a-w D:\WINDOWS\system32\drivers\klin.dat
2008-06-09 19:13 88,774 ----a-w D:\WINDOWS\system32\drivers\klick.dat
2008-06-09 19:13 112,144 ----a-w D:\WINDOWS\system32\drivers\kl1.sys
2008-06-09 18:46 --------- d-----w D:\Program Files\Kaspersky Lab
2008-06-09 18:20 --------- d-----w D:\Documents and Settings\All Users\Application Data\Avg7
2008-06-08 22:10 --------- d-----w D:\Program Files\CoffeeCup Software
2008-06-07 22:22 --------- d-----w D:\Program Files\FlashFXP
2008-06-05 20:59 --------- d-----w D:\Program Files\Hp
2008-06-05 03:21 286,720 ----a-w D:\WINDOWS\iun507.exe
2008-06-05 03:21 --------- d-----w D:\Program Files\Sea Scene
2008-06-02 05:16 --------- d-----w D:\Program Files\AllWallpapersLite
2008-06-01 08:38 --------- d-----w D:\Documents and Settings\Linda\Application Data\HPAppData
2008-05-30 21:19 507,400 ----a-w D:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18 238,088 ----a-w D:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17 65,032 ----a-w D:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17 25,608 ----a-w D:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11 467,984 ----a-w D:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w D:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w D:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-26 22:19 --------- d-----w D:\Documents and Settings\Linda\Application Data\CyberLink
2008-05-26 22:19 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-22 11:41 25,992 ----a-w D:\WINDOWS\system32\pgdfgsvc.exe
2008-05-22 11:39 --------- d-----w D:\Program Files\Sysinternals
2008-05-22 11:34 --------- d-----w D:\Documents and Settings\Linda\Application Data\Uniblue
2008-05-07 05:18 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w D:\WINDOWS\system32\wininet.dll
2006-06-23 14:48 32,768 ----a-r D:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"Gadwin PrintScreen"="D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 01:42 495616]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"MtdAcqu"="D:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56 278528]
"awplite"="D:\Program Files\AllWallpapersLite\awplite.exe" [2007-02-10 11:17 2607616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="D:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-19 23:36 36864]
"36X Raid Configurer"="D:\WINDOWS\system32\xRaidSetup.exe" [2007-03-21 01:23 1953792]
"StartCCC"="d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 13:17 61440]
"Verizon_McciTrayApp"="D:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 14:37 936960]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"CTSysVol"="D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="D:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"ThreatFire"="D:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"DropBoxUtility"="D:\Program Files\DropBox\DropBox\DropBox.exe" [2008-02-09 17:53 405504]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 D:\WINDOWS\CTHELPER.EXE]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - D:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk.disabled [2008-04-05 16:56:35 1733]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Nero PhotoShow Media Manager"=D:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearFlix\\bearflix.exe"=
"D:\\Program Files\\BearFlix\\bearflix.exe"=
"D:\\Program Files\\Shareaza Pro\\Shareaza Pro.exe"=
"D:\\Program Files\\BearFlix\\IeEmbed.exe"=
"D:\\Program Files\\Morpheus Games Downloader\\Morpheus Games Downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"D:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=

R0 TfFsMon;TfFsMon;D:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;D:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 ThreatFire;ThreatFire;D:\Program Files\ThreatFire\TFService.exe service []
R3 klim5;Kaspersky Anti-Virus NDIS Filter;D:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 TfNetMon;TfNetMon;D:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;D:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-14 23:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 01:53:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 22:47:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 22:49:59
ComboFix-quarantined-files.txt 2008-07-20 05:49:42

Pre-Run: 33,205,211,136 bytes free
Post-Run: 33,247,113,216 bytes free

202 --- E O F --- 2008-07-16 09:05:59


Logfile of HijackThis v1.99.1
Scan saved at 10:56:08 PM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\ThreatFire\TFService.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\ctfmon.exe
d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
D:\Program Files\ThreatFire\TFTray.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\MediaSource5\MtdAcqu.exe
D:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\WINDOWS\system32\CF22119.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] D:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] D:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ThreatFire] D:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [DropBoxUtility] "D:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MtdAcqu] "D:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [awplite] D:\Program Files\AllWallpapersLite\awplite.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Download with &Shareaza - res://D:\Program Files\Shareaza Pro\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: ShaPlus Google Translator - res://D:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - D:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205833221765
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15035/CTPID.cab
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe


I really appreciate your time and efforts..
Thank you,
Linda
LDTate
post Jul 20 2008, 06:46 AM
Post #8


Forum God
Group: Root Admin
Posts: 43,015
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276

You're welcome Linda

Did you install this keylogger?
D:\Program Files\HomeKeylogger
D:\Program Files\Internet Spy


I can't find any information on this file

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

D:\WINDOWS\system32\VAlert.bat

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.


If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html


http://www.virustotal.com/en/indexf.html

Next:

Open notepad and copy/paste the text in the Codebox below into it:

CODE
Folder::
D:\Deckard
D:\SmitRem
D:\SDFix
D:\Program Files\Bonjour


Save this as "CFScript"

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
LDTate
post Jul 26 2008, 05:28 AM
Post #9


Forum God
Group Icon

Group: Root Admin
Posts: 43,015
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276




You still with me?
LDTate
post Jul 29 2008, 03:27 PM
Post #10


Forum God
Group Icon

Group: Root Admin
Posts: 43,015
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276




Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log