WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] My computer is possesed

Started by boz228452 , May 25 2008 08:20 PM

This topic is locked

22 replies to this topic

#1 boz228452

New Member

New Member
10 posts

Posted 25 May 2008 - 08:20 PM

I am running win xp and somthing has taken over my computer
al control delete does nothing,lots of pop ups and all windows will close by themselves for no reason

here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:13:57 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\jmwnw64l.exe
C:\Documents and Settings\Owner\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [{36-6D-DD-DC-DW}] C:\windows\system32\jmwnw64l.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Owner\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [fc236d73] rundll32.exe "C:\WINDOWS\system32\yisfptbr.dll",b
O4 - HKLM\..\Run: [BMff105eef] Rundll32.exe "C:\WINDOWS\system32\cvvfsmxv.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jmwnw64l.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147825771500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay11...ex/HMAtchmt.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Advertisements

Register to Remove

#2 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 26 May 2008 - 11:14 PM

Hi boz228452, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#3 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 28 May 2008 - 08:15 AM

boz228452,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

You have an older version of HijackThis.

Download HijackThis from Here .

If using Internet Explorer, Please select RUN
If Using Firefox, Download to your Desktop and then Double-Click on Icon to start installation.
Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
Click the Install button.
Accept the license agreement .
The progam will place a shortcut on your desktop. This will make it easier for you to access the tool when required.

Don't run a new scan until after you run Combofix.

Click Start, then Settings, then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, Remove HijackThis v1.99.1

A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

WINDOWS DEFENDER

Click Start > Programs > Windows Defender or launch from the system tray icon.
Click on Tools & Settings > Options.
Under Real-time protection options, uncheck the "Real-time protection" check box.
Click Save.
Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
(When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image

sign.

right-click it -> chose "Exit."
a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

You succesfully disabled the McAfee Guard.

Go to Posted Image

-> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

DO NOT USE your computer for any other purpose while ComboFix is running.
ComboFix may restart your computer, this is normal.
When finished, it will produce a log, ComboFix.txt.
Please post ComboFix.txt in your next reply along with a new HijackThis log.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#4 boz228452

New Member

New Member
10 posts

Posted 28 May 2008 - 11:34 AM

I am experienceing alot of problems the laptop i am having issues with no longer will open the what the tech forums i had to dl combo fix by manually typing in the url from my desktop and now when i run combo fix it gives error message Windows cannot find 'C:\WINDOWS\regedit.exe' make sure you typed the name correctly and try again

#5 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 28 May 2008 - 08:19 PM

boz228452, Let's try a different tool and see if it will run Please download SDFix and save it to your Desktop. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key repeatedly; * Instead of Windows loading as normal, a menu with options should appear; * Select the first option, to run Windows in Safe Mode, then press "Enter". * Choose your usual user account. * Open the SDFix folder and double click on RunThis.bat to start the script. * Type Y and press Enter to begin the script. * It will start cleaning your PC and then prompt you to press any key to Reboot. * Press any key to restart the PC. * Your system will take longer than normal to restart as the fixtool will be removing files. * When the desktop loads the Fixtool will complete the removal and display Finished. * Press any key to end the script and to load your desktop icons. * A text file should automatically open, so please copy the contents and post them here. We also need you to post a new HijackThis log

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#6 boz228452

New Member

New Member
10 posts

Posted 28 May 2008 - 10:30 PM

SDFix: Version 1.186
Run by Owner on Wed 05/28/2008 at 10:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\RQRKEULC.DLL - Deleted
C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\vntiho05\vntiho051080.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\Documents and Settings\Owner\svchost.exe - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\jmwnw64l.exe - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\drivers\HSFHWI~1.sys - Deleted
C:\Documents and Settings\Owner\!\*.avi - 6120 File(s) 242,205,120 bytes - Deleted

Folder C:\Documents and Settings\Owner\! - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho05 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 22:46:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1130631592\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1130631592\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"c:\\windows\\system32\\rk.exe"="c:\\windows\\system32\\rk.exe:*:Enabled:rk.exe"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os2D9.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os2D9.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os11.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os11.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os3D7.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os3D7.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os3D.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os3D.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os140.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\~os140.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files :

File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 26 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 7 Dec 2007 956 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02a4f2fd7d9c575c80786d5284ddaf44\BIT3.tmp"
Fri 16 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\27d4a83e15599dacf71be27edd0b072a\BIT8.tmp"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT5.tmp"
Sat 26 Nov 2005 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sat 26 Nov 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 26 Nov 2005 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:40 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [{36-6D-DD-DC-DW}] C:\windows\system32\jmwnw64l.exe DWram
O4 - HKLM\..\Run: [fc236d73] rundll32.exe "C:\WINDOWS\system32\lohwgmqr.dll",b
O4 - HKLM\..\Run: [BMff105eef] Rundll32.exe "C:\WINDOWS\system32\mobbwqxt.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147825771500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay11...ex/HMAtchmt.ocx
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://organizations...et/0f5a7770.jpg
O24 - Desktop Component 1: (no name) - http://myspace-974.v...528201974_m.jpg
O24 - Desktop Component 2: (no name) - http://myspace-974.v...528201974_l.jpg
O24 - Desktop Component 3: (no name) - http://organizations...et/0f3a6760.jpg
O24 - Desktop Component 4: (no name) - http://organizations...et/0f1b1740.jpg

--
End of file - 9692 bytes

#7 boz228452

New Member

New Member
10 posts

Posted 28 May 2008 - 10:36 PM

#8 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 28 May 2008 - 11:44 PM

boz228452, That was a good start. Please try to run Combofix again using earlier instructions. Please post ComboFix.txt in your next reply along with a new HijackThis log.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#9 boz228452

New Member

New Member
10 posts

Posted 30 May 2008 - 06:44 AM

ComboFix 08-05-27.4 - Owner 2008-05-30 7:28:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\Starware
C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Owner\My Documents\RACLE~1
C:\Documents and Settings\Owner\My Documents\RACLE~1\?racle\
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pcodec
C:\Program Files\pcodec\iesuninst.exe
C:\Program Files\pcodec\pmuninst.exe
C:\Program Files\video access activex object
C:\Program Files\video activex object
C:\Program Files\video activex object\isauninst.exe
C:\WINDOWS\BMff105eef.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\scurit~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\cvvfsmxv.dll
C:\WINDOWS\system32\hgGxVOii.dll
C:\WINDOWS\system32\hknerkkt.exe
C:\WINDOWS\system32\iiOVxGgh.ini
C:\WINDOWS\system32\iiOVxGgh.ini2
C:\WINDOWS\system32\jpcxngul.dll
C:\WINDOWS\system32\ljtlqcri.dll
C:\WINDOWS\system32\llcbnkge.dll
C:\WINDOWS\system32\lohwgmqr.dll
C:\WINDOWS\system32\mfkwejcr.exe
C:\WINDOWS\system32\mnphooyp.dll
C:\WINDOWS\system32\mobbwqxt.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msknnrtp.dll
C:\WINDOWS\system32\ntgahcby.ini
C:\WINDOWS\system32\pcgutklt.dll
C:\WINDOWS\system32\ptffeikv.exe
C:\WINDOWS\system32\rbtpfsiy.ini
C:\WINDOWS\system32\rqmgwhol.ini
C:\WINDOWS\system32\siserjvc.ini
C:\WINDOWS\system32\wbvaaonr.ini
C:\WINDOWS\system32\wjbcskbk.exe
C:\WINDOWS\system32\wnsintsu.exe
C:\WINDOWS\system32\wwjoogxi.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 22:16 . 2008-05-28 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 16:48 . 2008-05-28 16:48 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-05-28 11:05 . 2008-05-28 11:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 10:54 . 2008-05-28 10:54 200,774 --a------ C:\WINDOWS\system32\qcntnkdn.exe
2008-05-26 14:24 . 2008-05-26 14:24 200,769 --a------ C:\WINDOWS\system32\qcntnkdm.exe
2008-05-23 17:03 . 2008-05-23 17:03 401,972 --a------ C:\WINDOWS\system32\g98.exe
2008-05-23 16:33 . 2008-05-23 16:33 <DIR> d-------- C:\WINDOWS\system32\hI2
2008-05-23 16:33 . 2008-05-23 16:33 <DIR> d-------- C:\WINDOWS\system32\at1
2008-05-23 16:33 . 2008-05-23 16:33 <DIR> d-------- C:\WINDOWS\system32\1064a
2008-05-23 16:33 . 2008-05-23 16:33 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-23 16:33 . 2008-05-23 16:33 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-23 16:33 . 2008-05-28 11:05 858 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-20 18:11 . 2008-05-25 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 18:11 . 2008-04-20 18:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 20:35 . 2008-04-16 08:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 21:49 --------- d-----w C:\Program Files\Real
2008-05-17 17:41 --------- d-----w C:\Program Files\Google
2008-04-29 18:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\XnView
2008-03-30 19:30 --------- d-----w C:\Program Files\XnView
2007-08-01 01:23 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-01 01:23 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-01 01:23 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-01 01:23 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-01 01:23 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-01 01:23 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-01 01:23 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-01 01:23 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-01 01:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2006-10-24 13:51 76,736 ----a-w C:\Program Files\MySpaceIM_Setup.exe
2006-08-17 01:42 4,526,408 ----a-w C:\Program Files\BSINSTALL.exe
2006-06-09 20:12 3,725,420 ----a-w C:\Program Files\Pat[1].Orlando.01-027.zip
2006-04-26 21:23 905,728 ----a-w C:\Program Files\iview398.exe
2006-03-27 23:59 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 21:38 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 20:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 20:47 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 02:29 126976]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\MssCli.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" [ ]
"{36-6D-DD-DC-DW}"="C:\windows\system32\jmwnw64l.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-05 16:52:55 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2005-10-29 19:17:39 729088]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S1 HSFHWICHH;HSFHWICHH;C:\WINDOWS\system32\drivers\HSFHWICHH.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 12:36:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 07:34:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-30 7:40:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 12:40:21

Pre-Run: 24,769,757,184 bytes free
Post-Run: 24,846,258,176 bytes free

180 --- E O F --- 2008-05-15 04:36:58

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:44, on 2008-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [{36-6D-DD-DC-DW}] C:\windows\system32\jmwnw64l.exe DWram
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147825771500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay11...ex/HMAtchmt.ocx
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://organizations...et/0f5a7770.jpg
O24 - Desktop Component 1: (no name) - http://myspace-974.v...528201974_m.jpg
O24 - Desktop Component 2: (no name) - http://myspace-974.v...528201974_l.jpg
O24 - Desktop Component 3: (no name) - http://organizations...et/0f3a6760.jpg
O24 - Desktop Component 4: (no name) - http://organizations...et/0f1b1740.jpg

--
End of file - 9251 bytes

#10 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 30 May 2008 - 02:37 PM

boz228452,

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

KILLALL::

File::
C:\WINDOWS\system32\qcntnkdn.exe
C:\WINDOWS\system32\qcntnkdm.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\winpfz33.sys
C:\Documents and Settings\Owner\Application Data\wklnhst.dat

Folder::
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\1064a
C:\WINDOWS\SxsCaPendDel

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{36-6D-DD-DC-DW}"=-

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

THEN

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (If available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

So your next reply should contain:

Combofix report
Kaspersky report
New HijackThis log

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

Advertisements

Register to Remove

#11 boz228452

New Member

New Member
10 posts

Posted 30 May 2008 - 08:17 PM

ComboFix 08-05-27.4 - Owner 2008-05-30 18:21:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.317 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Owner\Application Data\wklnhst.dat
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\qcntnkdm.exe
C:\WINDOWS\system32\qcntnkdn.exe
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\wklnhst.dat
C:\WINDOWS\SxsCaPendDel
C:\WINDOWS\system32\1064a
C:\WINDOWS\system32\1064a\tgvram102.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\hI2\aSCdt4x.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\qcntnkdm.exe
C:\WINDOWS\system32\qcntnkdn.exe
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 22:16 . 2008-05-28 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 11:05 . 2008-05-28 11:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 17:03 . 2008-05-23 17:03 401,972 --a------ C:\WINDOWS\system32\g98.exe
2008-05-23 16:33 . 2008-05-23 16:33 <DIR> d-------- C:\WINDOWS\system32\at1
2008-04-20 18:11 . 2008-05-25 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 18:11 . 2008-04-20 18:11 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 21:49 --------- d-----w C:\Program Files\Real
2008-05-17 17:41 --------- d-----w C:\Program Files\Google
2008-04-29 18:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\XnView
2008-03-30 19:30 --------- d-----w C:\Program Files\XnView
2007-08-01 01:23 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-01 01:23 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-01 01:23 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-01 01:23 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-01 01:23 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-01 01:23 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-01 01:23 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-01 01:23 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-01 01:23 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2006-10-24 13:51 76,736 ----a-w C:\Program Files\MySpaceIM_Setup.exe
2006-08-17 01:42 4,526,408 ----a-w C:\Program Files\BSINSTALL.exe
2006-06-09 20:12 3,725,420 ----a-w C:\Program Files\Pat[1].Orlando.01-027.zip
2006-04-26 21:23 905,728 ----a-w C:\Program Files\iview398.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_ 7.39.39.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 12:33:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 23:24:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 22:45:13 4,724 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{59E71F09-8508-4166-B194-8FD8E88C2C30}.bin
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 21:38 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 20:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 20:47 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 02:29 126976]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\MssCli.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-05 16:52:55 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2005-10-29 19:17:39 729088]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133305375\\ee\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S1 HSFHWICHH;HSFHWICHH;C:\WINDOWS\system32\drivers\HSFHWICHH.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 23:27:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 18:25:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-30 18:31:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 23:30:57
ComboFix2.txt 2008-05-30 12:40:34

Pre-Run: 24,752,914,432 bytes free
Post-Run: 24,740,593,664 bytes free

146 --- E O F --- 2008-05-30 12:47:05

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-30 21:17
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 816364
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 53310
Number of viruses found: 28
Number of infected objects: 82
Number of suspicious objects: 0
Duration of the scan process: 00:45:28

Infected Object Name / Virus Name / Last Action
C:\2C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\2C.tmp NSIS: infected - 1 skipped
C:\2D.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\2D.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\2D.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\2D.tmp NSIS: infected - 3 skipped
C:\31.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12302006-202400.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\MySpace\IM\Logs\MySpaceIM-20080530-182732.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe/WISE0105.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe WiseSFXDropper: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\MUSIC FILES\hip-hop\webbi i know.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/b122.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/jmwnw64l.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/rqRKEULC.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan.Win32.VB.daj skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/UWFX6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/vntiho051080.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip ZIP: infected - 9 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DF8BDD.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFCE1E.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFCE29.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe/WISE0025.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe WiseSFXDropper: infected - 1 skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BSINSTALL.exe/WISE0026.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BSINSTALL.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BSINSTALL.exe WiseSFX: infected - 2 skipped
C:\Program Files\BSINSTALL.exe WiseSFXDropper: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\PCODEC\iesuninst.exe.vir Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\QooBox\Quarantine\C\Program Files\PCODEC\pmuninst.exe.vir Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\QooBox\Quarantine\C\Program Files\Video ActiveX Object\isauninst.exe.vir Infected: Trojan-Downloader.Win32.Zlob.biu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\1064a\tgvram102.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cvvfsmxv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.umu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hI2\aSCdt4x.exe.vir Infected: Trojan.Win32.Agent.lom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljtlqcri.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\llcbnkge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP767\A0036668.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP767\A0036669.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036683.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036686.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036687.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP772\A0036693.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP773\A0036704.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP774\A0036711.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP775\A0036714.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP776\A0036774.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP776\A0036780.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ugj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039865.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039867.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039868.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039870.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039871.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039874.exe Infected: Trojan.Win32.VB.daj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039876.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039878.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039885.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039889.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039890.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039894.dll Infected: Trojan.Win32.Inject.cgf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039895.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039896.exe Infected: Trojan.Win32.VB.daj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039899.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039900.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP777\A0039901.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039975.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039976.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039977.exe Infected: Trojan-Downloader.Win32.Zlob.biu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.umu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039985.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP778\A0039986.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040059.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040060.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040064.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\A0040065.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\at1\sxdparsdll.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\g98.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g98.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g98.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP781\change.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19, on 2008-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130631592\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147825771500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay11...ex/HMAtchmt.ocx
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://organizations...et/0f5a7770.jpg
O24 - Desktop Component 1: (no name) - http://myspace-974.v...528201974_m.jpg
O24 - Desktop Component 2: (no name) - http://myspace-974.v...528201974_l.jpg
O24 - Desktop Component 3: (no name) - http://organizations...et/0f3a6760.jpg
O24 - Desktop Component 4: (no name) - http://organizations...et/0f1b1740.jpg

--
End of file - 9331 bytes

#12 boz228452

New Member

New Member
10 posts

Posted 03 June 2008 - 09:44 AM

Is there anything else i need to do? i read through all the intructions and the pc is acting normal again is it fixed? or is there another step to the process?

#13 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 03 June 2008 - 11:35 AM

boz228452, Sorry about the delay. No you're not quite fixed yet. We got a pile but there is a little more to do. I'm waiting on a confirmation and hope to have some information to you shortly.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#14 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 03 June 2008 - 03:23 PM

boz228452,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is often installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware
It is STRONGLY recommended that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

Click Start, then Settings, then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, Remove the Viewpoint component
Do the same for each Viewpoint component.

BearShare
You have BearShare, a P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetw...cles/art053.htm
See Clean/Infected P2P Programs here

Your BearShare, is infected. Please remove it via Control Panel >> Add or Remove Programs.

Please either print out these instructions for reference or copy/paste them in notepad and save to your desktop for access when in safe mode

Make all files and folders visible
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please make sure your protection programs are still disabled or they may interfere with our fix:

Please open HijackThis and run Do a system scan only
Check the boxes next to ONLY the entries listed below(if present):
- R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
  O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
  O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
  O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
Close all programs except for HijackThis.
Click on Fix checked
A box will pop up asking you if you wish to fix the selected items. Please choose YES.
Once it has fixed them, please exit/close HijackThis.

We Now Need To Boot Into Safemode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEEN).
At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
C:\2C.tmp <--This file
C:\2D.tmp <--This file
C:\31.tmp <--This file
C:\Documents and Settings\Owner\Desktop\BearShareV6.exe <--This file
C:\Documents and Settings\Owner\Desktop\MUSIC FILES\hip-hop\webbi i know.mp3 <--This file
C:\Documents and Settings\Owner\My Documents\Big John\BSINSTALL.exe <--This file
C:\Program Files\BSINSTALL.exe <--This file
C:\WINDOWS\system32\at1\sxdparsdll.exe <--This file
C:\WINDOWS\system32\g98.exe[/b] <--This file

Don't be concerned if you don't find these folders. It just means that it was already removed in a previous step.

Restart your computer normally.

Let's be sure we got everything.

Please run the following scan: [url="http://www.eset.com/onlinescan/"]Eset Online Scanner

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#15 boz228452

New Member

New Member
10 posts

Posted 03 June 2008 - 10:27 PM

# version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3156 (20080603) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=c6f9a042b4b631488a6100946a0fe9c7 # end=finished # remove_checked=false # unwanted_checked=false # utc_time=2008-06-04 04:26:01 # local_time=2008-06-03 11:26:01 (-0600, Central Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=251672 # found=19 # scan_time=2432 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip multiple infiltrations 20FCCC37A083FAF05CCF9A41D6F3B95A C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/b122.exe a variant of Win32/TrojanDropper.Agent.NJY trojan 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/jmwnw64l.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/mrofinu1000106.exe probably a variant of Win32/TrojanDownloader.Agent.BLS trojan 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/rwwnw64d.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/UWFX6_0001_N68M2301NetInstaller.exe Win32/Adware.WinFixer application 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/vntiho051080.exe Win32/TrojanDownloader.VB.AWJ trojan 00000000000000000000000000000000 C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip »ZIP »backups/Yazzle1552OinAdmin.exe Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000 C:\QooBox\Quarantine\C\Program Files\PCODEC\iesuninst.exe.vir probably a variant of Win32/Hoax.Renos application 94539EFB7A9002BC277F4F18B1EBB66C C:\QooBox\Quarantine\C\Program Files\Video ActiveX Object\isauninst.exe.vir Win32/TrojanDownloader.Zlob.AOC trojan B78A42C631A6620AD4EF5139D2359B21 C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir Win32/Adware.Sidebar application FC421E770C53F5F6A806440B1F2A6F81 C:\QooBox\Quarantine\C\WINDOWS\system32\gside.exe.vir »NSIS »mysidesearch_sidebar.dll Win32/Adware.Sidebar application 00000000000000000000000000000000 C:\QooBox\Quarantine\C\WINDOWS\system32\hknerkkt.exe.vir Win32/PrivacySet.B trojan 43D29843431B3FF90E287657F6547439 C:\QooBox\Quarantine\C\WINDOWS\system32\mfkwejcr.exe.vir Win32/PrivacySet.B trojan 43D29843431B3FF90E287657F6547439 C:\QooBox\Quarantine\C\WINDOWS\system32\ptffeikv.exe.vir Win32/PrivacySet.B trojan 43D29843431B3FF90E287657F6547439 C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdm.exe.vir Win32/Adware.ZenoSearch application B9F8CEA3722B9978FE360D5F318CDC84 C:\QooBox\Quarantine\C\WINDOWS\system32\qcntnkdn.exe.vir Win32/Adware.ZenoSearch application 4736E7161BF61F8DE0375385E6CC2738 C:\QooBox\Quarantine\C\WINDOWS\system32\wjbcskbk.exe.vir Win32/PrivacySet.B trojan 43D29843431B3FF90E287657F6547439 C:\QooBox\Quarantine\C\WINDOWS\system32\1064a\tgvram102.exe.vir Win32/Adware.ZenoSearch application 841F5DEF7C3C5423E6857EBA7C697464

Body Background

skin color theme