I Need A Fast Answer Quick Please!
HELP!!!! I THINK I HAVE SOME BAD VIRUS!!!
My explorer.exe just crashes by itself. I didn't do anything when it occurred; it was just like explorer.exe crashed. I tried to create a new task, explorer.exe, but it didn't help. Can you please help me fast, or at least tell me how to back up my files, so that if I need to format local disk C: I have my files backed up! This is urgent.
Comments
-
Hi,
A very difficult situation. Have you tried to see if you can go to Safe Mode, preferably with networking?
Have you had the recent Vundo variant that creates a lot of junk files (P*.tmp)?
If you can, I can assist you in removing the Vundo, or at least in freeing Explorer; then you decide on the next step.
To get into Windows XP Safe Mode:
As the computer is booting, start tapping the F8 key before WinXP starts loading, which should bring up the "Windows Advanced Options Menu".
Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.
Dear TotalErik,
To see what crashed explorer.exe, once you are in Safe Mode press the Windows key together with R, type eventvwr and press Enter. Open the Application log and look for logged errors at the time you had this issue, more specifically "Application Error". Double-click these entries and post what module caused the crash in Explorer; that is normally written after "module". If that still fails, please put in your Windows installation CD-ROM, press the Windows key together with R, type cmd and press Enter, then type sfc /scannow and press Enter.
Best regards
Niels
The reason I asked if you are infected with the recent Vundo is that it creates a lot of junk files which sometimes overload the system. Besides, it tends to make a copy of running processes that then interferes with the legitimate processes. Every reboot creates more and more trouble. You may know it if you have some of the following:
* a common symptom is getting pop-ups and error warnings.
* your Internet privacy is lowered, and gets lowered after every reboot.
* you may see a lot of P*.tmp files, usually in the root of the C drive or in the My Documents folder.
* in some cases when you open Task Manager you see more processes running than usual; some processes which usually have one entry have two entries, one is a .exe, the other . exe (note the space in between); in some cases you may even see . exe. exe.
* BD detects Vundo, removes or blocks them, but they come back again.
* in some cases some icons appear on the desktop (Help and Support Center, Windows Update, etc.).
* in some cases there is a red X on the C drive.
So if your system is not infected, follow the suggestion made by Niels. Otherwise it may be just a temporary solution, which is also good because it opens up the way to the next step. In case you are infected, the shortcut is removing the infection and at the end running the sfc /scannow command. If you opt for disinfection, let me know.
Well, I've been noticing unusual processes, yes. Like, is it normal to have 5 svchost.exe's running? If yes, then what about the unusually huge CPU usage? It's like 55% most of the time (before it was like 2% in the normal state).
Oh, and I'm in normal mode at the moment, but I run programs with Task Manager.
OK, I'll try it and I'll post the news as soon as I can!
I didn't find exactly any logs for explorer.exe, but I did find something like this: Source: Winlogon, Description: "The shell stopped unexpectedly and Explorer.exe was restarted." I hope this means anything to you, though it does not to me. And there were a lot of such logs in the Event Viewer.
Farbar,
There was this one virus, Trojan.Vundo.DVS, but they said that it might just be a configuration file used by the Vundo virus. But as they said, if the file reappears then I'm infected with Vundo; but no, it hasn't reappeared.
Frankly, when I saw your post I thought you were in trouble, not able to stay in normal mode.
OK, if you are in normal mode and you don't recognize those symptoms, it is good news. Having 5 svchost.exe or more is normal. It looks like you are not infected by Vundo. But the 55% CPU is not normal. If you want to be sure, post a HijackThis log in your reply. I can tell you if you are infected.
Then we can see what happened and why the Winlogon shell stopped. The main question is whether this is a system malfunction or malware.
So I suggest you do this:
You can download a Trend Micro HijackThis installer from here:
http://www.trendsecure.com/portal/en-US/to...ckthis/download
Install it, run it and click "Do a system scan and save a logfile".
Please copy and paste the content of the logfile into your next reply.
Can you please check which process is having the high CPU usage.
OK, NOW I HAVE SOME VUNDO ALERTS!!! BitDefender found 2 Vundos: Trojan.Vundo.DWB and Trojan.Vundo.DZK.
And I must add that the BitDefender file zone scanner is, like always, GREEN (I know it means that it's scanning some stuff). Is it possible to scan with BitDefender in Safe Mode too? (And I'm going to reply to you with the HijackThis logs soon.)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:25, on 22.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {239F0C96-9D01-4146-B90F-3F52B7E39B04} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xloydjio.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O2 - BHO: {7bd4294f-7957-fe78-89c4-962ed07afaab} - {baafa70d-e269-4c98-87ef-7597f4924db7} - C:\WINDOWS\system32\nldnpbpf.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\wsvbgbxv.dll",b
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O20 - Winlogon Notify: ljjkhed - C:\WINDOWS\SYSTEM32\ljjkhed.dll
O20 - Winlogon Notify: xloydjio - C:\WINDOWS\SYSTEM32\xloydjio.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 8375 bytes
Please send these files in a zip folder with the password "infected" in your next reply:
C:\WINDOWS\system32\xloydjio.dll
C:\WINDOWS\system32\ljjkhed.dll
C:\WINDOWS\system32\wsvbgbxv.dll
OK, I was told that I should upload these files: suspected_files.zip
Now I am sure you have Vundo. But there is no time to do it tonight. I'll come back tomorrow.
I forgot to put INFECTED as the password. Is that bad?
I got this error today:
Important - Potential Errors found in the system.
During a scan of files at system startup, potential errors in the system registry were found.
p-07-0100 irwl: 1f SYSVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED.
OK, I hope this isn't something real bad.
... You may know it if you have some of the following:
* a common symptom is getting pop-ups and error warnings.
* your Internet privacy is lowered, and gets lowered after every reboot.
* you may see a lot of P*.tmp files, usually in the root of the C drive or in the My Documents folder.
* in some cases when you open Task Manager you see more processes running than usual; some processes which usually have one entry have two entries, one is a .exe, the other . exe (note the space in between); in some cases you may even see . exe. exe.
* BD detects Vundo, removes or blocks them, but they come back again.
* in some cases some icons appear on the desktop (Help and Support Center, Windows Update, etc.).
* in some cases there is a red X on the C drive.
It is the recent Vundo variant.
Is there a removal tool for that Vundo?
Or any way to get rid of it?
TotalErik,
Yes, there is a Vundo removal tool (VundoFix); download it here: http://www.majorgeeks.com/download4954.html
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- When VundoFix re-opens, click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files; click YES.
- Once you click Yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer; click OK.
Erm... it says
Error 404!
/download4954.html/url
File Not Found!
TotalErik,
Try downloading from a different mirror location. If this does not work either, please download VundoFix here: http://www.atribune.org/ccount/click.php?id=4
Hi,
I am now looking at your log. I can assist you in removing the malware. It is not just Vundo; it is a multiple infection. If you want me to help you step by step in removing the malware, post back. In that case I want you to follow the steps I am going to give you and fix nothing on your own or on the suggestions of others. I am waiting for your reply.
Well, I think I got the Vundo fixed, but if you think I have something more than I think, yes, of course I want you to help me remove the malware. But I can't at the moment, because I have to go away for like 6 hours or something like that.
AND I WANT TO THANK ALL OF YOU WHO WERE HELPING ME WITH THIS VUNDO THING!!!!!!!
I had some tears of happiness in my eyes when I fixed the Vundo, because I thought that I would have to format local disk C. I love y'all at BitDefender and the other guys. Thank you again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:28, on 23.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kodu\Desktop\VundoFix.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\hcujscof.dll",b
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 6563 bytes
TotalErik,
Your system is not 100% clean yet (sorry to ruin your parade).
Run HijackThis and do a System Scan Only. Place a check beside the following entry, and fix it:
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\hcujscof.dll",b
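An added example, my own code and not part of this thread or of HijackThis, BitDefender or VundoFix: a small Python triage script that applies the indicators the helpers used on the first posted log (BHOs with "(no name)" or a GUID for a name, non-default Winlogon Notify DLLs, and a rundll32 Run entry calling a single-letter export, all pointing at randomly named DLLs in system32), and then compares the O4 Run entries across the three posted logs, which is how the reply above spots that the same value name [149d6d99] has come back with a freshly generated DLL after the VundoFix run. The sample lines are copied from the logs in this thread (trimmed to what the demo needs); the scoring rules and the list of default XP Winlogon Notify keys are the example's own assumptions.

```python
"""Triage HijackThis-style log lines for the Vundo indicators used in this thread.

Added example; it is not part of the original thread and not a BitDefender,
Trend Micro or VundoFix tool. The sample lines are copied from the logs
posted above (trimmed to the lines the demo needs); the indicator rules and
the XP Winlogon Notify allowlist are this example's own assumptions.
"""
import re

# Constructed samples: a few lines from each of the three posted logs.
LOG_22FEB = r"""
O2 - BHO: (no name) - {239F0C96-9D01-4146-B90F-3F52B7E39B04} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xloydjio.dll
O2 - BHO: {7bd4294f-7957-fe78-89c4-962ed07afaab} - {baafa70d-e269-4c98-87ef-7597f4924db7} - C:\WINDOWS\system32\nldnpbpf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\wsvbgbxv.dll",b
O20 - Winlogon Notify: ljjkhed - C:\WINDOWS\SYSTEM32\ljjkhed.dll
O20 - Winlogon Notify: xloydjio - C:\WINDOWS\SYSTEM32\xloydjio.dll
"""
LOG_23FEB_AM = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\hcujscof.dll",b
"""
LOG_23FEB_PM = r"""
O2 - BHO: {350ab0c6-7ea0-fe48-d0a4-4554e43ca473} - {374ac34e-4554-4a0d-84ef-0ae76c0ba053} - C:\WINDOWS\system32\vopfevsb.dll (file missing)
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\ocvknxsh.dll",b
"""

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM32_DLL = re.compile(r'\\system32\\([^\\\s"]+\.dll)', re.I)
# Vundo's generated names are 5-8 lowercase letters. Real names such as
# ntdll.dll match too, so this tag only counts together with the others.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")
RUNDLL_EXPORT = re.compile(r'rundll32(\.exe)?\s+"?[^",]+\.dll"?,[a-z]\b', re.I)
RUN_ENTRY = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# Assumed default XP Winlogon\Notify subkeys (from memory; verify on a clean box).
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def triage_line(line):
    """Indicator tags for one HijackThis line; an empty list means nothing odd."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, rest = m.groups()
    tags = []
    dll = SYSTEM32_DLL.search(rest)
    if dll and RANDOM_NAME.match(dll.group(1)):
        tags.append("random-name system32 dll")
    if section == "O2":
        name = rest.split(" - ")[0].replace("BHO: ", "", 1)
        if name == "(no name)" or GUID.match(name):
            tags.append("unnamed BHO")
    elif section == "O4" and RUNDLL_EXPORT.search(rest):
        tags.append("rundll32 single-letter export")   # the ",b" in [149d6d99]
    elif section == "O20":
        notify = rest.split(": ", 1)[1].split(" - ")[0]
        if notify.lower() not in XP_DEFAULT_NOTIFY:
            tags.append("non-default Winlogon Notify")
    if rest.endswith("(file missing)"):
        tags.append("registry entry without file")   # leftover after a partial clean
    return tags


def triage(log):
    """All flagged lines of one log, as (line, tags) pairs."""
    out = []
    for line in log.strip().splitlines():
        tags = triage_line(line)
        if tags:
            out.append((line.strip(), tags))
    return out


def run_payloads(*logs):
    """Map each O4 Run value name to the distinct command lines seen across logs."""
    seen = {}
    for log in logs:
        for line in log.strip().splitlines():
            m = RUN_ENTRY.match(line.strip())
            if m:
                key = f"{m.group(1)}\\{m.group(2)}:{m.group(3)}"
                payloads = seen.setdefault(key, [])
                if m.group(4) not in payloads:
                    payloads.append(m.group(4))
    return seen


def regenerated(*logs):
    """Run entries whose DLL changed between logs: the same value name pointing at a
    freshly generated DLL is the 'comes back after removal' sign from the thread."""
    return {k: v for k, v in run_payloads(*logs).items() if len(v) > 1}


if __name__ == "__main__":
    for line, tags in triage(LOG_22FEB):
        print(f"{', '.join(tags):45} {line}")
    for key, payloads in regenerated(LOG_22FEB, LOG_23FEB_AM, LOG_23FEB_PM).items():
        print(f"{key} regenerated {len(payloads)} times:", *payloads, sep="\n   ")
```

Run against the first log this flags exactly the six entries the helpers asked about and leaves the NVIDIA rundll32 line alone; run across all three logs it reports only [149d6d99], with three different DLL names, which is the signal that the dropper is still on the box and the HijackThis fix of one entry will not hold.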
I don't want to disappoint you, but you are not clean yet. You don't need to reformat at all.
So if you are away so long, I can't help you today.
I suggest you do this: go to the folder where HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename HijackThis.exe to something like clear.exe. Double-click clear.exe, make a new log and post it in your reply. For me it is the first step and the shortcut.
I am editing the post:
I don't want to disappoint you, but you are not clean yet. You don't need to reformat at all.
So if you are away so long, I can't help you today.
The things which are showing in your HJT log are not the whole story, because now the infection is partially hiding itself from the log. I suggest you do this: go to the folder where HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename HijackThis.exe to something like clear.exe. Double-click clear.exe, make a new log and post it in your reply. For me it is the first step and the shortcut. I remind you again that I commit myself totally, but I expect it also from you.
To Chesda: I am sure you have the intention to help and also make good suggestions. But sometimes the case becomes more complicated if different people give conflicting directions. Besides, when somebody with more experience is helping, you can sit back and follow the course, or try to help others who have started a topic but don't get any assistance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:22, on 23.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\clear.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: {350ab0c6-7ea0-fe48-d0a4-4554e43ca473} - {374ac34e-4554-4a0d-84ef-0ae76c0ba053} - C:\WINDOWS\system32\vopfevsb.dll (file missing)
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\ocvknxsh.dll",b
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7808 bytes
-
My Documents is full of files named like this: pos1A, pos1A1, pos1F7. What should I do about them? Just delete them? (And Local Disk C: too.)
-
I saw your PM. Yes, I am going to help you, but these are not "leftovers" (as you mention) by any means; these are multiple infections.
To be frank with you, it looks like you either panicked or went into denial. We could have done this the day before yesterday, after my second post, but I couldn't get your attention at the time. Anyway, please follow the steps and give feedback as you do them.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
Step 1
Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files (recommended) option.
Click Yes to confirm.
Then click this link--> http://www.virustotal.com/
When the page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\Program Files\Winamp\winampa.exe
If the file is clean, just report back; if not, please add it to the files in step 2 and copy and paste the scan results in your next post.
Step 2.
The virus researchers may want to take a look at some files and if needed add them to BD for future detection.
Please copy the files listed below.
Archive them password-protected (using .rar, 7-Zip, etc.).
The password you use should be "infected".
Upload them as attachment.
If they are more than 2 MB, you should make more than one archive file/folder.
If you don't know how, read this topic: Virus Submission.
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\ljjkhed.dll
C:\WINDOWS\system32\ocvknxsh.dll
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
I'll prepare the next step. I'll see when you finish these and give you the next one.
-
It takes a lot of time to upload it :S
-
Attachment: suspected_files.rar.zip
OK, these are the files that farbar wanted me to upload, but I didn't find those files: gebcb.dll and ocvknxsh.dll. I think VundoFix deleted/fixed those files, and winampa.exe isn't infected. (I don't know if the .rar file is password protected, because it has a weird password system, so honestly I don't know if it is password protected :S :D)
-
TotalErik said:
Attachment: suspected_files.rar
OK, these are the files that farbar wanted me to upload, but I didn't find those files: gebcb.dll and ocvknxsh.dll. I think VundoFix deleted/fixed those files, and winampa.exe isn't infected. (I don't know if the .rar file is password protected, because it has a weird password system, so honestly I don't know if it is password protected :S :D)
The file is there in your last log:
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll
I assume you followed the instructions to unhide files and folders. VundoFix could not have removed it, as it is there after running VundoFix. But let's say you have run VundoFix again or BD removed it. Let's not argue about that.
Please follow the instructions and make a password-protected file/folder and send the file as an attachment. I have given you a link on how to do it.
It is important that you are able to follow the instructions in subsequent posts; otherwise we will do more harm than good, and I don't want to take responsibility for that.
Please post a fresh HijackThis log, as it may have changed again.
-
Please follow the instructions and make a password-protected file/folder and send the file as an attachment. I have given you a link on how to do it.
To attach the archive to your reply: when you press Reply, under the reply window press Browse..., show the path to the file on your computer, then press the green UPLOAD button.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:21:01, on 25.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\clear.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {1ccadf93-521a-e928-e9e4-029f888e9b71} - {17b9e888-f920-4e9e-829e-a12539fdacc1} - C:\WINDOWS\system32\letnllwh.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {4633BAF5-9A92-4DD9-9BAE-F705F04E9C87} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Help Creative Meow City] C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\nrihorgw.dll",b
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 8154 bytes
Well, this is from a recent HijackThis log. What do you have to say about that?
-
Well, this is from a recent HijackThis log. What do you have to say about that?
I don't really know what you want me to say about that. It confirms that you are doing the steps backwards, as those files are not attached yet.
But about the log: it confirms that the file named is indeed removed. It also confirms that you are still infected, because Vundo makes a new infected file, and it confirms that the whole Sunday is gone and we are where we were at the beginning, and it doesn't seem we are getting anywhere.
I am going to sleep now, and tomorrow I am going to be at work the whole day.
Perhaps the mods or virus researchers can send you a removal tool which is easier for you to use than the tools I am going to suggest.
-
I don't really know what you want me to say about that. It confirms that you are doing the steps backwards, as those files are not attached yet.
But about the log: it confirms that the file named is indeed removed. It also confirms that you are still infected, because Vundo makes a new infected file, and it confirms that the whole Sunday is gone and we are where we were at the beginning, and it doesn't seem we are getting anywhere.
I am going to sleep now, and tomorrow I am going to be at work the whole day.
Perhaps the mods or virus researchers can send you a removal tool which is easier for you to use than the tools I am going to suggest.
Well, they either don't want my files (because they haven't downloaded any of them), or maybe I just need to post them in the other topic they made: http://forum.bitdefender.com/index.php?showtopic=3409 ??
-
Well, they either don't want my files (because they haven't downloaded any of them), or maybe I just need to post them in the other topic they made: http://forum.bitdefender.com/index.php?showtopic=3409 ??
You have not attached them as instructed. How could the virus researchers have downloaded something you have not uploaded properly? And maybe they don't want the files, or perhaps they are overloaded with the work they are doing and will attend to those files later on. Even if the files are of no use, it would be nice to do something small in return for somebody who is trying to help you, just because it is asked.
My stand is this: if you are not able to follow these instructions, in the order they are written, to upload some files, how would you be able to follow the removal instructions I was going to give you? And if you face any difficulty doing the steps, you may just ask, rather than selectively doing what you can or what you think you need and ignoring the rest.
So we are still discussing the first step I suggested to you. Don't you think we both have better things to do?
-
You have not attached them as instructed. How could the virus researchers have downloaded something you have not uploaded properly? And maybe they don't want the files, or perhaps they are overloaded with the work they are doing and will attend to those files later on. Even if the files are of no use, it would be nice to do something small in return for somebody who is trying to help you, just because it is asked.
My stand is this: if you are not able to follow these instructions, in the order they are written, to upload some files, how would you be able to follow the removal instructions I was going to give you? And if you face any difficulty doing the steps, you may just ask, rather than selectively doing what you can or what you think you need and ignoring the rest.
So we are still discussing the first step I suggested to you. Don't you think we both have better things to do?
Sorry, and I do APPRECIATE everything they do, but I haven't seen the right instructions. Well, this is a question then: where can I see the uploading instructions? I'm doing the best I can to follow your instructions, and I understand you have better things to do, but I just don't like the negative vibe that comes from your replies (I just feel that negative attitude in your replies, but that's just me). So, I WILL apologize for anything I have done wrong here, but just don't think I'm not appreciating anything they do here. But I think we should now go on with the removal instructions, not argue about whether or not I appreciate the work they're doing or whether I follow the instructions. Help me, farbar; I appreciate your work, and everyone else's! So now that these words are said, I hope you understand me. (Oh, and some people just aren't as smart as others, so do respect me the best way you can, even if I might be a bit light-headed.)
-
To attach the archive to your reply: when you press Reply, under the reply window press Browse..., show the path to the file on your computer, then press the green UPLOAD button.
Here is the instruction.
-
Sorry, and I do APPRECIATE everything they do, but I haven't seen the right instructions. Well, this is a question then: where can I see the uploading instructions? I'm doing the best I can to follow your instructions, and I understand you have better things to do, but I just don't like the negative vibe that comes from your replies (I just feel that negative attitude in your replies, but that's just me). So, I WILL apologize for anything I have done wrong here, but just don't think I'm not appreciating anything they do here. But I think we should now go on with the removal instructions, not argue about whether or not I appreciate the work they're doing or whether I follow the instructions. Help me, farbar; I appreciate your work, and everyone else's! So now that these words are said, I hope you understand me. (Oh, and some people just aren't as smart as others, so do respect me the best way you can, even if I might be a bit light-headed.)
Let's forget all that and just go on with it. But please don't take it negatively. Read every word of the post before doing it. If an instruction is not clear or you find any difficulty, just stop there, post to me ASAP, and don't go on to the later step.
-
Step 1
Go to Start > Run > Control Panel > Add/Remove Programs and uninstall uTorrent and any other P2P program. You may reinstall it later, after my last post.
Uninstall Windows Live Messenger. You may reinstall it later, after everything has been cleaned, after my last post.
This one is optional and entirely up to you: I recommend not using SweetIM.com as your start page. Your start page should be a totally clean site. Read more about the site and its program here (read the comments too) and decide for yourself: http://www.siteadvisor.com/sites/sweetim.com
Step 2
Download ComboFix.exe to your desktop using this link: BleepingComputer.com
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your antivirus again.
Double-click on combofix.exe to run the programme, then follow the prompts.
When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") in your next post.
ComboFix may need to reboot to finish its work. Let it.
Note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Step 3
Post a fresh HijackThis log along with the ComboFix log.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:02, on 26.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Trend Micro\HijackThis\clear.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Help Creative Meow City] C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\shiddqay.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7847 bytes
-
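Added example (editor's note, not a post from this thread and not a BitDefender, HijackThis or VundoFix tool): the three logs above show the pattern farbar is reading by eye. The Vundo BHOs are registered with "(no name)" or a garbage GUID as their name and point at a DLL with a random lowercase stem in system32 (gebcb.dll, ljjkhed.dll, awtqn.dll, letnllwh.dll); the loader is a Run value with a hex name, [149d6d99], that calls rundll32 on another random DLL through a one-letter export ("...dll",b); and the "(file missing)" / "(no file)" lines are dead registrations, not proof the machine is clean. Between the 24.02, 25.02 and 26.02 logs the Run value keeps its name while the DLL it loads changes (ocvknxsh → nrihorgw → shiddqay), which is the "Vundo makes a new infected file" point above. The script below encodes those heuristics and runs them over lines copied from the three logs; the regexes and thresholds are my own assumptions, not a published signature, and a hit means "archive and submit this file", not a verdict on its own.

```python
"""Triage pass over pasted HijackThis lines (added example; heuristics are the
editor's assumptions, not a vendor signature)."""
import re
from dataclasses import dataclass

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
GUID_NAME_RE = re.compile(r'^\{[0-9a-f-]{36}\}$', re.IGNORECASE)  # BHO "name" that is just a GUID
SYSTEM32_DLL_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\system32\\(?P<stem>[^\\"]+)\.dll', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r'^[a-z]{5,8}$')   # gebcb, ljjkhed, ocvknxsh, ... (assumed threshold)
HEX_VALUE_RE = re.compile(r'^[0-9a-f]{8}$')    # Run value names like [149d6d99]
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s', re.IGNORECASE)
RUNDLL_EXPORT_RE = re.compile(r'\.dll"?,(?P<export>\w*)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # "O2" (BHO) or "O4" (autostart)
    stem: str      # DLL name without extension; "" when HijackThis reports no file at all
    present: bool  # False for "(file missing)" / "(no file)": a dead registration, not a clean box
    reason: str
    line: str


def _random_system32_dll(text):
    """Return the stem if text names a system32 DLL with a random-looking lowercase stem."""
    m = SYSTEM32_DLL_RE.search(text)
    if m and RANDOM_STEM_RE.match(m.group('stem')):
        return m.group('stem')
    return None


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, target = m.group('name'), m.group('target')
            unnamed = name == '(no name)' or bool(GUID_NAME_RE.match(name))
            if target == '(no file)':
                findings.append(Finding('O2', '', False, 'dangling BHO registration (no file)', line))
                continue
            stem = _random_system32_dll(target)
            if unnamed and stem:
                missing = target.endswith('(file missing)')
                reason = ('dangling BHO registration (file missing)' if missing
                          else 'unnamed BHO loading a random-named DLL from system32')
                findings.append(Finding('O2', stem, not missing, reason, line))
            continue
        m = O4_RE.match(line)
        if m and RUNDLL_RE.match(m.group('cmd')):
            value, cmd = m.group('value'), m.group('cmd')
            stem = _random_system32_dll(cmd)
            exp = RUNDLL_EXPORT_RE.search(cmd)
            export = exp.group('export') if exp else ''
            # Legitimate rundll32 entries name a real export (NvCpl.dll,NvStartup);
            # the Vundo loader in these logs uses a one-letter one ("...dll",b).
            if stem and len(export) <= 1:
                reason = 'rundll32 loads a random-named system32 DLL through a one-letter export'
                if HEX_VALUE_RE.match(value):
                    reason += f' under hex value name [{value}]'
                findings.append(Finding('O4', stem, True, reason, line))
    return findings


def suspect_stems(log_text):
    """Flagged DLLs still on disk: the ones worth archiving and submitting."""
    return sorted({f.stem for f in triage(log_text) if f.present})


def run_value_targets(logs, value_name):
    """Which DLL a given Run value pointed at in each successive log."""
    out = []
    for log in logs:
        for line in log.splitlines():
            m = O4_RE.match(line.strip())
            if m and m.group('value') == value_name:
                d = SYSTEM32_DLL_RE.search(m.group('cmd'))
                out.append(d.group('stem') + '.dll' if d else m.group('cmd'))
    return out


# Sample input: lines copied from the three HijackThis logs in this thread.
LOG_1 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {350ab0c6-7ea0-fe48-d0a4-4554e43ca473} - {374ac34e-4554-4a0d-84ef-0ae76c0ba053} - C:\WINDOWS\system32\vopfevsb.dll (file missing)
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - C:\WINDOWS\system32\ddaba.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\ocvknxsh.dll",b
"""
LOG_2 = r"""
O2 - BHO: {1ccadf93-521a-e928-e9e4-029f888e9b71} - {17b9e888-f920-4e9e-829e-a12539fdacc1} - C:\WINDOWS\system32\letnllwh.dll
O2 - BHO: (no name) - {4633BAF5-9A92-4DD9-9BAE-F705F04E9C87} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\nrihorgw.dll",b
"""
LOG_3 = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\shiddqay.dll",b
"""

if __name__ == '__main__':
    for i, log in enumerate((LOG_1, LOG_2, LOG_3), 1):
        print(f'log {i}: submit {suspect_stems(log)}')
        for f in triage(log):
            print(f'  {f.section} {f.stem or "-":10} {f.reason}')
    print('[149d6d99] pointed at:', run_value_targets([LOG_1, LOG_2, LOG_3], '149d6d99'))
```

On the first log this returns exactly the three DLLs farbar asked to have archived (gebcb, ljjkhed, ocvknxsh); the named, vendor-path BHOs (Adobe, Java, Spybot) and the NVIDIA rundll32 entries are not touched. The "(file missing)" hits are reported but kept out of the submit list, since there is nothing on disk to upload, and a fresh hit under the same [149d6d99] value in each later log is what tells you the infection re-created its payload rather than being removed.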
ComboFix 08-02-25.3 - Kodu 2008-02-26 15:03:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1579 [GMT 2:00]
Running from: C:\Documents and Settings\Kodu\My Documents\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\amvminsu.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\fsrvnxrg.dll
C:\WINDOWS\system32\letnllwh.dll
C:\WINDOWS\system32\ljjkhed.dll
C:\WINDOWS\system32\nbcgnmfq.ini
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SFSYNC02
-------\sfsync02
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-26 01:13 . 2008-02-26 01:18 109 --a------ C:\WINDOWS\wininit.ini
2008-02-26 00:40 . 2008-02-26 00:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 00:40 . 2008-02-26 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 00:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-26 00:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-26 00:33 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-26 00:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-26 00:32 . 2008-02-26 00:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-26 00:32 . 2008-02-26 00:32 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\PC Tools
2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini
2008-02-25 23:22 . 2008-02-25 23:26 178 --a------ C:\WINDOWS\system32\testscript.tmp
2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll
2008-02-25 23:18 . 2008-02-25 23:18 1,097 --a------ C:\WINDOWS\system32\tcqtcmty.dll
2008-02-24 23:25 . 2008-02-25 13:50 1,253,894 ---hs---- C:\WINDOWS\system32\wgrohirn.ini
2008-02-24 23:19 . 2008-02-24 23:19 1,097 --a------ C:\WINDOWS\system32\ltdedawq.dll
2008-02-24 16:58 . 2008-02-24 16:58 <DIR> d-------- C:\Program Files\PremiumSoft
2008-02-24 16:56 . 2008-02-24 16:56 <DIR> d-------- C:\Program Files\MySQL
2008-02-23 23:16 . 2008-02-24 23:17 1,253,774 ---hs---- C:\WINDOWS\system32\nsvvnvgp.ini
2008-02-23 23:16 . 2008-02-23 23:16 1,097 --a------ C:\WINDOWS\system32\yoyinnsd.dll
2008-02-23 20:20 . 2008-02-23 20:20 <DIR> d-------- C:\Program Files\Junk2Time
2008-02-23 19:09 . 2008-02-23 19:10 1,253,834 ---hs---- C:\WINDOWS\system32\hsxnkvco.ini
2008-02-23 19:08 . 2008-02-23 19:08 1,097 --a------ C:\WINDOWS\system32\wpxcmgla.dll
2008-02-23 12:05 . 2008-02-23 19:08 1,253,774 ---hs---- C:\WINDOWS\system32\focsjuch.ini
2008-02-23 12:03 . 2008-02-23 12:03 1,097 --a------ C:\WINDOWS\system32\rcfggpys.dll
2008-02-23 11:46 . 2008-02-25 14:40 <DIR> d-------- C:\VundoFix Backups
2008-02-23 09:33 . 2008-02-23 09:33 268 --ah----- C:\sqmdata01.sqm
2008-02-23 09:33 . 2008-02-23 09:33 244 --ah----- C:\sqmnoopt01.sqm
2008-02-22 23:18 . 2008-02-22 23:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 19:15 . 2008-02-22 23:03 1,252,804 --ahs---- C:\WINDOWS\system32\vxbgbvsw.ini
2008-02-22 16:26 . 2006-02-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-22 16:25 . 2006-02-28 14:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-21 19:58 . 2008-02-21 19:58 1,097 --a------ C:\WINDOWS\system32\gfurriif.dll
2008-02-21 18:19 . 2008-02-21 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-21 18:17 . 2008-02-23 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\aim rect help creative
2008-02-21 18:16 . 2008-02-23 20:19 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-02-21 18:16 . 2008-02-21 18:16 <DIR> d-------- C:\Program Files\Circle Developement
2008-02-21 18:16 . 2008-02-23 20:24 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Junk2Time
2008-02-20 23:11 . 2008-02-26 01:15 <DIR> d-------- C:\Program Files\AdvancedCleaner Free
2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-20 20:03 . 2008-02-21 20:04 1,253,501 --ahs---- C:\WINDOWS\system32\dkswuddu.ini
2008-02-18 23:58 . 2008-02-23 19:35 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-18 10:12 . 2008-02-18 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-10 22:26 . 2008-02-10 22:26 <DIR> d-------- C:\mydecal
2008-02-10 15:42 . 2008-02-10 15:42 0 --a------ C:\WINDOWS\PROTOCOL.INI
2008-02-10 15:41 . 2008-02-10 15:41 <DIR> d-------- C:\Documents and Settings\Kodu\WINDOWS
2008-02-10 15:41 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-02-07 13:54 . 2008-02-07 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-07 13:38 . 2008-02-07 13:38 <DIR> d-------- C:\Program Files\Sierra
2008-02-04 07:26 . 2008-02-04 07:26 <DIR> d-------- C:\Program Files\ZhyperMU
2008-02-02 01:14 . 2008-02-02 01:14 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\InstallShield
2008-02-01 21:12 . 2008-02-01 21:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-30 15:28 . 2008-01-30 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-30 15:25 . 2008-01-30 15:25 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-27 16:20 . 2008-01-27 16:20 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Bitdefender
2008-01-27 15:48 . 2008-01-27 15:48 <DIR> d-------- C:\Program Files\Ordi
2008-01-27 15:48 . 2002-08-28 10:45 645,120 --a------ C:\WINDOWS\Ordi.scr
2008-01-27 15:48 . 2008-01-27 15:48 91 --a------ C:\WINDOWS\Ordi.ini
2008-01-27 15:48 . 2008-01-27 15:48 62 --a------ C:\WINDOWS\FSaver.ini
2008-01-27 15:45 . 2008-01-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 13:07 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-26 13:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-26 12:55 --------- d-----w C:\Documents and Settings\Kodu\Application Data\MegauploadToolbar
2008-02-25 19:47 --------- d-----w C:\Program Files\LimeWire
2008-02-25 12:49 --------- d-----w C:\Program Files\World of Warcraft
2008-02-21 12:11 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-13 16:36 --------- d-----w C:\Program Files\Valve
2008-02-04 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 23:16 --------- d-----w C:\Program Files\NCSoft
2008-02-01 23:15 --------- d-----w C:\Program Files\EA GAMES
2008-01-30 13:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-27 15:01 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2008-01-27 13:49 69,632 ----a-w C:\WINDOWS\uinst001.exe
2008-01-27 13:45 --------- d-----w C:\Program Files\Common Files\Softwin
2008-01-23 19:12 --------- d-----w C:\Program Files\ssClient
2008-01-18 08:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-17 09:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-15 13:07 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-15 06:15 --------- d-----w C:\Program Files\FlashGet
2008-01-08 11:12 --------- d-----w C:\Documents and Settings\Kodu\Application Data\DAEMON Tools
2008-01-08 10:46 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-08 10:43 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-07 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\POPWWPROFILES
2008-01-07 13:19 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-07 02:35 --------- d-----w C:\Documents and Settings\Kodu\Application Data\GetRightToGo
2008-01-05 23:57 --------- d-----w C:\Program Files\Lizard Interactive Co
2008-01-05 17:54 --------- d-----w C:\Program Files\Arjaloc
2008-01-05 12:30 --------- d-----w C:\Program Files\Neffy
2008-01-04 17:37 --------- d-----w C:\Program Files\Ubisoft
2008-01-02 13:15 --------- d-----w C:\Program Files\Disc2Phone
2007-12-31 22:48 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Winamp
2007-12-31 20:43 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Talkback
2007-12-31 20:42 --------- d-----w C:\Program Files\Winamp
2007-12-31 20:18 --------- d-----w C:\Program Files\Google
2007-12-30 10:46 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-29 16:20 --------- d-----w C:\Program Files\Radical Games
2007-12-25 16:22 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-25 16:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 14:34 286,720 ----a-w C:\WINDOWS\iun506.exe
2005-04-04 09:21 29,998 ----a-w C:\WINDOWS\inf\install.exe
2005-04-04 09:21 25,119 ----a-w C:\WINDOWS\inf\update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27E4AB42-936F-4EB3-B357-1CA9D2E3550C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AFC929C-14E6-405F-80B8-76312A32540C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99cfb505-af2d-4ee2-a23c-bdc4dc949c76}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C809AB14-C67F-408A-B541-A5A6A7411AD1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-26 04:32 171448]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 15:54 486856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 20:15 103712]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05 8429568]
"nwiz"="nwiz.exe" [2007-04-20 06:05 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 17:16 37376]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2008-01-27 16:51 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-27 16:50 69632]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-20 06:05 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 11:10 405504 C:\WINDOWS\sttray.exe]
"Help Creative Meow City"="C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe" [2008-02-26 15:08 495104]
"149d6d99"="C:\WINDOWS\system32\shiddqay.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Reboot.exe [2006-12-29 12:35:16 409088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enGB-downloader.exe"=
"C:\\Program Files\\Valve\\hlds.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Valve\\cstrike\\valve\\hl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"41816:TCP"= 41816:TCP:uTorrent
"27015:TCP"= 27015:TCP:UDP Port
R2 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" []
S3 Axtmvflt;Axesstel USB Filter Service;C:\WINDOWS\system32\DRIVERS\Axtmvflt.sys [2007-03-22 11:36]
S3 Axtmvprt;Axesstel Diagnostic Port;C:\WINDOWS\system32\Drivers\Axtmvprt.sys [2007-03-26 09:25]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 13:00:06 C:\WINDOWS\Tasks\AC6AE3C091C596D8.job"
- c:\docume~1\kodu\applic~1\junk2t~1\Roadeachamen.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 15:08:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\update\update.exe
.
**************************************************************************
.
Completion time: 2008-02-26 15:10:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 13:10:43
.
2008-02-25 23:23:04 --- E O F ---
-
TotalEric,
Good work. I am now at work; ComboFix has removed some of them, but this evening (West European time) I am going to post the next step, which hopefully takes care of all the active infections at once.
Have you uninstalled Windows Live Messenger? Because the infected file is still there. We will take care of that.
Let me know asap.
-
Yeah, I uninstalled the Windows Live Messenger main program, but I thought maybe the other related programs don't disturb the work: Windows Live OneCare safety scanner, and Windows Live login helper (or something like that).
Edit: And I must add, I had a blue error screen just a few moments ago that made me restart my computer. And on the computer startup I saw an error:
RUNDLL
Error loading C:WINDOWS\System32\shiddqay.dll
the specified module could not be found.
-
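The RUNDLL message above means the Run value "149d6d99" (listed in the ComboFix log earlier in this thread) still references C:\WINDOWS\system32\shiddqay.dll although the file is no longer there. The same log shows how the files of this infection group together: hidden+system .ini files in system32 whose name is a DLL name spelled backwards (yaqddihs.ini / shiddqay.dll in the Files Created and Run sections, nqtwa.ini / awtqn.dll under Other Deletions), 1,097-byte DLLs with random names, and a random-named Run value loading one of them. The Python script below is an added example, not part of the thread or of ComboFix: it parses the lines as ComboFix prints them (a few copied from the log above) and flags those traits. The "random-looking name" pattern and the size threshold are assumptions chosen to fit this log, not ComboFix's own criteria.

```python
"""Triage helper for the file lines a ComboFix log prints.

Added example, not ComboFix code. Heuristics are assumptions drawn from the
logs in this thread: hidden+system .ini files in system32 whose name is a DLL
name reversed, very small random-named DLLs, and a random-named Run value.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the ComboFix log above (section headers shortened).
LOG = r'''
(((( Other Deletions ))))
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\ljjkhed.dll
(((( Files Created from 2008-01-26 to 2008-02-26 ))))
2008-02-26 00:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini
2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll
2008-02-24 23:25 . 2008-02-25 13:50 1,253,894 ---hs---- C:\WINDOWS\system32\wgrohirn.ini
2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
(((( Reg Loading Points ))))
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-27 16:50 69632]
"149d6d99"="C:\WINDOWS\system32\shiddqay.dll" [ ]
'''

# 'created-date . modified-date size attributes path', as ComboFix prints it
CREATED = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
    r'(<DIR>|[\d,]+) ([-a-z]{9}) (.+)$')
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)" \[[^\]]*\]$')   # "Name"="path" [info]
PATH_ONLY = re.compile(r'^[A-Za-z]:\\.+$')                    # bare path (Other Deletions)
RANDOM_STEM = re.compile(r'^[a-z]{5,8}$')   # assumption: short, all lowercase letters
SYSTEM32 = 'c:\\windows\\system32'
TINY_DLL_BYTES = 4096                       # assumption: real DLLs are larger than this


class Entry(NamedTuple):
    path: str
    size: Optional[int]   # None for directories and for lines without a size
    attrs: str            # ComboFix attribute string, e.g. '---hs----'
    source: str           # 'created', 'deleted' or 'run:<value name>'


def parse_log(text: str) -> List[Entry]:
    """Pick the file lines out of a ComboFix log; all other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED.match(line)
        if m:
            size_field, attrs, path = m.groups()
            size = None if size_field == '<DIR>' else int(size_field.replace(',', ''))
            entries.append(Entry(path, size, attrs, 'created'))
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append(Entry(m.group(2), None, '', 'run:' + m.group(1)))
            continue
        if PATH_ONLY.match(line):
            entries.append(Entry(line, None, '', 'deleted'))
    return entries


def split_name(path: str) -> Tuple[str, str, str]:
    """Return (folder, stem, extension), all lower-cased."""
    folder, _, name = path.lower().rpartition('\\')
    stem, _, ext = name.rpartition('.')
    return folder, stem, ext


def reversed_pairs(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(.ini path, .dll path) pairs where the .ini stem is the .dll stem reversed."""
    dlls = {split_name(e.path)[1]: e.path for e in entries if split_name(e.path)[2] == 'dll'}
    return [(e.path, dlls[split_name(e.path)[1][::-1]]) for e in entries
            if split_name(e.path)[2] == 'ini' and split_name(e.path)[1][::-1] in dlls]


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Random-named files directly in system32 that show at least one suspicious trait."""
    dlls = {split_name(e.path)[1]: e.path for e in entries if split_name(e.path)[2] == 'dll'}
    findings = []
    for e in entries:
        folder, stem, ext = split_name(e.path)
        if folder != SYSTEM32 or not RANDOM_STEM.match(stem):
            continue
        reasons = []
        if ext == 'ini' and 'h' in e.attrs and 's' in e.attrs:
            reasons.append('hidden+system .ini in system32')
        if ext == 'ini' and stem[::-1] in dlls:
            reasons.append('name is ' + dlls[stem[::-1]] + ' reversed')
        if ext == 'dll' and e.size is not None and e.size < TINY_DLL_BYTES:
            reasons.append(f'only {e.size} bytes')
        if ext == 'dll' and e.source.startswith('run:'):
            reasons.append('loaded at logon by Run value "' + e.source[4:] + '"')
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == '__main__':
    parsed = parse_log(LOG)
    for ini, dll in reversed_pairs(parsed):
        print('pair:', ini, '<->', dll)
    for path, reasons in triage(parsed):
        print(path, '-', '; '.join(reasons))
```

Run against the embedded lines it reports the two reversed-name pairs and flags nqtwa.ini, yaqddihs.ini, lpflnieq.dll, wgrohirn.ini and shiddqay.dll, while the legitimate atl71.dll, the driver under system32\drivers and the BitDefender Run value pass untouched. The point of keeping the heuristics as named constants is that they are tuned to this one log; a reviewer would widen or tighten them before reusing the script on another machine's output.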
TotalErik,
I must say you are doing a good job. The other programs don't disturb anything and you need not uninstall them. After the following steps your HijackThis log is clean and your system is clean of the active infection, and you may relax and enjoy. There remain still some leftovers which we are going to take care of and make sure they are also clean.
1. Open Notepad (Start menu - All Programs - Accessories - Notepad). Make sure Word Wrap under the Format menu is not selected.
Copy and paste the text in bold into it.
File::
C:\WINDOWS\system32\shiddqay.dll
Folder::
C:\Program Files\Windows Live\Messenger
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"149d6d99"=-
"MsnMsgr"=-
* Select Save in: Desktop
* Fill in File name: CFScript.txt
* Save as type: All file types (*.*)
Drag CFScript.txt into ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
2. Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
- Double-click
- Under Main "Select Files to Delete" choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser
  - Click
  - Click the Empty Selected button.
  - NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera browser
  - Click
  - Click the Empty Selected button.
  - NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
3. Remove vundofix.ex and the C:\VundoFix Backups folder.
(we need ComboFix tomorrow to clean the rest, after I have made the list to clean)
4. Please go to the firewall and remove all suspicious allowed entries if you can.
It has been a long day for me today. Tomorrow I am going to go through the ComboFix log and prepare the final step. Please let me know how things are going.
Please post the ComboFix log.
-
File::
C:\WINDOWS\system32\shiddqay.dll
Folder::
C:\Program Files\Windows Live\Messenger
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"149d6d99"=-
"MsnMsgr"=-
Please note, I edited the post:
The bold text should be this:
File::
C:\WINDOWS\system32\shiddqay.dll
Folder::
C:\Program Files\Windows Live\Messenger
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"149d6d99"=-
"MsnMsgr"=-
-
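The two versions of the script above differ only in the "-" in front of the key. The Registry:: section of a CFScript uses .reg (REGEDIT4) syntax: "[-Key]" deletes the whole key with every value under it, "[Key]" only selects the key, and a following line of the form "Name"=- deletes one value from the selected key. So the first version would have removed every entry under HKLM\...\Run (the BitDefender, NVIDIA and Sigmatel startup values along with the bad one), while the corrected version removes only the named values. The Python script below is an added example, not part of the thread or of ComboFix; it parses the Registry:: section of both versions and simulates them against a registry snapshot constructed from a few of the Run values shown in the ComboFix log above.

```python
"""Simulate what the Registry:: section of a ComboFix CFScript would do.

Added illustration, not ComboFix code. The section uses .reg (REGEDIT4) syntax:
  [-Key]     deletes the whole key, including every value under it
  [Key]      selects the key for the value lines that follow
  "Name"=-   deletes one value from the selected key
The registry snapshot is constructed from Run entries in the log in this thread.
"""
import re
from typing import Dict, List, Tuple

# The script as first posted in the thread (note the '-' in front of the key)
SCRIPT_FIRST = r'''
File::
C:\WINDOWS\system32\shiddqay.dll
Folder::
C:\Program Files\Windows Live\Messenger
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"149d6d99"=-
"MsnMsgr"=-
'''
# The corrected version: identical except that the '-' before the key is gone
SCRIPT_CORRECTED = SCRIPT_FIRST.replace('[-HKEY', '[HKEY')

HKLM_RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
HKCU_RUN = r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Constructed snapshot: a few of the Run values listed in the ComboFix log
SNAPSHOT: Dict[str, Dict[str, str]] = {
    HKLM_RUN: {
        'NvCplDaemon': r'C:\WINDOWS\system32\NvCpl.dll',
        'BDAgent': r'C:\Program Files\Softwin\BitDefender10\bdagent.exe',
        'SigmatelSysTrayApp': 'sttray.exe',
        '149d6d99': r'C:\WINDOWS\system32\shiddqay.dll',
    },
    HKCU_RUN: {
        'MsnMsgr': r'C:\Program Files\Windows Live\Messenger\msnmsgr.exe',
        'ctfmon.exe': r'C:\WINDOWS\system32\ctfmon.exe',
    },
}

KEY_LINE = re.compile(r'^\[(-?)([^\]]+)\]$')      # [Key] or [-Key]
VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')       # "Name"=-


def parse_registry_actions(script: str) -> List[Tuple[str, ...]]:
    """Return ('delete_key', key) and ('delete_value', key, name) actions, in script order."""
    actions: List[Tuple[str, ...]] = []
    in_registry = False
    current_key = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):  # section header: File::, Folder::, Registry::, ...
            in_registry = line.lower() == 'registry::'
            current_key = None
            continue
        if not in_registry:
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            current_key = key
            if minus:
                actions.append(('delete_key', key))
            continue
        m = VALUE_DELETE.match(line)
        if m and current_key is not None:
            actions.append(('delete_value', current_key, m.group(1)))
    return actions


def whole_key_deletions(script: str) -> List[str]:
    """Keys the script would remove outright; the list to review before running it."""
    return [a[1] for a in parse_registry_actions(script) if a[0] == 'delete_key']


def simulate(script: str, snapshot: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Apply the script's registry actions to a copy of the snapshot (names compare case-insensitively)."""
    reg = {k: dict(v) for k, v in snapshot.items()}
    for action in parse_registry_actions(script):
        if action[0] == 'delete_key':
            target = action[1].lower()
            for key in list(reg):                # the key itself and every subkey
                if key.lower() == target or key.lower().startswith(target + '\\'):
                    del reg[key]
        else:
            _, key, name = action
            for existing_key, values in reg.items():
                if existing_key.lower() == key.lower():
                    for value_name in list(values):
                        if value_name.lower() == name.lower():
                            del values[value_name]
    return reg


if __name__ == '__main__':
    for label, script in (('first', SCRIPT_FIRST), ('corrected', SCRIPT_CORRECTED)):
        print(f'{label}: whole keys deleted = {whole_key_deletions(script)}')
        for key, values in simulate(script, SNAPSHOT).items():
            print(f'  {key}: {sorted(values)}')
```

The simulation also makes a second property of the syntax visible: a "Name"=- line acts only on the key selected above it. MsnMsgr is listed under the HKCU Run key in the log, so with either version of the script the snapshot keeps that value; only 149d6d99, which lives under HKLM, is removed by the corrected script. Printing whole_key_deletions() before running any CFScript is a cheap way to catch an accidental "[-" that would wipe a key full of legitimate entries.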
ComboFix 08-02-25.3 - Kodu 2008-02-27 7:47:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1628 [GMT 2:00]
Running from: C:\Documents and Settings\Kodu\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kodu\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\shiddqay.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.
2008-02-27 00:04 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-27 00:03 . 2008-02-27 00:04 <DIR> d-------- C:\Program Files\Java
2008-02-27 00:03 . 2008-02-27 00:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-26 21:03 . 2008-02-26 21:03 <DIR> d-------- C:\Program Files\Junk2Time
2008-02-26 21:00 . 2008-02-26 21:02 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-26 01:13 . 2008-02-26 01:18 109 --a------ C:\WINDOWS\wininit.ini
2008-02-26 00:40 . 2008-02-27 07:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 00:40 . 2008-02-27 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 00:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-26 00:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-26 00:33 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-26 00:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-26 00:32 . 2008-02-26 00:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-26 00:32 . 2008-02-26 00:32 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\PC Tools
2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini
2008-02-25 23:22 . 2008-02-25 23:26 178 --a------ C:\WINDOWS\system32\testscript.tmp
2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll
2008-02-25 23:18 . 2008-02-25 23:18 1,097 --a------ C:\WINDOWS\system32\tcqtcmty.dll
2008-02-24 23:25 . 2008-02-25 13:50 1,253,894 ---hs---- C:\WINDOWS\system32\wgrohirn.ini
2008-02-24 23:19 . 2008-02-24 23:19 1,097 --a------ C:\WINDOWS\system32\ltdedawq.dll
2008-02-24 16:58 . 2008-02-24 16:58 <DIR> d-------- C:\Program Files\PremiumSoft
2008-02-24 16:56 . 2008-02-24 16:56 <DIR> d-------- C:\Program Files\MySQL
2008-02-23 23:16 . 2008-02-24 23:17 1,253,774 ---hs---- C:\WINDOWS\system32\nsvvnvgp.ini
2008-02-23 23:16 . 2008-02-23 23:16 1,097 --a------ C:\WINDOWS\system32\yoyinnsd.dll
2008-02-23 19:09 . 2008-02-23 19:10 1,253,834 ---hs---- C:\WINDOWS\system32\hsxnkvco.ini
2008-02-23 19:08 . 2008-02-23 19:08 1,097 --a------ C:\WINDOWS\system32\wpxcmgla.dll
2008-02-23 12:05 . 2008-02-23 19:08 1,253,774 ---hs---- C:\WINDOWS\system32\focsjuch.ini
2008-02-23 12:03 . 2008-02-23 12:03 1,097 --a------ C:\WINDOWS\system32\rcfggpys.dll
2008-02-23 11:46 . 2008-02-26 15:17 <DIR> d-------- C:\VundoFix Backups
2008-02-23 09:33 . 2008-02-23 09:33 268 --ah----- C:\sqmdata01.sqm
2008-02-23 09:33 . 2008-02-23 09:33 244 --ah----- C:\sqmnoopt01.sqm
2008-02-22 23:18 . 2008-02-22 23:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 19:15 . 2008-02-22 23:03 1,252,804 --ahs---- C:\WINDOWS\system32\vxbgbvsw.ini
2008-02-22 17:57 . 2008-02-26 17:06 2,145,386,496 --a------ C:\WINDOWS\MEMORY.DMP
2008-02-22 16:26 . 2006-02-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-22 16:25 . 2006-02-28 14:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-22 16:23 . 2008-02-22 16:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-21 19:58 . 2008-02-21 19:58 1,097 --a------ C:\WINDOWS\system32\gfurriif.dll
2008-02-21 18:19 . 2008-02-21 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-21 18:17 . 2008-02-26 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\aim rect help creative
2008-02-21 18:16 . 2008-02-26 21:02 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-02-21 18:16 . 2008-02-21 18:16 <DIR> d-------- C:\Program Files\Circle Developement
2008-02-21 18:16 . 2008-02-26 21:04 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Junk2Time
2008-02-20 23:11 . 2008-02-26 01:15 <DIR> d-------- C:\Program Files\AdvancedCleaner Free
2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-20 20:03 . 2008-02-21 20:04 1,253,501 --ahs---- C:\WINDOWS\system32\dkswuddu.ini
2008-02-18 23:58 . 2008-02-23 19:35 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-18 10:12 . 2008-02-18 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-10 22:26 . 2008-02-10 22:26 <DIR> d-------- C:\mydecal
2008-02-10 15:42 . 2008-02-10 15:42 0 --a------ C:\WINDOWS\PROTOCOL.INI
2008-02-10 15:41 . 2008-02-10 15:41 <DIR> d-------- C:\Documents and Settings\Kodu\WINDOWS
2008-02-10 15:41 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-02-07 13:54 . 2008-02-07 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-07 13:38 . 2008-02-07 13:38 <DIR> d-------- C:\Program Files\Sierra
2008-02-04 07:26 . 2008-02-04 07:26 <DIR> d-------- C:\Program Files\ZhyperMU
2008-02-02 01:14 . 2008-02-02 01:14 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\InstallShield
2008-02-01 21:12 . 2008-02-01 21:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-30 15:28 . 2008-01-30 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-30 15:25 . 2008-01-30 15:25 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-27 16:20 . 2008-01-27 16:20 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Bitdefender
2008-01-27 15:48 . 2008-01-27 15:48 <DIR> d-------- C:\Program Files\Ordi
2008-01-27 15:48 . 2002-08-28 10:45 645,120 --a------ C:\WINDOWS\Ordi.scr
2008-01-27 15:48 . 2008-01-27 15:48 91 --a------ C:\WINDOWS\Ordi.ini
2008-01-27 15:48 . 2008-01-27 15:48 62 --a------ C:\WINDOWS\FSaver.ini
2008-01-27 15:45 . 2008-01-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 05:47 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-26 18:56 --------- d-----w C:\Program Files\World of Warcraft
2008-02-26 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-26 18:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-26 12:55 --------- d-----w C:\Documents and Settings\Kodu\Application Data\MegauploadToolbar
2008-02-25 19:47 --------- d-----w C:\Program Files\LimeWire
2008-02-21 12:11 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-13 16:36 --------- d-----w C:\Program Files\Valve
2008-02-04 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 23:16 --------- d-----w C:\Program Files\NCSoft
2008-02-01 23:15 --------- d-----w C:\Program Files\EA GAMES
2008-01-30 13:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-27 15:01 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2008-01-27 13:49 69,632 ----a-w C:\WINDOWS\uinst001.exe
2008-01-27 13:45 --------- d-----w C:\Program Files\Common Files\Softwin
2008-01-23 19:12 --------- d-----w C:\Program Files\ssClient
2008-01-18 08:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-17 09:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-15 13:07 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-15 06:15 --------- d-----w C:\Program Files\FlashGet
2008-01-08 11:12 --------- d-----w C:\Documents and Settings\Kodu\Application Data\DAEMON Tools
2008-01-08 10:46 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-08 10:43 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-07 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\POPWWPROFILES
2008-01-07 13:19 --------- d-----w C:\Program Files\Common Files\DirectX
2008-01-07 02:35 --------- d-----w C:\Documents and Settings\Kodu\Application Data\GetRightToGo
2008-01-05 23:57 --------- d-----w C:\Program Files\Lizard Interactive Co
2008-01-05 17:54 --------- d-----w C:\Program Files\Arjaloc
2008-01-05 12:30 --------- d-----w C:\Program Files\Neffy
2008-01-04 17:37 --------- d-----w C:\Program Files\Ubisoft
2008-01-02 13:15 --------- d-----w C:\Program Files\Disc2Phone
2007-12-31 22:48 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Winamp
2007-12-31 20:43 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Talkback
2007-12-31 20:42 --------- d-----w C:\Program Files\Winamp
2007-12-31 20:18 --------- d-----w C:\Program Files\Google
2007-12-30 10:46 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-29 16:20 --------- d-----w C:\Program Files\Radical Games
2007-12-25 16:22 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-25 16:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 14:34 286,720 ----a-w C:\WINDOWS\iun506.exe
2005-04-04 09:21 29,998 ----a-w C:\WINDOWS\inf\install.exe
2005-04-04 09:21 25,119 ----a-w C:\WINDOWS\inf\update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27E4AB42-936F-4EB3-B357-1CA9D2E3550C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AFC929C-14E6-405F-80B8-76312A32540C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99cfb505-af2d-4ee2-a23c-bdc4dc949c76}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C809AB14-C67F-408A-B541-A5A6A7411AD1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="~C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-26 04:32 171448]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 15:54 486856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 20:15 103712]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Reboot.exe [2006-12-29 12:35:16 409088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enGB-downloader.exe"=
"C:\\Program Files\\Valve\\hlds.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Valve\\cstrike\\valve\\hl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"41816:TCP"= 41816:TCP:uTorrent
"27015:TCP"= 27015:TCP:UDP Port
R2 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" []
S3 Axtmvflt;Axesstel USB Filter Service;C:\WINDOWS\system32\DRIVERS\Axtmvflt.sys [2007-03-22 11:36]
S3 Axtmvprt;Axesstel Diagnostic Port;C:\WINDOWS\system32\Drivers\Axtmvprt.sys [2007-03-26 09:25]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 22:00:02 C:\WINDOWS\Tasks\B18C1109915B84D9.job"
- c:\docume~1\kodu\applic~1\junk2t~1\Roadeachamen.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 07:49:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-27 7:50:10
ComboFix-quarantined-files.txt 2008-02-27 05:50:07
ComboFix2.txt 2008-02-26 13:10:49
.
2008-02-27 05:38:11 --- E O F ---
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:39, on 27.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\clear.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27E4AB42-936F-4EB3-B357-1CA9D2E3550C} - (no file)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {99cfb505-af2d-4ee2-a23c-bdc4dc949c76} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 6822 bytes
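The log above is the kind of thing a helper reads by eye: orphaned O2 BHO entries that point at "(no file)", a bare "Reboot.exe" in Global Startup with no path, O16 ActiveX controls pulled from third-party hosts, and an O23 service whose binary shows as "C:\Program.exe (file missing)". That last form is the usual symptom of a service ImagePath with spaces that was never quoted (Windows tries C:\Program.exe before C:\Program Files\...), which is both why HijackThis cannot find the file and a local privilege escalation path if an ordinary user can write to C:\. The script below is an added example, not code from the thread or from HijackThis; it parses a handful of lines copied from the posted log and applies those four checks. The rule names and the "info"/"review" severities are this script's own.

```python
"""Triage a HijackThis v2 log: flag the entries a responder checks first.

Added example, not part of the original thread or of HijackThis. It
re-implements in Python the manual checks applied to the O2/O4/O16/O23
sections of a log; rule names and severities are this script's own.
"""
import re
from dataclasses import dataclass

# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27E4AB42-936F-4EB3-B357-1CA9D2E3550C} - (no file)
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Reboot.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# HijackThis shows the ImagePath the way the service manager resolves it; an
# unquoted path with spaces therefore appears as "<drive>:\Program.exe".
TRUNCATED_PATH_RE = re.compile(r"^[A-Za-z]:\\Program\.exe$", re.IGNORECASE)
MISSING_SUFFIX = " (file missing)"


@dataclass
class Finding:
    rule: str
    severity: str  # "info" = safe cleanup, "review" = needs a human look
    entry: str


def parse_entries(log: str):
    """Return (section, body) pairs for every well-formed log line."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def is_microsoft_host(host: str) -> bool:
    """True only for microsoft.com itself or a real subdomain of it."""
    host = host.lower().split(":")[0]
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage(log: str):
    findings = []
    for kind, body in parse_entries(log):
        if kind == "O2" and body.endswith("(no file)"):
            # Leftover CLSID registration with no DLL behind it: harmless, tidy up.
            findings.append(Finding("orphaned-bho", "info", body))
        elif kind == "O4" and body.startswith("Global Startup:"):
            target = body.split(":", 1)[1].strip()
            # A bare executable name (no path, not a .lnk = target) runs for every
            # user at logon and is worth identifying before it is removed.
            if "\\" not in target and "=" not in target:
                findings.append(Finding("bare-global-startup", "review", body))
        elif kind == "O16":
            m = URL_HOST_RE.search(body)
            if m and not is_microsoft_host(m.group(1)):
                findings.append(Finding("third-party-activex", "review", body))
        elif kind == "O23" and body.endswith(MISSING_SUFFIX):
            path = body.rsplit(" - ", 1)[1][: -len(MISSING_SUFFIX)].strip()
            if TRUNCATED_PATH_RE.match(path):
                # Unquoted ImagePath with spaces: also a local privilege
                # escalation if a non-admin user can create <drive>:\Program.exe.
                findings.append(Finding("unquoted-service-path", "review", body))
            else:
                findings.append(Finding("missing-service-binary", "review", body))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: (f.severity != "review", f.rule)):
        print(f"[{f.severity:6}] {f.rule:22} {f.entry}")
```

Confirm an "unquoted-service-path" hit before touching anything: `sc qc MySQL4` prints the real BINARY_PATH_NAME, and the fix is to put quotes around the executable path in that value (via the service's own installer or `sc config`). The "review" items are only pointers; the "(no file)" O2 entries are the ones that can simply be fixed in HijackThis.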