Computer Security & Viruses/follow up



Question
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:09 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\GizmoPlugin\GizmoPlugin.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Opware15.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Office12\GrooveMonitor.exe
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\OpAgent.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\OpScheduler.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iCall Internet Phone] "D:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\OpAgent.exe" /agent
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Office12\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.847\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - D:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8358 bytes
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2873 (20080213)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=da87ef3e8af6ea4e8634dbe0d5b5cbd3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-14 10:54:13
# local_time=2008-02-14 04:24:13 (+0530, India Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=646927
# found=71
# scan_time=5348
C:\Documents and Settings\Administrator.ABC\Local Settings\Temp\removalfile.bat   Win32/Adware.Virtumonde application (unable to clean - deleted)   00000000000000000000000000000000
C:\kunal\movie\familykeylogger1.1.zip   probably unknown NewHeur_PE virus (deleted)   00000000000000000000000000000000
C:\kunal\movie\familykeylogger1.1.zip »ZIP »GoldenKeylogger-setup.exe   probably unknown NewHeur_PE virus (error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\kunal\movie\familykeylogger1.1.zip »ZIP »GoldenKeylogger-setup.exe »NSIS »wsg32.exe   probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\Common Files\Hyperbar\Hyperbar.dll   Win32/Adware.Toolbar.HyperBar application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\INSTAFINK\instafink.dll   Win32/Adware.Instafinder.A application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\Media Access\MediaAccC.dll   Win32/Adware.WUpd application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\Media Access\MediaAccess.exe   Win32/Adware.WUpd application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\Media Access\MediaAccK.exe   Win32/Adware.WUpd application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\WebCracker\WebCrack4.exe   Win32/WebCracker.A trojan (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\win_dat\avitompeg.exe   a variant of Win32/VB.ATE trojan (deleted)   00000000000000000000000000000000
C:\Program Files\win_dat\avitompeg.exe »WISE »almgr.exe   a variant of Win32/VB.ATE trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\180sainstaller.exe   Win32/Adware.180Solutions application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\Install_AIM.exe   Win32/Adware.WBug.A application (deleted)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\Install_AIM.exe »WISE »WxBug.EXE   Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll   Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\WarezP2P.exe   multiple infiltrations (deleted)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\WarezP2P.exe »NSIS »7k43.exe   probably a variant of Win32/TrojanDownloader.Swizzor trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\WarezP2P.exe »NSIS »NNWARZ3_88.exe   Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
C:\Program Files\win_dat\pcic\softs\softwares\kazaa\TopSearch.dll   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20A.tmp\MARSHAL.DLL   Win32/Adware.P2PNet application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\adm25.dll   Win32/Adware.BDE application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\adm4.dll   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\admdata.dll   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\admfdi.dll   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\admprog.dll   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
C:\WINDOWS\Temp\Altnet\Setup.exe   Win32/Adware.Altnet application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP233\A0087012.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125256.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125257.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125258.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125259.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125260.exe   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125261.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125262.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125263.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125265.dll   Win32/BHO.NCC trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125266.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125268.dll   Win32/Adware.SecToolbar application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125270.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125272.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125273.dll   Win32/Adware.Virtumonde application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125274.dll   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0125275.dll   Win32/Adware.Virtumonde application (unable to clean - deleted)   00000000000000000000000000000000
D:\System Volume Information\_restore{E56408C5-1F1D-4C0C-BF27-6A1B2EA79824}\RP246\A0126293.DLL   Win32/Adware.SecToolbar application (unable to clean - deleted)   00000000000000000000000000000000
D:\WINDOWS\system32\odbcasvc.exe   Win32/Spy.VB.QU trojan (unable to clean - deleted (after the next restart))   00000000000000000000000000000000
D:\WINDOWS\TEMP\100337.exe   Win32/Spy.VB.QU trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\WINDOWS\TEMP\95567.exe   Win32/Spy.VB.QU trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\WINDOWS\TEMP\193977.exe   Win32/Spy.VB.QU trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\Documents and Settings\Administrator\Local Settings\Temp\64354.exe   Win32/Spy.VB.QU trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\Documents and Settings\Administrator\My Documents\setup_en.exe   a variant of Win32/Adware.WinFixer application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\catchme2008-02-07_234151.83.zip   Win32/Adware.SecToolbar application (deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\catchme2008-02-07_234151.83.zip »ZIP »mobghsfp.dll   Win32/Adware.SecToolbar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\upqqqimy.exe.vir   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\lbcmchww.exe.vir   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\pdoqcjhe.exe.vir   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\npkfmvyt.exe.vir   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\yfeoibkw.exe.vir   Win32/Adware.Ezula application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\aiwuiwih.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\aqpktvpw.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\bhehvdpo.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\gfoxlgvs.dll.vir   Win32/BHO.NCC trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\hgonqqbs.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\jbtnibnw.dll.vir   Win32/Adware.SecToolbar application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\oawnjces.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\psjhecly.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\pxgywhhk.dll.vir   Win32/Adware.Virtumonde application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\utfclosk.dll.vir   Win32/BHO.G trojan (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\ynivwkfj.dll.vir   Win32/Adware.Virtumonde application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\mobghsfp.dll.vir   Win32/Adware.SecToolbar application (unable to clean - deleted)   00000000000000000000000000000000
D:\QooBox\Quarantine\D\WINDOWS\system32\windows.vir   Win32/Adware.SecToolbar application (unable to clean - deleted)   00000000000000000000000000000000
ComboFix 08-02.05.3 - Administrator 2008-02-14 17:52:24.3 - [color=red][b]FAT32[/b][/color]x86
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\msvcrtd.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ODBCASVC
-------\odbcasvc


(((((((((((((((((((((((((   Files Created from 2008-01-14 to 2008-02-14  )))))))))))))))))))))))))))))))
.

2008-02-14 14:23 . 2008-02-14 14:23   <DIR>   d--------   D:\Program Files\EsetOnlineScanner
2008-02-14 11:54 . 2008-02-14 11:54   <DIR>   d--hs----   D:\FOUND.013
2008-02-09 19:34 . 2006-10-06 11:57   3,699,949   ---------   D:\WINDOWS\cp5.CAB
2008-02-09 19:34 . 2008-02-09 19:34   4,746   --a------   D:\WINDOWS\SETUP.LST
2008-02-09 19:34 . 2008-02-09 19:35   1,601   --a------   D:\WINDOWS\ST6UNST.000
2008-02-09 14:32 . 2008-02-09 14:32   124,688   --a------   D:\WINDOWS\system32\mswinsck.ocx
2008-02-09 14:32 . 2008-02-09 14:32   111,104   --a------   D:\WINDOWS\system32\uha.exe
2008-02-09 13:17 . 2004-08-04 00:56   388,608   --a------   D:\kmd.exe
2008-02-04 10:53 . 2008-02-04 14:31   354   ---hs----   D:\WINDOWS\system32\oenxquvj.ini
2008-01-31 00:48 . 2008-01-31 00:48   <DIR>   d--hs----   D:\FOUND.012
2008-01-30 23:08 . 2008-01-30 23:08   <DIR>   d--------   D:\Program Files\XoftSpySE
2008-01-30 13:32 . 2008-01-30 13:32   <DIR>   d--hs----   D:\FOUND.011
2008-01-29 22:42 . 2008-01-29 22:42   <DIR>   d--hs----   D:\FOUND.010
2008-01-28 11:49 . 2008-01-28 11:49   <DIR>   d--hs----   D:\FOUND.009
2008-01-26 11:27 . 2008-01-26 11:27   <DIR>   d--hs----   D:\FOUND.008
2008-01-25 23:42 . 2008-01-24 09:02   <DIR>   d--------   D:\SDFix
2008-01-25 20:54 . 2008-01-25 20:54   <DIR>   d--------   D:\Documents and Settings\Administrator\Application Data\Snapfish
2008-01-25 11:53 . 2008-01-25 11:53   <DIR>   d--hs----   D:\FOUND.007
2008-01-25 11:25 . 2008-01-25 11:25   <DIR>   d--hs----   D:\FOUND.006
2008-01-24 21:10 . 2008-01-25 18:52   834   ---hs----   D:\WINDOWS\system32\duwwfqew.ini
2008-01-23 23:56 . 2008-01-23 23:56   <DIR>   d--------   D:\Program Files\Common Files\eSellerate
2008-01-23 21:37 . 2008-02-14 12:35   54,156   --ah-----   D:\WINDOWS\QTFont.qfn
2008-01-23 21:37 . 2008-01-23 21:37   1,409   --a------   D:\WINDOWS\QTFont.for
2008-01-23 21:34 . 2008-01-23 21:34   <DIR>   d--------   D:\Program Files\iTunes
2008-01-23 21:34 . 2008-01-23 21:34   <DIR>   d--------   D:\Program Files\iPod
2008-01-23 21:31 . 2008-01-23 21:31   <DIR>   d--------   D:\Program Files\QuickTime
2008-01-23 21:27 . 2008-01-23 21:27   <DIR>   d--------   D:\Program Files\Common Files\Apple
2008-01-23 21:27 . 2008-01-15 02:39   30,464   --a------   D:\WINDOWS\system32\drivers\usbaapl.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 04:09   253,952   ----a-w   D:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 04:09   237,568   ----a-w   D:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-09 14:04   73,216   ----a-w   D:\WINDOWS\ST6UNST.EXE
2008-02-09 13:50   249,856   ------w   D:\WINDOWS\Setup1.exe
2008-02-08 18:46   3,126   ----a-w   D:\WINDOWS\system32\tmp.reg
2008-02-08 08:23   110,592   ----a-w   D:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 03:18   77,824   ----a-w   D:\WINDOWS\system32\OnlineScannerUninstaller.exe
2007-10-17 15:29   13   ---h--w   D:\Documents and Settings\All Users\Application Data\1ÌØ13.sys
2007-07-10 00:11   45,224   ----a-w   D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"OpAgent"="C:\Program Files\OpAgent.exe" [2005-08-11 13:56 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:08 185896]
"SSBkgdUpdate"="D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14 155648]
"Opware15"="C:\Program Files\Opware15.exe" [2005-08-11 13:52 69632]
"OpScheduler"="C:\Program Files\OpScheduler.exe" [ ]
"ISUSPM Startup"="D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"iCall Internet Phone"="D:\Program Files\iCall\iCall.exe" [2007-08-28 14:24 1191936]
"GrooveMonitor"="C:\Program Files\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
BTTray.lnk - D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-11-10 14:14:10 507965]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Prince of Persia Warrior Within.LNK]
path=D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Prince of Persia Warrior Within.LNK
backup=D:\WINDOWS\pss\Registration Prince of Persia Warrior Within.LNKStartup

R2 Gizmo Plugin;Gizmo VoIP Service;"D:\Program Files\GizmoPlugin\GizmoPlugin.exe" [2007-10-30 12:22]
R3 CLEDX;Team H2O CLEDX service;D:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 HekkoVirtualCD;Hekko Virtual CD Driver;D:\WINDOWS\system32\Drivers\hvcd.sys []
S3 AVer;AVerTV PVR USB/EZMaker Pro USB Device;D:\WINDOWS\system32\DRIVERS\AvEZPRO.sys [2004-06-08 18:42]
S3 MSControlService;Microsoft cache control;D:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 11:41:42 D:\WINDOWS\Tasks\Norton Security Scan.job"
- D:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 18:03:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-14 18:06:03 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-14 12:35:58
ComboFix3.txt  2008-02-07 18:16:14
ComboFix2.txt  2008-02-09 07:52:02


Answer
Hi Kunal

The ESET scan deleted 71 instances of malware and it looks like ComboFix cleaned the rest.  The computer should be running much better now.  You just need to clean up the leftover files.  Please run HJT (scan only) and place a check mark in the box next to the following items, then click the Fix Checked button:

O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)

After fixing, close HJT and open a browser to download CCleaner here:

http://majorgeeks.com/downloadget.php?id=4191&file=14&evp=a12d758b021af1a4f0a6bf...

Once you have installed the program, please run it by double-clicking the icon on your desktop.  You should run the general Cleaner option, which will allow you to optimize your system by removing unused and temporary files. It also protects your personal privacy by removing traces of the websites you have visited and the files you have opened.
(It's important to point out that it does this without removing any files you'll still need!)
Also, please run the Registry cleaner option, which analyzes your computer's registry (where Windows system settings are stored) and fixes any problems and inconsistencies that exist.
After that, if you are still having any issues with the computer, just let me know.  Otherwise, I hope I have helped you to solve your virus problem.  Please do not forget to leave feedback here as that is all that the volunteers here on AllExperts receive.  Good luck!

Brian
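As an added triage example (not code from the original post, and not HijackThis's own code), the following Python parses the O4 Run and O23 Service line formats used in the HJT log above and flags the entries a responder checks first, including the two orphaned "(file missing)" services the answer tells Kunal to fix. The sample lines are constructed from this page's log; the Temp-folder autorun line is an invented addition for the test.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the original AllExperts post and not code from
HijackThis itself. It parses the O4 Run and O23 Service line formats shown
in the log above and flags the entries a responder looks at first: services
whose binary is missing or whose vendor is unknown, and autoruns launched
from a temp folder. The sample lines below are constructed from the log on
this page (plus one invented Temp-folder line).
"""
import re
from dataclasses import dataclass, field

# O23 - Service: <display> (<short>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<name>] <command>[ (User '<user>')]
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
# A Run command: optionally quoted drive path ending in a PE/script extension, then args.
CMD_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s+(?P<args>.*?))?\s*$',
    re.IGNORECASE,
)
USER_RE = re.compile(r" \(User '(?P<user>[^']+)'\)$")
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".sys")


@dataclass
class Entry:
    kind: str            # "O4" or "O23"
    name: str            # Run value name or service display name
    path: str            # executable the entry points at
    owner: str = ""      # O23 only: company name HJT read from the binary
    flags: list = field(default_factory=list)
    raw: str = ""


def parse_line(line: str):
    """Return an Entry for an O4 Run or O23 Service line, else None."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        e = Entry("O23", m["display"], m["path"], m["owner"], raw=line)
        if m["missing"]:
            e.flags.append("binary missing: orphaned service entry")
        if m["owner"].lower() == "unknown owner":
            e.flags.append("no vendor/company name on the service binary")
        if not m["path"].lower().endswith(EXEC_EXT):
            e.flags.append("image path has no executable extension")
        return e
    m = O4_RE.match(line)
    if m:
        rest = USER_RE.sub("", m["rest"])        # drop the trailing (User '...') tag
        c = CMD_RE.match(rest)
        path = c["path"] if c else rest
        e = Entry("O4", m["name"], path, raw=line)
        if not c:
            e.flags.append("could not isolate executable from Run value")
        elif "\\temp\\" in path.lower():
            e.flags.append("autorun launched from a temp folder")
        return e
    return None


def triage(log_text: str):
    """Parse a whole HJT log; return (all parsed entries, entries with flags)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


# Constructed sample: lines taken from the log above, plus one invented
# Temp-folder autorun so the O4 check has something to catch.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKCU\..\Run: [updater] "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\updater.exe" /s
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
"""

if __name__ == "__main__":
    _, suspicious = triage(SAMPLE_LOG)
    for e in suspicious:
        print(f"{e.kind} {e.name!r}: {', '.join(e.flags)}")
```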

Brian Benosky


©2012 About.com, a part of The New York Times Company. All rights reserved.