Computer Security & Viruses/POS232.tmp virus



Question
QUESTION: Hello Brian,
My computer is infected with that POS343.tmp virus. Could you please help me? Here is a log of a HJT and ComboFix scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:23 PM, on 02/03/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {4E3AECC2-7552-05FD-0213-2800B9CF8EBC} - C:\WINDOWS\System32\epclu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1275210071-1482476501-839522115-500\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4007 bytes



ComboFix 08-03-03.6 - Administrator 2008-03-02 22:34:35.2 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\acoqlntr.dll
C:\WINDOWS\system32\ewfojqgp.dll
C:\WINDOWS\system32\hixsabue.dll
C:\WINDOWS\SYSTEM32\jlnmp.ini
C:\WINDOWS\SYSTEM32\jlnmp.ini2
C:\WINDOWS\SYSTEM32\pgqjofwe.ini
C:\WINDOWS\SYSTEM32\pgqjofwe.ini2
C:\WINDOWS\SYSTEM32\pgqjofwe.tmp
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\txdjmiet.dll
C:\WINDOWS\system32\txdjmiet.dllbox
C:\WINDOWS\system32\urqnmno.dll
C:\WINDOWS\system32\yrbcsqvf.dll
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
(((((((((((((((((((((((((   Files Created from 2008-02-03 to 2008-03-03  )))))))))))))))))))))))))))))))
.

2008-03-02 22:30 . 2008-03-02 22:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-02 20:24 . 2008-03-02 20:24   268   --ah-----   C:\sqmdata01.sqm
2008-03-02 20:24 . 2008-03-02 20:24   244   --ah-----   C:\sqmnoopt01.sqm
2008-03-02 14:50 . 2008-03-02 14:50   300   --a------   C:\7161.bat
2008-03-02 14:50 . 2008-03-02 14:50   134   --a------   C:\n.bat
2008-03-02 13:51 . 2008-03-02 13:51   <DIR>   d--------   C:\Program Files\D-Tools
2008-03-02 13:51 . 2004-08-22 16:31   155,136   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\d347bus.sys
2008-03-02 13:51 . 2004-08-22 16:31   5,248   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\d347prt.sys
2008-03-02 13:49 . 2008-03-02 13:49   147,456   --a------   C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-03-02 13:39 . 2008-03-02 13:39   268   --ah-----   C:\sqmdata00.sqm
2008-03-02 13:39 . 2008-03-02 13:39   244   --ah-----   C:\sqmnoopt00.sqm
2008-03-02 00:34 . 2008-03-02 00:34   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-02 00:34 . 2008-03-02 00:34   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Comodo
2008-03-02 00:33 . 2008-03-02 00:33   <DIR>   d--------   C:\Program Files\Comodo
2008-03-02 00:17 . 2008-03-02 00:17   <DIR>   d--------   C:\Program Files\Spyware Terminator
2008-03-02 00:17 . 2008-03-02 00:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 00:17 . 2008-03-02 00:17   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-03-02 00:17 . 2008-03-02 00:17   138,752   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-03-01 23:59 . 2008-03-01 23:59   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX7D3.tmp
2008-03-01 23:28 . 2008-03-01 23:28   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX5A23.tmp
2008-03-01 23:14 . 2008-03-01 23:14   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX5335.tmp
2008-03-01 22:24 . 2008-03-01 22:24   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4DD7.tmp
2008-03-01 22:24 . 2008-03-02 22:30   99,441   --a------   C:\WINDOWS\BM3d492fd2.xml
2008-03-01 22:24 . 2008-03-02 22:25   22   --a------   C:\WINDOWS\pskt.ini
2008-03-01 22:15 . 2008-03-01 22:15   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4F39.tmp
2008-02-26 15:51 . 2008-02-26 15:52   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3543.tmp
2008-02-25 12:51 . 2008-02-25 12:51   338,140   --a------   C:\WINDOWS\SYSTEM32\RCX4B51.tmp
2008-02-25 12:50 . 2008-02-25 12:50   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4AC4.tmp
2008-02-25 12:50 . 2008-02-25 12:50   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4A7B.tmp
2008-02-25 12:50 . 2008-02-25 12:50   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4A51.tmp
2008-02-25 12:49 . 2008-02-25 12:49   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX394C.tmp
2008-02-25 00:07 . 2008-02-25 00:07   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX5338.tmp
2008-02-25 00:06 . 2008-02-25 00:06   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX52F9.tmp
2008-02-25 00:04 . 2008-02-25 00:04   338,140   --a------   C:\WINDOWS\SYSTEM32\RCX5283.tmp
2008-02-25 00:00 . 2008-02-25 00:00   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX5199.tmp
2008-02-24 23:59 . 2008-02-24 23:59   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX512B.tmp
2008-02-24 23:57 . 2008-02-24 23:57   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX50A3.tmp
2008-02-24 23:52 . 2008-02-24 23:52   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX4F35.tmp
2008-02-24 22:19 . 2008-02-24 22:20   1,253,834   ---hs----   C:\WINDOWS\SYSTEM32\vxofjcmh.tmp
2008-02-24 21:16 . 2008-02-24 21:16   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX42BC.tmp
2008-02-24 17:51 . 2008-02-24 17:51   <DIR>   d--------   C:\WINDOWS\SYSTEM32\URTTemp
2008-02-24 17:39 . 2008-02-24 17:39   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX1D25.tmp
2008-02-24 17:39 . 2008-02-24 17:39   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX1C18.tmp
2008-02-24 17:31 . 2008-02-24 17:31   338,140   --a------   C:\WINDOWS\SYSTEM32\RCX41DC.tmp
2008-02-24 17:23 . 2008-02-24 17:23   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX24C9.tmp
2008-02-18 13:34 . 2008-02-18 16:37   474   ---hs----   C:\WINDOWS\SYSTEM32\odfcsjip.ini
2008-02-18 13:33 . 2008-02-18 13:33   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3327.tmp
2008-02-18 12:58 . 2008-02-18 12:58   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3CAE.tmp
2008-02-18 12:58 . 2008-02-18 12:58   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3C9F.tmp
2008-02-18 12:52 . 2008-02-18 12:52   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3890.tmp
2008-02-13 00:47 . 2008-02-13 00:47   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX37C8.tmp
2008-02-13 00:45 . 2008-02-13 00:45   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX373D.tmp
2008-02-13 00:41 . 2008-02-13 00:41   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX355D.tmp
2008-02-13 00:40 . 2008-02-13 00:40   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3434.tmp
2008-02-13 00:33 . 2008-02-13 00:33   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX28E0.tmp
2008-02-11 12:55 . 2008-02-11 12:55   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX3214.tmp
2008-02-11 12:51 . 2008-02-11 12:51   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX2EF7.tmp
2008-02-11 12:49 . 2008-02-11 12:49   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX276C.tmp
2008-02-08 19:05 . 2008-02-08 19:05   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX2937.tmp
2008-02-05 09:49 . 2008-02-05 09:49   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX25E7.tmp
2008-02-04 16:37 . 2008-02-04 16:37   338,140   --a------   C:\WINDOWS\SYSTEM32\RCX2837.tmp
2008-02-04 16:12 . 2008-02-04 16:12   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX25AB.tmp
2008-02-03 17:30 . 2008-02-03 17:30   <DIR>   dr-------   C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-03 03:08 . 2008-02-03 03:08   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX211D.tmp
2008-02-03 03:08 . 2008-02-03 03:08   338,140   --a------   C:\WINDOWS\SYSTEM32\RCX2118.tmp
2008-02-03 03:02 . 2008-02-03 03:02   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX10B4.tmp
2008-02-03 03:02 . 2008-02-03 03:02   338,432   --a------   C:\WINDOWS\SYSTEM32\RCX1034.tmp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 18:49   278,546   ----a-w   C:\WINDOWS\FONTS\Setup.exe
2008-02-02 19:28   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX1275.tmp
2008-02-02 03:16   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX25D3.tmp
2008-02-02 03:10   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX23E8.tmp
2008-02-02 03:10   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX23AB.tmp
2008-02-02 03:09   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX2394.tmp
2008-02-02 03:06   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX228B.tmp
2008-02-02 03:06   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX223F.tmp
2008-02-02 03:04   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX20AF.tmp
2008-01-31 04:36   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCXFFA.tmp
2008-01-31 04:36   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCXFE7.tmp
2008-01-29 06:38   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXBBA.tmp
2008-01-29 06:38   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXBA2.tmp
2008-01-29 06:38   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB8F.tmp
2008-01-29 06:37   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCXB51.tmp
2008-01-29 06:37   338,432   ----a-w   C:\WINDOWS\SYSTEM32\RCX8B3.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB7D.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB6A.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB58.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB3D.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB2B.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXB0F.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXADD.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXAAB.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXA86.tmp
2008-01-29 06:37   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCXA60.tmp
2008-01-29 05:50   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCX8AA.tmp
2008-01-29 05:50   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCX89F.tmp
2008-01-29 05:50   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCX88B.tmp
2008-01-29 05:50   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCX878.tmp
2008-01-29 05:50   338,140   ----a-w   C:\WINDOWS\SYSTEM32\RCX854.tmp
2008-01-24 23:01   366,080   ----a-w   C:\WINDOWS\SYSTEM32\jkkihhi.dll
2008-01-24 23:01   366,080   ----a-w   C:\WINDOWS\SYSTEM32\iifdeed.dll
2008-01-24 23:01   366,080   ----a-w   C:\WINDOWS\SYSTEM32\awtutrs.dll
2008-01-22 00:03   ---------   d-----w   C:\Program Files\Lavasoft
2008-01-22 00:03   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 23:52   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 21:13   1,043,456   ----a-w   C:\WINDOWS\SYSTEM32\lgbpd .exe
2008-01-21 19:31   ---------   d-----w   C:\Program Files\MSN Messenger
2008-01-21 19:22   376,320   ----a-w   C:\WINDOWS\mrofinu1000140.exe.tmp
2008-01-21 19:17   ---------   d-----w   C:\Program Files\Dot1XCfg
2008-01-21 18:59   ---------   d-----w   C:\Program Files\slowaxis
2008-01-21 18:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
2008-01-21 18:59   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\slowaxis
2008-01-21 17:03   86,016   ----a-w   C:\WINDOWS\SYSTEM32\lgbsysinfo.dll
2008-01-21 17:03   81,920   ----a-w   C:\WINDOWS\SYSTEM32\lgbaudio.dll
2008-01-21 17:03   458,789   ----a-w   C:\WINDOWS\SYSTEM32\QHTM.dll
2008-01-21 17:03   40,960   ----a-w   C:\WINDOWS\SYSTEM32\xcon.dll
2008-01-21 17:03   372,736   ----a-w   C:\WINDOWS\SYSTEM32\ijl15.dll
2008-01-21 17:03   229,376   ----a-w   C:\WINDOWS\SYSTEM32\sdl.dll
2008-01-21 17:03   159,744   ----a-w   C:\WINDOWS\SYSTEM32\lgbskin.dll
2008-01-20 19:05   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-01-20 01:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\HP
2008-01-20 01:55   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\HP
2008-01-20 01:54   ---------   d-----w   C:\Program Files\Common Files\HP
2008-01-20 01:43   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-01-20 01:43   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2008-01-20 00:50   ---------   d-----w   C:\Program Files\HP
2008-01-19 04:41   ---------   d-----w   C:\Program Files\AV DVD Player Morpher
2008-01-10 22:26   12,328   ----a-w   C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-08 01:27   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-08 01:27   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\MSN6
2008-01-06 03:47   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Apple
2007-12-31 02:50   173,056   ----a-w   C:\WINDOWS\SYSTEM32\migicons.exe
2007-12-31 02:22   558,142   ----a-w   C:\WINDOWS\JAVA\Packages\1BB1N1Z5.ZIP
2007-12-31 02:22   271   --sh--w   C:\Program Files\desktop.ini
2007-12-31 02:22   23,357   ---h--w   C:\Program Files\folder.htt
2007-12-31 02:22   155,995   ----a-w   C:\WINDOWS\JAVA\Packages\Z13JBDBJ.ZIP
2007-12-14 16:32   12,632   ----a-w   C:\WINDOWS\SYSTEM32\lsdelete.exe
2005-07-29 21:24   472   --sha-r   C:\WINDOWS\QmlnIERhZGR5\kA5BKHl1t3lc.vbs
.
----a-w         1,043,456 2008-01-21 21:13:22  C:\WINDOWS\SYSTEM32\lgbpd .exe
----a-w          132,496 2008-01-21 21:13:16  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w          652,288 2008-02-13 05:32:56  C:\Program Files\QuickTime\qttask .exe
----a-w          267,048 2008-02-24 22:30:06  C:\Program Files\iTunes\iTunesHelper .exe
----a-w          49,152 2008-02-25 04:42:48  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w          61,440 2008-01-21 21:13:24  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w         5,674,352 2008-01-21 21:13:30  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w         1,084,928 2008-01-22 05:17:16  C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\BARBPR~1 .EXE
----a-w         1,058,816 2008-01-26 09:12:52  C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\Barb Program .exe
----a-w          407,552 2008-01-21 21:13:22  C:\Documents and Settings\Administrator\Application Data\slowaxis\global free .exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E3AECC2-7552-05FD-0213-2800B9CF8EBC}]
        C:\WINDOWS\System32\epclu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-03-02 00:33 1115728]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\System32\CTFMON.EXE" [2001-08-23 18:00 13312]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bzpygnhh]
C:\Program Files\Common Files\?ecurity\m?hta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dart bike]
C:\DOCUME~1\ADMINI~1\APPLIC~1\slowaxis\global free.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGBLiveUpdate]
C:\WINDOWS\System32\lgbpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\mllji.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mooh]
C:\WINDOWS\System32\FNTS~1\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2002-10-25 05:18 4239360 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2002-10-25 05:18 315392 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask  .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageProtector]
C:\Program Files\StorageProtector\SysRep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stupid creative poll axis]
C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\Barb Program.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2001-08-23 18:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ucookw]
C:\PROGRA~1\STORAG~1\ucookw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ucookw ]
C:\PROGRA~1\STORAG~1\UCOOKW~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Hidserv"=Hidserv.exe run
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme


.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-03-03 03:20:22 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-03-02 03:49:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 03:00:02 C:\WINDOWS\Tasks\AEB0FBCD91EF7065.job"
- c:\docume~1\admini~1\applic~1\slowaxis\bone plus cdrom.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 22:38:18
Windows 5.1.2600  FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
.
**************************************************************************
.
Completion time: 2008-03-02 22:38:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-03 03:38:48
ComboFix2.txt  2008-03-02 05:14:44


Thanks,

Jo

ANSWER: Hi Jo

ComboFix got rid of most of the entries. Run HijackThis again, click Scan, and put a checkmark in the boxes next to each of the entries below. Then click the Fix Checked button:

O2 - BHO: (no name) - {4E3AECC2-7552-05FD-0213-2800B9CF8EBC} - C:\WINDOWS\System32\epclu.dll (file missing)
O16 - DPF: Win32 Classes -

Now reboot, then download Dr.Web Cureit from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

* Double-click the drweb-cureit.exe file and allow it to run the express scan.
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, check whether you can click the "next" icon next to the files found.
* If so, click it, then click the next icon right below it and select Move incurable.
  This will move the file to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured.
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, send me the contents of the log from Dr.Web, along with a fresh HJT log.

Brian
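
The two entries Brian asks Jo to fix are the classic "orphan" signs in a HijackThis log: an O2 BHO whose DLL no longer exists and an O16 DPF line with no CLSID or download URL. The ComboFix "Reg Loading Points" section above shows the other tricks a helper looks for by eye: a space before the extension (`qttask  .exe`, `lgbpd .exe`, `Barb Program .exe`), characters the log can only render as `?` (`?ecurity\m?hta.exe`), 8.3 short names that hide the real directory (`FNTS~1\explorer.exe`), and system binaries living in the wrong place (`C:\winlogon.exe`). The script below is an added example, not code from the thread or from HijackThis/ComboFix; it encodes those checks as heuristics (the `EXPECTED_DIR` table and the flag wording are the editor's own assumptions) and runs them over entries copied from the logs above.

```python
"""Triage heuristics for HijackThis / ComboFix autostart entries (added example)."""
import re

# A Windows path ending in an executable-type extension, as it appears inside a
# HijackThis O2/O4/O16 line or as a ComboFix "Reg Loading Points" value.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\[\]<>|]*?\.(?:exe|dll|ocx|sys|bat|vbs|scr)(?=[\s"]|$)',
    re.IGNORECASE,
)

# Assumed table: where Windows XP keeps the binaries malware most often imitates.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: entries copied from the HijackThis log and the ComboFix
# "Reg Loading Points" section above, plus known-good lines for contrast.
SAMPLE_ENTRIES = [
    r"O2 - BHO: (no name) - {4E3AECC2-7552-05FD-0213-2800B9CF8EBC} - C:\WINDOWS\System32\epclu.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O16 - DPF: Win32 Classes -",
    r"O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab",
    r'O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background',
    r"C:\Program Files\QuickTime\qttask  .exe",
    r"C:\WINDOWS\System32\lgbpd .exe",
    r"C:\Program Files\Common Files\?ecurity\m?hta.exe",
    r"C:\WINDOWS\System32\FNTS~1\explorer.exe",
    r"C:\winlogon.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\PROGRA~1\STORAG~1\UCOOKW~1.exe",
]


def path_flags(path: str) -> list:
    """Return the reasons a path looks like a look-alike or misplaced binary."""
    flags = []
    lowered = path.lower()
    directory, _, base = lowered.rpartition("\\")
    # "qttask  .exe": whitespace before the extension creates a second file that
    # sorts next to the real one and is easy to mistake for it in listings.
    if re.search(r"\s+\.[a-z0-9]+$", base):
        flags.append("space before extension")
    # "?ecurity\m?hta.exe": '?' is how the log renders characters outside the
    # ANSI code page, typically Unicode look-alikes for a legitimate name.
    if "?" in path or any(ord(c) > 127 for c in path):
        flags.append("non-ANSI characters in path")
    # "FNTS~1", "STORAG~1": 8.3 short names hide the real directory name.
    if re.search(r"[a-z0-9]~\d", lowered):
        flags.append("8.3 short name in path")
    # A file named like a core system binary but stored somewhere else.
    if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
        flags.append("system binary outside its normal directory")
    return flags


def triage_line(line: str) -> dict:
    """Apply the log-level checks plus path_flags() to one log line."""
    flags = []
    match = PATH_RE.search(line)
    path = match.group(0) if match else None
    # HijackThis marks BHO/O4 targets that no longer exist on disk.
    if "(file missing)" in line:
        flags.append("orphaned entry: referenced file is missing")
    # A DPF (Downloaded Program Files) line should carry a CLSID and a URL.
    if line.startswith("O16 - DPF:") and not re.search(r"\{[0-9A-F-]{36}\}", line, re.I):
        flags.append("DPF entry with no CLSID or download URL")
    if path:
        flags.extend(path_flags(path))
    return {"line": line, "path": path, "flags": flags}


def triage(lines) -> list:
    """Return only the entries that raised at least one flag."""
    return [r for r in map(triage_line, lines) if r["flags"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES):
        print(hit["line"])
        for flag in hit["flags"]:
            print("    ->", flag)
```

These are triage hints, not verdicts: 8.3 short names and `DOCUME~1`-style paths also show up in legitimate entries, so a flagged line still has to be checked against the file on disk (size, signature, creation time) before it is fixed.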

---------- FOLLOW-UP ----------

QUESTION: Hello Brian,
Sorry I couldn't get back to you; I've been away for a while. Alright, I did what you asked me with the Dr.Web program. Here is the report and a fresh HJT report.


RCX25AB.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX1034.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX10B4.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX211D.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX25E7.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX2937.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX1C18.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3214.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX276C.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX28E0.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX2EF7.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX373D.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3434.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX355D.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3890.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX37C8.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3327.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3C9F.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3CAE.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX24C9.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX50A3.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX1D25.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX42BC.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX5199.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4F35.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX52F9.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX512B.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX5338.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4F39.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4A51.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX394C.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4A7B.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4AC4.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX3543.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX4DD7.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX7D3.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX5335.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX5A23.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX8B3.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCXB51.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCXFE7.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCXFFA.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX20AF.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX223F.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX228B.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX2394.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX23AB.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX23E8.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX25D3.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX1275.tmp;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
SECURITY.tmp.LOG;C:\WINDOWS\SYSTEM32\config;Trojan.MulDrop.11190;Deleted.;
Setup.exe;C:\WINDOWS\FONTS;Trojan.DownLoader.39189;Deleted.;
QTTask.exe;C:\Program Files\QuickTime;Trojan.MulDrop.11190;Deleted.;
qttask .exe;C:\Program Files\QuickTime;Trojan.MulDrop.11190;Deleted.;
Dot1XCfg .exe;C:\Program Files\Dot1XCfg;Trojan.Stars.184;Deleted.;
A0000009.bat;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP1;Probably SCRIPT.Virus;Incurable.Moved.;
A0008352.exe\data001;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5\A0008352.exe;Tool.FirePassword;;
A0008352.exe\data002;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5\A0008352.exe;Tool.Netpass;;
A0008352.exe\data003;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5\A0008352.exe;Tool.PassView;;
A0008352.exe;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Archive contains infected objects;Moved.;
A0008353.dll;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.Virtumod.260;Deleted.;
A0008355.dll;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.Virtumod.269;Deleted.;
A0008356.dll;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.Virtumod.280;Deleted.;
A0008358.bat;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Probably BATCH.Virus;Incurable.Moved.;
A0008379.bat;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Probably SCRIPT.Virus;Incurable.Moved.;
A0009421.exe;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.DownLoader.39189;Deleted.;
A0009422.exe;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.MulDrop.11190;Deleted.;
A0009423.exe;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.MulDrop.11190;Deleted.;
A0009424.exe;C:\System Volume Information\_restore{043C0D8B-D173-4450-878C-F0E21160E6C2}\RP5;Trojan.Stars.184;Deleted.;
winlogon.exe.vir\data001;C:\QooBox\Quarantine\C\winlogon.exe.vir;Tool.FirePassword;;
winlogon.exe.vir\data002;C:\QooBox\Quarantine\C\winlogon.exe.vir;Tool.Netpass;;
winlogon.exe.vir\data003;C:\QooBox\Quarantine\C\winlogon.exe.vir;Tool.PassView;;
winlogon.exe.vir;C:\QooBox\Quarantine\C;Archive contains infected objects;Moved.;
Yazzle1396OinAdmin.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
Yazzle1396OinUninstaller.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files;Adware.Outer;Incurable.Moved.;
FF.dll.vir;C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components;Adware.ClickSpring - read error;;
kernInst.exe.vir;C:\QooBox\Quarantine\C\Program Files\Temporary;Trojan.Winpop.origin;Incurable.Moved.;
mrofinu1000106.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.DownLoader.45546;Deleted.;
windows.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Starter.341;Deleted.;
RCX25.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX98.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCXC7.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX16.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX80.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCXB.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
RCX1F.tmp.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
ytoumgla.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.EzulaAd;Deleted.;
hqk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring.origin;Incurable.Moved.;
mllji.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
geeby.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.MulDrop.11190;Deleted.;
awvtq.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.16833;Deleted.;
ddayy.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.268;Deleted.;
dhrpthuk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.260;Deleted.;
eetdsuyv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.274;Deleted.;
fgboghwu.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
fjptfbns.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.272;Deleted.;
geeby.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.257;Deleted.;
gxbsbjmf.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.274;Deleted.;
hmjvpuwf.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
jnpsfanq.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
kmekorig.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.263;Deleted.;
ktahflmf.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
loecoljl.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
mljjh.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.268;Deleted.;
mllji.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.257;Deleted.;
pmkjg.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Click.16833;Deleted.;
qxfrtqhb.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.280;Deleted.;
rrywbsnq.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
uykalnkp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.280;Deleted.;
wfkeabpa.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
acoqlntr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.260;Deleted.;
hixsabue.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
yrbcsqvf.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Virtumod.280;Deleted.;
explorer .exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\FNTS~1;Trojan.DownLoader.45540;Deleted.;
nGpxx051080.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nGpxx05;Trojan.DownLoader.24715;Deleted.;



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:31 PM, on 09/03/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1275210071-1482476501-839522115-500\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\windows\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 3905 bytes


Answer
Hi Jo

Your log file looks clean.  However, I can't be one hundred percent certain that the malware is completely gone.  You are running XP without any Service Packs installed, which can leave gaping holes in your security.  Also, there is no anti-virus program running, which is also a concern.  If you are having no signs of malware and your computer is running normally again, I very strongly suggest that you run Windows Update to install the latest security fixes.  After which, install a good virus solution, such as the free AVG Antivirus or the equally good Avast! antivirus:
http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0
http://www.avast.com/eng/avast_4_home.html
If you have further problems or questions, please don't hesitate to contact me again.  Good luck.

Brian
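To make the three checks in the answer above repeatable (service-pack level from the Platform line, entries marked "(file missing)", O23 services with no vendor information, and whether any antivirus product shows up at all), here is an added example that is not part of the original post and not HijackThis code. The sample log excerpt, the placeholder GUID and the antivirus keyword list are constructed for illustration.

```python
import re

# Constructed excerpt in the HijackThis v2.0.2 layout used above (not a real scan).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP  (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll (file missing)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\System32\exsvc.exe
"""

# Illustrative keyword list (an assumption): real triage would use a curated product list.
AV_KEYWORDS = ("antivirus", "anti-virus", "avast", "avg ", "norton", "mcafee", "kaspersky")


def service_pack(log: str):
    """Service-pack level from the Platform line: 0 when none is listed, None if no line."""
    m = re.search(r"^Platform:\s+Windows\s+\w+(?:\s+SP(\d))?\s+\(WinNT", log, re.M)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else 0


def services(log: str):
    """Parse O23 lines into (display name, vendor, path) triples."""
    out = []
    for line in log.splitlines():
        if line.startswith("O23 - Service: "):
            # HijackThis separates the three fields with " - "; the path may not contain it.
            name, vendor, path = line[len("O23 - Service: "):].split(" - ", 2)
            out.append((name, vendor, path))
    return out


def triage(log: str) -> dict:
    """Apply the checks from the answer above to one HijackThis log."""
    svcs = services(log)
    blob = log.lower()
    return {
        "service_pack": service_pack(log),
        "file_missing": [l for l in log.splitlines() if l.endswith("(file missing)")],
        "unknown_owner": [s[0] for s in svcs if s[1] == "Unknown owner"],
        "antivirus_seen": any(k in blob for k in AV_KEYWORDS),
    }
```

On the sample above `triage` reports service pack 0, one "(file missing)" BHO, one service with an unknown owner and no antivirus product, which is the same picture the answer draws from the real log.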

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated
Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.