Computer Juice > Computer Software > Virus, Spyware & Security
  #1  
Old 6th Oct 2008, 23:30
New Member Group
 
Hi,

Any help with this issue much appreciated. SAS, SSD and anti-malware can't seem to locate whatever I have. Here's what's going on:

1) If not connected to my modem, constant clicking comes from my computer (I assume because something is trying to open iexplorer.exe).
2) Occasionally a beeping (one unlike any I've ever heard) beeps three or four times.
3) If connected to the modem, iexplorer.exe is running (although I never use Internet Explorer) and when I shut down the process it opens right back up.


Many thanks for any and all help, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:50 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\INITIO\Button Manager v1.836\inihid.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\QH8jvpp4.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.34.113.100:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Media Player.lnk = ?
O4 - Global Startup: Button Manager v1.836.lnk = ?
O4 - Global Startup: instiki.bat
O4 - Global Startup: Linksys EasyLink Advisor.lnk = C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup145.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
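As an added triage example (not code from the thread, HijackThis or SDFix), the script below parses the entry types that matter most in a log like the one above and surfaces the R1 proxy setting, the O15 Trusted-zone entry and the random-looking executable under system32. The sample lines are constructed from the values in post #1, and every rule is a heuristic that still needs an analyst's judgement.

```python
"""Triage helper for HijackThis-style logs: an added example for this thread,
not part of HijackThis, SDFix or the forum's tooling. Every finding is a
prompt for analyst review, not a verdict."""
import ipaddress
import re

# Constructed sample in the shape of the log in post #1 (values copied from it).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\QH8jvpp4.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.34.113.100:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted IP range: 206.161.125.149
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^\S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,10}$")

def parse_log(text):
    """Split a log into the running-process list and (type, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), m.group("body")))
    return processes, entries

def looks_random(stem):
    """Heuristic for generated file names: 6-10 alphanumerics mixing upper and
    lower case with at least two digits. Flags QH8jvpp4, not Ati2evxx or svchost."""
    if not RANDOM_NAME_RE.match(stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    return digits >= 2 and any(c.isupper() for c in stem) and any(c.islower() for c in stem)

def image_stem(cmd):
    """File-name stem of the program in a process path or autorun command line."""
    if cmd.startswith('"'):
        image = cmd[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces, so cut at the first .exe
        m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
        image = m.group(1) if m else cmd.split(" ", 1)[0]
    return image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def proxy_host_is_external(proxy):
    """True when a ProxyServer value points outside loopback/private space.
    Handles the plain host:port form seen in the log, not per-protocol lists."""
    host = proxy.rsplit(":", 1)[0] if ":" in proxy else proxy
    if host.lower() in ("", "localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname cannot be classified offline, so surface it
    return not (addr.is_loopback or addr.is_private)

def triage(text):
    """Apply the heuristics; returns (entry type, original text, reason) in log order."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if looks_random(image_stem(proc)):
            findings.append(("process", proc, "random-looking executable name"))
    for etype, body in entries:
        if etype == "R1":
            key, _, value = body.partition(" = ")
            if key.endswith(",ProxyServer") and proxy_host_is_external(value):
                findings.append((etype, body, "browser traffic routed through an external proxy"))
        elif etype == "O4":
            m = O4_RE.match(body)
            if m and looks_random(image_stem(m.group("cmd"))):
                findings.append((etype, body, "autorun with random-looking executable name"))
        elif etype == "O15":
            findings.append((etype, body, "address added to the Trusted zone; confirm it was intended"))
    return findings

if __name__ == "__main__":
    for etype, text, reason in triage(SAMPLE_LOG):
        print(f"[{etype}] {reason}\n    {text}")
```

Run against the sample it reports three items: the QH8jvpp4.exe process, the external ProxyServer and the O15 entry, while legitimate names such as Ati2evxx.exe pass the heuristic.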
  #2  
Old 7th Oct 2008, 00:28
Moderator Group
 
You are running an outdated version of HijackThis. Please install the new version of HijackThis but don't run it until after SDFix has completed its process.

Download TrendMicro HijackThis.exe (HJT) to the Desktop.
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

----------

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

  #3  
Old 7th Oct 2008, 02:15
New Member Group
 
Thanks for your help,

This is a nasty one! The problem is still ongoing, although my computer got about 20 mins of respite after running SDFix.

SDFix and HiJackThis logs follow:


And once again many, many thanks


SD Fix:

SDFix: Version 1.230
Run by Owner on Mon 10/06/2008 at 11:59 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CQVJNG.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTBLTF.EXE - Deleted
C:\WINDOWS\SYSTEM32\PUOGNR.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 00:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"="C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe:*:Enabled:Super TextTwist"
"C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe"="C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe:*:Disabled:Lemonade"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Global Star\\Age of Sail II\\privateer.exe"="C:\\Program Files\\Global Star\\Age of Sail II\\privateer.exe:*:Enabled:privateer"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Atari-Infogrames\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe"="C:\\Program Files\\Atari-Infogrames\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe:*:Enabled:Civilization3X"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"="C:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe:*:Enabled:Kerio Personal Firewall Engine"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast"
"C:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopAdver"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Charon.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Charon.exe:*:Enabled:Charon - A proxy checking / scanning program."
"C:\\ruby\\bin\\ruby.exe"="C:\\ruby\\bin\\ruby.exe:*:Enabled:Ruby interpreter"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus (2)"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Documents and Settings\\Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe:*:Enabled:PowerSoccer"
"C:\\Documents and Settings\\jen\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"="C:\\Documents and Settings\\jen\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe:*:Enabled:PowerSoccer"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Disabled:Sentinel Protection Server"
"C:\\Program Files\\NHL 2008\\nhl2008.exe"="C:\\Program Files\\NHL 2008\\nhl2008.exe:*:Enabled:nhl2008"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008 US\\PES2008.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008 US\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 27 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 14 Jun 2008 50,688 ...H. --- "C:\Documents and Settings\jen\Desktop\~WRL0001.tmp"
Sat 14 Jun 2008 50,176 ...H. --- "C:\Documents and Settings\jen\Desktop\~WRL1778.tmp"
Mon 3 Mar 2008 176,128 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\Interop.NetworkCore.dll"
Mon 3 Mar 2008 36,864 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaAccount.dll"
Mon 3 Mar 2008 200,704 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaNetwork.dll"
Mon 3 Mar 2008 143,360 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaNetworkLib.dll"
Mon 3 Mar 2008 20,480 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaPrint.dll"
Mon 3 Mar 2008 176,128 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaResource.dll"
Mon 3 Mar 2008 151,552 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LelaServices.dll"
Mon 3 Mar 2008 110,592 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe"
Mon 3 Mar 2008 18,879,808 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\LinksysUpdaterSetup.exe"
Mon 3 Mar 2008 270,336 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\log4net.dll"
Mon 3 Mar 2008 8,353,080 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\PlatformSetup.exe"
Mon 23 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Sat 20 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp"
Sun 21 Oct 2007 87,552 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL0029.tmp"
Sun 21 Oct 2007 85,504 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL0207.tmp"
Sun 21 Oct 2007 88,576 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL0362.tmp"
Sun 21 Oct 2007 88,576 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL1369.tmp"
Sun 21 Oct 2007 81,920 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL1945.tmp"
Sun 21 Oct 2007 84,992 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL2108.tmp"
Sun 21 Oct 2007 88,576 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL2659.tmp"
Sun 21 Oct 2007 87,552 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL2779.tmp"
Sun 21 Oct 2007 86,016 ...H. --- "C:\Documents and Settings\jen\Desktop\analyst oct2007\~WRL2918.tmp"
Sat 9 Jun 2007 33,280 ...H. --- "C:\Documents and Settings\jen\Local Settings\Temp\~WRL1284.tmp"
Tue 27 Dec 2005 33,280 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL0003.tmp"
Tue 27 Dec 2005 33,792 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL0774.tmp"
Tue 27 Dec 2005 34,816 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL0804.tmp"
Tue 27 Dec 2005 33,792 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL1393.tmp"
Tue 27 Dec 2005 36,864 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL1707.tmp"
Tue 27 Dec 2005 33,280 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL2134.tmp"
Tue 27 Dec 2005 35,840 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL2768.tmp"
Tue 27 Dec 2005 33,280 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL3330.tmp"
Tue 27 Dec 2005 36,352 ...H. --- "C:\Documents and Settings\jen\My Documents\seasmoke\~WRL3500.tmp"
Mon 3 Jan 2005 25,088 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Scans\~WRL2003.tmp"
Mon 3 Jan 2005 25,088 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Scans\~WRL3264.tmp"
Mon 17 Apr 2006 40,960 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\~WRL2617.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\~WRL2726.tmp"
Sun 24 Sep 2006 30,720 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\~WRL3228.tmp"
Sun 16 Apr 2006 38,912 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\~WRL3396.tmp"
Mon 3 Mar 2008 81,920 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\ar\LelaResource.resources.dll"
Mon 3 Mar 2008 69,632 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\da\LelaResource.resources.dll"
Mon 3 Mar 2008 73,728 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\de\LelaResource.resources.dll"
Mon 3 Mar 2008 94,208 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\el\LelaResource.resources.dll"
Mon 3 Mar 2008 77,824 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaAccount.resources.dll"
Mon 3 Mar 2008 446,464 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaNetwork.resources.dll"
Mon 3 Mar 2008 11,407,360 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\LelaResource.resources.dll"
Mon 3 Mar 2008 1,916,928 A.SHR --- "C:\Program Files\Linksys\Linksys EasyLink Advisor\en-US\Linksys EasyLink Advisor.resources.dll"
Tue 25 Mar 2008 26,112 ...H. --- "C:\Documents and Settings\All Users\Documents\Happy House Info\2008\~WRL0454.tmp"
Thu 27 Mar 2008 22,016 ...H. --- "C:\Documents and Settings\All Users\Documents\Happy House Info\2008\~WRL1118.tmp"
Fri 7 Apr 2006 3,595,264 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2168.tmp"
Fri 7 Apr 2006 3,593,728 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2962.tmp"
Wed 5 Apr 2006 4,252,160 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3217.tmp"
Fri 27 Jan 2006 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sat 30 Sep 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 27 Jan 2006 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Mon 18 Sep 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Biotech 206B\~WRL0004.tmp"
Tue 31 Oct 2006 114,688 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Biotech 206B\~WRL1340.tmp"
Sun 17 Sep 2006 30,720 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Biotech 206B\~WRL2439.tmp"
Mon 18 Sep 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Biotech 206B\~WRL3767.tmp"
Wed 21 Sep 2005 26,624 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\~WRL0005.tmp"
Sat 26 Nov 2005 27,136 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\~WRL3662.tmp"
Mon 13 Jun 2005 30,208 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL0386.tmp"
Sun 5 Jun 2005 25,088 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL0788.tmp"
Sun 5 Jun 2005 25,600 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL0794.tmp"
Mon 13 Jun 2005 30,208 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL1533.tmp"
Wed 1 Jun 2005 24,064 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL1817.tmp"
Mon 13 Jun 2005 31,232 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL2720.tmp"
Tue 14 Jun 2005 35,840 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL2966.tmp"
Tue 14 Jun 2005 36,864 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL3073.tmp"
Thu 9 Jun 2005 28,160 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\Eng 150\~WRL3453.tmp"
Thu 2 Feb 2006 382,464 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0003.tmp"
Fri 7 Apr 2006 3,594,240 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0004.tmp"
Wed 5 Apr 2006 4,243,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0010.tmp"
Wed 5 Apr 2006 4,254,720 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0303.tmp"
Sat 4 Feb 2006 928,256 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0501.tmp"
Sun 5 Feb 2006 591,360 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL0928.tmp"
Wed 5 Apr 2006 4,254,720 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL1029.tmp"
Wed 5 Apr 2006 24,064 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL1104.tmp"
Sat 4 Feb 2006 384,000 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL1259.tmp"
Wed 5 Apr 2006 4,243,456 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL1375.tmp"
Wed 5 Apr 2006 4,244,992 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL1969.tmp"
Thu 6 Apr 2006 710,656 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2066.tmp"
Fri 31 Mar 2006 35,840 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2175.tmp"
Tue 28 Mar 2006 185,856 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2368.tmp"
Fri 31 Mar 2006 65,024 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2573.tmp"
Tue 4 Apr 2006 4,242,944 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2686.tmp"
Sun 5 Feb 2006 891,904 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2700.tmp"
Sat 4 Feb 2006 507,392 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2881.tmp"
Wed 5 Apr 2006 4,244,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL2992.tmp"
Wed 5 Apr 2006 24,576 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3160.tmp"
Wed 5 Apr 2006 4,242,432 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3277.tmp"
Sat 4 Feb 2006 928,768 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3387.tmp"
Wed 5 Apr 2006 4,251,648 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3591.tmp"
Sat 4 Feb 2006 383,488 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3770.tmp"
Wed 5 Apr 2006 4,243,456 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3900.tmp"
Wed 5 Apr 2006 4,243,456 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL3905.tmp"
Sat 4 Feb 2006 382,976 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\ENVR 253\~WRL4065.tmp"
Thu 23 Mar 2006 27,648 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Envrionmental\~WRL3569.tmp"
Sat 25 Nov 2006 20,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Geog 220\~WRL1016.tmp"
Mon 4 Dec 2006 27,648 ...H. --- "C:\Documents and Settings\Owner\My Documents\School\Geog 220\~WRL2705.tmp"
Sun 6 Mar 2005 56,832 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\physics 11\~WRL3235.tmp"
Sun 20 Feb 2005 36,864 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\physics 11\~WRL3307.tmp"
Sun 13 Nov 2005 27,648 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL0952.tmp"
Sun 13 Nov 2005 27,648 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL1162.tmp"
Sun 13 Nov 2005 26,112 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL1539.tmp"
Sun 13 Nov 2005 24,576 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL1964.tmp"
Sun 13 Nov 2005 27,136 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL2068.tmp"
Sun 13 Nov 2005 28,672 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL3230.tmp"
Sun 13 Nov 2005 27,648 A..H. --- "C:\Documents and Settings\Owner\My Documents\School\chem 120 labs\chem theory\~WRL3512.tmp"

Finished!

HiJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:20 AM, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\INITIO\Button Manager v1.836\inihid.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\QH8jvpp4.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.34.113.100:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = ?
O4 - Global Startup: Button Manager v1.836.lnk = ?
O4 - Global Startup: instiki.bat
O4 - Global Startup: Linksys EasyLink Advisor.lnk = C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup145.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 9148 bytes
  #4  
Old 7th Oct 2008, 09:48
Moderator Group
 
Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.

Note:
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
__________________
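An added example, not part of this thread or of HijackThis itself: a small Python triage pass over HijackThis-style log lines that flags the kinds of entries discussed above for review (the O15 trusted-IP and ProtocolDefaults lines, a ProxyServer set to a bare IP address, and random-looking executable names in system32). The sample lines are constructed from the shapes seen in this thread, and the name-shape rule and allowlist are heuristics of this example, not HijackThis logic.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the kinds of entries in this thread's log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\QH8jvpp4.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.34.113.100:80
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
TRUSTED_RE = re.compile(r"^O15 - Trusted IP range: (?P<ip>\S+)")
PROTO_RE = re.compile(r"^O15 - ProtocolDefaults: .*should be ")
# First Windows path on the line and the .exe name it ends in.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\\(?P<name>[^\\\s"]+\.exe)', re.IGNORECASE)
# Eight mixed-case alphanumerics including a digit: the shape of the names in this thread.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}\.exe$")
# The shape heuristic alone misfires on legitimate files, so an allowlist is needed;
# Ati2evxx.exe (ATI display-driver helper, present in this log) has exactly that shape.
ALLOWLIST = {"ati2evxx.exe"}


def flag_line(line: str) -> Optional[str]:
    """Return why a HijackThis line deserves review, or None if it looks benign."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m and IP_PORT_RE.match(m.group("proxy")):
        return f"proxy server set to a bare IP address ({m.group('proxy')})"
    m = TRUSTED_RE.match(line)
    if m:
        return f"IP range added to a trusted zone ({m.group('ip')})"
    if PROTO_RE.match(line):
        return "protocol default zone changed away from the Internet Zone"
    m = EXE_RE.search(line)
    if m and "\\system32\\" in m.group(0).lower():
        name = m.group("name")
        if name.lower() not in ALLOWLIST and RANDOM_NAME_RE.match(name):
            return f"random-looking executable in system32 ({name})"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Pair every flagged line with its reason, in log order."""
    return [(raw.strip(), why) for raw in log_text.splitlines()
            if (why := flag_line(raw))]
```

Running `triage(SAMPLE_LOG)` returns four hits; the allowlisted ATI helper and the ordinary O4 entry are left alone.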

  #5  
Old 7th Oct 2008, 18:34
New Member Group
 
Thanks EF you rock,

The combofix log is huge so it's attached as a zip file:
combofixlog.zip
  #6  
Old 7th Oct 2008, 18:44
Moderator Group
 
1. Click START then RUN
2. Now type Combofix /u in the runbox
3. Make sure there's a space between Combofix and /u
4. Then hit Enter.

----------

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
[kill explorer]
C:\WINDOWS\system32\xVB47F7a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RGI5.tmp
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

After posting the OTMoveIt2 log:

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished, exit out of OTMoveIt2

----------

Run CCleaner.

----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
__________________

Copyright ©2006 - 2009 Computer Juice.
