  #31  
17th Jan 2008, 10:31 PM
evilfantasy (Moderator Group)
Odd sound problem

Well we know what is left to do now, should be easy.


Go to add/remove programs and uninstall these: (if found)

mymorpheusToolbar
MorpheusBar
MyWebSearch
Trymedia

These have become infected by a trojan.

----------

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and save it to your desktop.

Double click OTMoveIt2.exe to launch it.

Be sure there is a check mark next to Unregister Dll's and OCX's
  • Copy both of the file paths below to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy.

C:\Downloads\Combat_Wings-dm.exe
C:\Program Files\Morpheus\mymorpheusToolbar.exe

  • Return to OTMoveIt, right click in the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will appear in the right hand pane.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy, and paste it on your next reply.
  • When finished click Exit to exit the program.
  • Please add the log in your next reply.
<<< Go ahead and post this log now before moving on.
  • If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at : C:\_OTMoveIt\MovedFiles\********_******.log
  • (where "********_******" is the "date_time")

Click Exit to close OTMoveIt.

---------------

This scan will only take a few minutes.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

---------------

Next post
OTMoveIt log << Unless you already posted it.
SDFix log
  #32  
17th Jan 2008, 11:04 PM
Vlindsio (Member Group)

That looks like it'll take awhile, so I may have to do it tomorrow, as the whole of my waking hour I had to do that scan lol.

I shall be back within 8-10 hours with the logs.
  #33  
17th Jan 2008, 11:14 PM
evilfantasy (Moderator Group)

No problem. I can say we are very close to the end of this now.

See ya tomorrow.
  #34  
18th Jan 2008, 11:52 AM
Vlindsio (Member Group)

OTmoveit2 done, here's the results:

C:\Downloads\Combat_Wings-dm.exe moved successfully.
C:\Program Files\Morpheus\mymorpheusToolbar.exe moved successfully.

OTMoveIt2 v1.0.8 log created on 01182008_195204


I'll follow with the other one soon.
  #35  
18th Jan 2008, 12:23 PM
Vlindsio (Member Group)

Here's my final report =D:

SDFix: Version 1.127
Run by Administrator on 18/01/2008 at 19:59
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found


Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 20:06:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60A8999D-1F2F-8066-DEA0-ABE6C6473501}]
"abegicfkpibhlfcinaimpljgfiicdieodm"=hex:64,62,63,68,61,6d,67,62,6e,62,64,67,6a,68,66,63,62,6f,6d,6c,64,..
"bbegicfkpibhlfcinanmcenlihdjokhnefcc"=hex:61,62,6a,68,69,69,6e,65,61,6f,70,64,70,6b,6b,61,63,6d,65,70,62,..
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Call"
"I:\\Games\\EA GAMES\\Battlefield 2\\BF2.exe"="I:\\Games\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------

Files with Hidden Attributes:
Wed 3 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 19 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 25 Jan 2007 1,609 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Fri 19 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0089cd1ec7c03d0a52caa6b6ea801507\BIT11.tmp"
Wed 28 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a53bf224a188f23c622431aa5c569c34\BIT2.tmp"
Fri 21 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT3.tmp"
Wed 3 Jan 2007 4,348 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Wed 3 Jan 2007 20 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 3 Jan 2007 312 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Wed 3 Jan 2007 1,536 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2lic.bak"
Finished!


_______________________________

I don't know if this may have caused anything to appear incorrect, but something fell onto the keyboard as the SDfix was finishing the very last phase and a button was pushed.
I didn't see anything happen, but all I saw was the SDfix finishing as normal, so I don't know if I aborted it ... or if it was coincidental.
  #36  
18th Jan 2008, 12:25 PM
evilfantasy (Moderator Group)

Post one last Hijackthis log and I am pretty sure we can wrap this up.
  #37  
18th Jan 2008, 12:30 PM
Vlindsio (Member Group)

Was a lot quicker that time =].




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:36, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\tblmouse.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [prOSeLogin] C:\Program Files\SymplisIT\RecoverMagic\prose.exe /auto
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187781780562
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O24 - Desktop Component 0: (no name) - http://www.imnotobsessed.com/image/harrybum1.jpg
O24 - Desktop Component 1: (no name) - http://www.nvnews.net/images/screens...ulator_x_1.jpg
O24 - Desktop Component 2: (no name) - http://www.hostropolis.com/april/potter.jpg
--
End of file - 9727 bytes
  #38  
18th Jan 2008, 12:41 PM
evilfantasy (Moderator Group)

Remove the Morpheus Bar entries with HJT.

Open HijackThis and select Do a system scan only, then place a check mark next to:

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL


Close all windows except for HijackThis and click Fix checked

Exit HijackThis.


As far as the sound problem, I would start a new thread in the multimedia drivers and codecs forums.

It will get seen there and someone who has more knowledge on this type of thing will help out.

Closing steps.

Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
  • The above procedure will:
      • Delete the following: ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished, exit out of OTMoveIt2.

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future. << I suggest looking at the firewalls and installing a better one. They are free.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


Sorry I am not much help on the sound issue, but someone will work through it with you I am sure.


Let me know if any malware problems come back.

Cheers................
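An added example, not part of evilfantasy's post or of HijackThis itself: a small Python parser for the HijackThis entry lines quoted in this thread, used to check a fresh log for entries that still point into a folder that was already uninstalled (as the MorpheusBar entries did) or whose file is missing. The function names and the reduced sample log are assumptions made for illustration.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# Constructed sample: four entries copied from the HijackThis log lines quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
"""

class Entry(NamedTuple):
    code: str               # section code such as "O2" or "O23"
    name: str
    clsid: Optional[str]    # present on BHO/toolbar/search-hook entries
    target: str             # file path the entry points at
    file_missing: bool      # HijackThis appended "(file missing)"

# Covers only the "CODE - Kind: name - ... - target" layout of the entries above.
LINE = re.compile(r"^([A-Z]\d{1,2}) - [^:]+: (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"

def parse_log(text):
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, process list, blank lines, "End of file" trailer
        code, rest = m.groups()
        fields = rest.split(" - ")
        missing = fields[-1].endswith(MISSING)
        target = fields[-1][:-len(MISSING)] if missing else fields[-1]
        clsid = CLSID.search(rest)
        entries.append(Entry(code, fields[0], clsid.group(0) if clsid else None, target, missing))
    return entries

def under_dir(path, directory):
    """Case-insensitive containment on a path-component boundary (Windows semantics)."""
    root = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\") + "\\"
    return ntpath.normcase(ntpath.normpath(path)).startswith(root)

def leftovers(entries, removed_dirs):
    """(entry, reason) for targets inside a removed folder or files that are gone."""
    found = []
    for e in entries:
        if any(under_dir(e.target, d) for d in removed_dirs):
            found.append((e, "points into removed program folder"))
        elif e.file_missing:
            found.append((e, "registered file is missing"))
    return found
```

Calling `leftovers(parse_log(log_text), [r"C:\Program Files\MorpheusBar"])` on a saved log lists the entries to review; the component-boundary check keeps `C:\Program Files\Morpheus` from matching `C:\Program Files\MorpheusBar` by prefix alone.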
  #39  
Old 18th Jan 2008, 01:06 PM
Vlindsio

Thank you very much for your help!

Although the sound problem was not fixed, I somehow feel a little more relieved that traces of that dreadful trojan virus have been removed.

I shall make a new post on the other forum and hopefully my sound problem can be fixed.

Thanks a lot for your help again.
  #40  
Old 18th Jan 2008, 01:12 PM
evilfantasy

That was definitely a sticky one!!!!!

See ya.......
Copyright ©2006 - 2008 Computer Juice.