borojamie Posted December 9, 2009

Hi All, hoping someone can help a computer biff :-) I have an XP Pro laptop and was on Facebook earlier today when McAfee started flashing all sorts of virus warnings and quarantines up. I closed Internet Explorer and checked McAfee: about 10-15 warnings had been notified, along with a request to change my registry, which I denied. My whole laptop then froze, so I re-booted it; about 5-8 minutes after loading up it froze again and now does so repeatedly. Assuming I have a virus I tried to delete the files in temp internet (the ones warned by McAfee), however the Folder Options button under Tools has disappeared from Explorer, stopping me from displaying hidden files. These do not appear via search (*.tmp, ~mp) either. I cannot run a System Restore as it says it needs to be run by an administrator, however my account is the administrator's account (???). It will not allow me to enter Safe Mode but does run a scandisk every time it re-boots, finding various problems within the temp internet files folder. I have a large folder of photographs that are not backed up anywhere else, so I don't want to restore to factory settings; however everything else can be downloaded/re-installed (I think lol). Do you guys have any suggestions/ideas of how to resolve this? As far as I know my McAfee is up to date and so are my Windows updates, so I didn't think I'd have a problem :-( Any help would be gratefully appreciated. Thanks, Jamie
RandyL Posted December 9, 2009

Hi borojamie. It does indeed seem that you have some very serious issues. You probably are infected and it seems serious. I suggest you wait for our resident malware removal expert to reply. His name is chiaz and he is formally trained and quite excellent. If backing up is a high priority there are ways to do it even if you can't get into Windows, but even the easiest way involves removing the hard drive and connecting it to a caddy or using a laptop-to-desktop adapter cable. I see you are using XP Professional, so I hope you have not encrypted the files you need. Even if you have not, you still may need to take ownership if you slave the drive and want to back up the files. First things first though. What is your main priority? Also I would wait for chiaz to weigh in on the seriousness of this issue.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
borojamie (Author) Posted December 9, 2009

Hi Randy, thank you for your help :-) Is it OK to slave a laptop hard disk to a main PC or do I need a second laptop? Yeah, I'm happy to wait to speak to Chiaz too :-) I'm totally lost lol. The main priority is to have a working laptop, however I am keen to keep the photos if possible (I'm UK Air Force and lots of them are Op Tour ones). I have access to all the software, but it would be good to check what is on so I can re-install if required. Luckily all my other media files are held on an external HD (well, mainly lol). Thanks again mate, take care, Jamie
RandyL Posted December 9, 2009

UK Air Force. Very noble my friend. A laptop drive to desktop drive cable converter is very cheap. A caddy slightly more. However please wait for chiaz on this matter as he will likely know more on how serious this is. As for what else needs to be backed up, how to do it or if it even needs to be done is another story. Personally I'm a fanatic about everything backup, but first things first.
borojamie (Author) Posted December 9, 2009

Thank you! :-) Both us and the USAF work very close; I guess we are kindred nations. It's good to know you guys hold us in high esteem, a lot more so than the British public. Thanks for your advice; my g/f works with an IT section so she is going to try and grab a lead, as it's only temporary it will save the caddy option I guess. I'll still wait to speak to Chiaz, hopefully he can help advise, although I think the factory settings option is probably best. Lesson learned on the backing up option :-) lol. Thanks for your help Randy
chiaz Posted December 10, 2009

Hi borojamie, seems like something is loading at start-up that causes this issue. Looks like we can't run any conventional scanner programs as your PC freezes up that fast.

Please download the latest version of HijackThis from Trend Micro and save it to your desktop.
Download HJTInstall.exe to your desktop.
Double-click HJTInstall.exe to install HijackThis. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Copy and paste this log in your next reply.

Notes: Do not use the AnalyseThis button; its findings are dangerous if misinterpreted. Do not have HijackThis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should.
borojamie (Author) Posted December 10, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:59, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Acer | Product registration
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\xkwqhyjqen.dll - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU" (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: gar873hruefrh87w3hjinhef87w3h7dfd - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca28baf7cbe6a6) (gupdate1ca28baf7cbe6a6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 17036 bytes
borojamie (Author) Posted December 10, 2009

Hi Chiaz, thanks for your help. I have followed your direction above and copied and pasted it from my infected laptop. The first time it tried, my PC threw up some MS virus problems suggesting 18 trojans, amongst some other things, but it froze and disappeared before I could printscreen/write them down. At first I thought this could be your website security as it was just as I entered this URL. Thanks again for your help, sorry for being such a pain! Jamie
chiaz Posted December 10, 2009

Hi Jamie, your computer is VERY infected. I need you to print the following instructions out.

First, follow instructions here to show all hidden files and folders: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx

Next run HijackThis and place a tick by the following entries:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\xkwqhyjqen.dll - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll
O4 - HKLM\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe (User 'HelpAssistant')
O22 - SharedTaskScheduler: gar873hruefrh87w3hjinhef87w3h7dfd - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis.

Now navigate to and delete the following files if they exist:

C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\xkwqhyjqen.dll
C:\WINDOWS\system32\notepad.dll
C:\Documents and Settings\Local Settings\ntload.dll
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\y7pvb6g.exe
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\winlogon.exe

And also this folder:

C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\

Finally, restart your PC and post a new HijackThis log. Hopefully by now the PC doesn't freeze within a short time so we can run more thorough scans and removal fixes after this.
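The entries chiaz picked out share a few patterns that can be checked mechanically: a Userinit value naming more than userinit.exe, Run values pointing into a user profile, a DLL or EXE carrying the name of a Windows program (notepad.dll, winlogon.exe in Temp), long machine-generated value names, a BHO with no display name, an O7 policy disabling regedit, and the same CLSID registered as both a BHO and a SharedTaskScheduler entry. The script below is an added example written for this page by the editor; it is not code posted in the thread, not part of HijackThis, and not how chiaz worked. It parses lines in the HijackThis log format shown above and reports which of those patterns each line matches. The sample entries are copied from the posted log (abridged, with a few benign lines left in); the heuristics, their labels and the list of system program names are the editor's assumptions and are prompts for a human reviewer, not verdicts (a per-user installer can legitimately live under a profile, for instance).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, one per line, plus a few benign ones so the filter has something to pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\xkwqhyjqen.dll - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: gar873hruefrh87w3hjinhef87w3h7dfd - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\xkwqhyjqen.dll
"""


@dataclass
class Finding:
    section: str                                   # HijackThis section tag, e.g. "O4"
    reasons: list = field(default_factory=list)    # heuristic labels that fired
    entry: str = ""                                # the log line that triggered them


# Autostarts inside a user profile (long or 8.3 form) are rare on XP and worth a
# look; per-user installers can trip this, so treat it as a prompt, not a verdict.
PROFILE_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings)\\", re.I)
# Program names Windows keeps under %SystemRoot%\system32 (editor's assumption);
# a copy elsewhere, or a DLL borrowing one of these names, is masquerading.
SYSTEM_STEMS = {"winlogon", "taskmgr", "notepad", "scandisk", "svchost", "lsass",
                "csrss", "smss", "services", "userinit", "explorer"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")
RANDOM_RE = re.compile(r"^[a-z0-9]{20,}$", re.I)    # machine-generated value names
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")


def first_path(cmd: str) -> str:
    """Best-effort extraction of the file a Run command actually launches."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        cmd = cmd[len("rundll32.exe "):].split(",", 1)[0]   # the DLL precedes ,Export
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def path_reasons(path: str) -> list:
    """Heuristics that depend only on where a file lives and what it is called."""
    reasons = []
    if PROFILE_RE.search(path):
        reasons.append("started from a user profile directory")
    directory, _, filename = path.lower().rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    if stem in SYSTEM_STEMS:
        if ext == "dll":
            reasons.append("DLL named after a Windows program")
        elif directory not in SYSTEM_DIRS:
            reasons.append("Windows program name outside its home directory")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious log line, in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    bho_clsids = {m["clsid"].upper() for m in map(O2_RE.match, lines) if m}
    findings = []
    for line in lines:
        section, reasons = line.split(" ", 1)[0], []
        if section == "F2" and "UserInit=" in line:
            # Winlogon's Userinit should name userinit.exe and nothing else; anything
            # extra is executed at every interactive logon.
            parts = [p.strip() for p in line.split("UserInit=", 1)[1].split(",")]
            extras = [p for p in parts if p and p.lower().rpartition("\\")[2] != "userinit.exe"]
            if extras:
                reasons.append("extra Userinit executable: " + ", ".join(extras))
        elif section == "O4" and (m := O4_RE.match(line)):
            if RANDOM_RE.match(m["name"]):
                reasons.append("random-looking value name")
            reasons += path_reasons(first_path(m["cmd"]))
        elif section == "O2" and (m := O2_RE.match(line)):
            if m["path"] == "(no file)":
                reasons.append("orphaned BHO entry")
            elif m["name"].lower() == m["path"].lower():
                reasons.append("BHO registered without a display name")
            reasons += path_reasons(m["path"])
        elif section == "O7" and "DisableRegedit=1" in line:
            reasons.append("registry editing disabled by policy")
        elif section == "O22" and (m := O22_RE.match(line)):
            if RANDOM_RE.match(m["name"]):
                reasons.append("random-looking SharedTaskScheduler name")
            if m["clsid"].upper() in bho_clsids:
                reasons.append("same CLSID is also registered as a BHO")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.entry}")
```

Run against the sample, every line chiaz ticked is reported and the benign igfxtray, iTunesHelper and ctfmon entries are not. The O22 cross-check is the one piece worth carrying over to other logs: a CLSID that appears both as a BHO and as a SharedTaskScheduler entry gets loaded by both Internet Explorer and Explorer, which is why deleting the DLL alone tends to fail until both registrations are gone.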
borojamie (Author) Posted December 10, 2009

Hi Chiaz, after re-booting earlier it has stopped freezing up. However the show all hidden files and folders button is still missing in Explorer; when I go to Tools it gives me 3 options: Map Network Drive, Disconnect Network Drive and Synchronize. The Folder Options button is no longer there. As it is not freezing up anymore it has allowed me to re-install McAfee and it is doing a full scan as we speak. Do you want me to run and tick the HijackThis program without showing hidden files and folders? Thanks again for your help, Jamie
chiaz Posted December 10, 2009

Now if your computer is not freezing, then we can ignore the above tedious instructions! Do this instead...

=======================

After your McAfee scan, please download Malwarebytes' Anti-Malware by clicking the link below:
Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool: A guide and tutorial on using ComboFix

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should get a prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
borojamie (Author) Posted December 10, 2009

Thanks mate. I've run MBAM and it found 74 errors, some slightly worrying, saying password spyware. It has said regedit has been disabled and will affect the quarantining process. Some couldn't be removed so it is rebooting. Throughout this McAfee warned me that malware was changing the registry files, which I allowed. Upon rebooting it said: error rundll error loading c:\documents & settings ntload.dll. I try and download ComboFix, however once it reaches 1 second it opens a box saying "cannot copy combofix[1]: access denied. Make sure disk is not full or write protected" (of which neither; disk is not full). Interestingly, at the exact same point McAfee flashes up and warns me that it has blocked the "Artemis!3b0a79fb4f95" trojan from being allowed to run. I have then run ComboFix rather than trying to save to desktop and McAfee again blocks Artemis!3b0a79fb4f95 trojan. I'm guessing I should switch off the firewall and McAfee in order to let ComboFix run?
chiaz Posted December 11, 2009

As mentioned: Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
borojamie (Author) Posted December 11, 2009

Hi Chiaz, sorry I didn't get that far down the instructions. I have now done that. Both links download ComboFix, but when I go to run it, it comes up with a corruption error. I've tried re-downloading it/running straight from the site but nothing gets past this corruption message, even though my Windows Firewall and McAfee are turned off. Jamie
chiaz Posted December 11, 2009

It's OK. Have you completed the MBAM scan yet? If yes, post the log here, as well as a fresh HijackThis log for my perusal.
borojamie (Author) Posted December 11, 2009

Malwarebytes' Anti-Malware 1.42
Database version: 3338
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/12/2009 16:37:21
mbam-log-2009-12-10 (16-37-21).txt

Scan type: Quick Scan
Objects scanned: 133510
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 11
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 48

Memory Processes Infected:
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\winlogon.exe (Spyware.Passwords) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\xkwqhyjqen.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5b24b16-23f2-41ad-f4e4-00abc39c0004} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5b24b16-23f2-41ad-f4e4-00abc39c0004} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5b24b16-23f2-41ad-f4e4-00abc39c0004} (Trojan.Agent) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5b24b16-23f2-41ad-f4e4-00abc39c0004} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjwtwaar (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjwtwaar (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xkwqhyjqen.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\winlogon.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\tdndhuv.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\95158178.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\taskmgr.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\user.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\mdm.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\3832872566.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\933374020.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\csrss.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\drweb.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\install.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\860165580.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\svchost.exe (Spyware.Passwords) -> Delete on reboot.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\lsass.exe (Spyware.Passwords) -> Delete on reboot.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\win.exe (Spyware.Passwords) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\95158178.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\taskmgr.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\user.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\mdm.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\3832872566.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\933374020.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\csrss.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\drweb.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\install.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\winlogon.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\1GTKK58I\ms306[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\D7Q2F3AS\hohhveswgc[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp
borojamie (Author) Posted December 11, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:05, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Jamie Panico\Desktop\ComboFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Acer | Product registration
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU" (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca28baf7cbe6a6) (gupdate1ca28baf7cbe6a6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 15618 bytes

That's the new HijackThis one, mate. Thanks again.
borojamie (Author) Posted December 11, 2009

Chiaz, I have re-run the malware program and the results show no problems. I've attached the log below.

Malwarebytes' Anti-Malware 1.42
Database version: 3338
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/12/2009 18:40:38
mbam-log-2009-12-11 (18-40-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 257482
Time elapsed: 32 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
borojamie (Author) Posted December 11, 2009

I have also now got access to the Folder Options button within Explorer.
chiaz Posted December 12, 2009

Please run HijackThis and place a tick by the following entries:

O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe (User 'HelpAssistant')

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis.

Now navigate to and delete the following files if they exist:

C:\Documents and Settings\Jamie Panico\Local Settings\Temp\winlogon.exe
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\y7pvb6g.exe
C:\Documents and Settings\Jamie Panico\Local Settings\Temp\ntload.dll

And also this folder:

C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\

Then restart your PC. Post a fresh HijackThis log in your reply.
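As an added example (not a tool from this thread, and not part of HijackThis or Malwarebytes), the Python below applies the kind of reasoning used to pick out those four O4 entries: it parses HijackThis O4 lines and flags an autorun whose binary runs from a Temp or Application Data folder, borrows a system binary name outside the Windows folder, or loads a DLL through rundll32 from a user profile. The sample lines are copied from the log posted above; the function names and heuristics are mine.

```python
"""Triage of HijackThis O4 (autorun) entries, written for this thread.

Added example, not part of HijackThis or Malwarebytes. The heuristics are
this author's and mirror how the four entries above were picked out.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: O4 lines copied from the HijackThis log posted above,
# mixing the four entries chiaz listed with ordinary, benign autoruns.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [fjwtwaar] C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\sqegic\uxolsysguard.exe (User 'HelpAssistant')",
    r"O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'HelpAssistant')",
    r"O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\y7pvb6g.exe (User 'HelpAssistant')",
    r"O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\winlogon.exe (User 'HelpAssistant')",
]

# O4 - <hive>\..\Run: [<value name>] <command> [(User '<profile>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>.+?)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Run values are not reliably quoted, so cut the program off at the first
# executable-looking extension rather than at the first space.
EXE_RE = re.compile(
    r'^"?(?P<prog>.+?\.(?:exe|dll|cpl|com|bat|scr))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
# Names that belong in \WINDOWS or \WINDOWS\system32; the same names under a
# profile's Temp folder are what MBAM flagged as Spyware.Passwords above.
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "services.exe", "taskmgr.exe", "explorer.exe",
}


@dataclass
class Finding:
    name: str            # the Run value name, e.g. fjwtwaar
    target: str          # the file that actually executes
    user: Optional[str]  # profile HijackThis attributed the entry to
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (program, arguments); no extension means no split."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m["prog"], (m["args"] or "").strip()


def loaded_target(cmd: str) -> str:
    """The file that really runs: for rundll32 that is the DLL argument."""
    prog, args = split_command(cmd)
    if basename(prog) == "rundll32.exe" and args:
        return args.split(",", 1)[0].strip().strip('"')
    return prog


def in_user_profile(path: str) -> bool:
    p = path.lower()
    return "\\documents and settings\\" in p or "\\docume~1\\" in p


def in_temp_or_appdata(path: str) -> bool:
    p = path.lower()
    return any(s in p for s in ("\\temp\\", "\\application data\\", "\\applic~1\\"))


def triage_o4(lines: List[str]) -> List[Finding]:
    """Return a Finding for every O4 entry that trips at least one heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        prog, _ = split_command(m["cmd"])
        target = loaded_target(m["cmd"])
        reasons = []
        if in_temp_or_appdata(target):
            reasons.append("runs from a Temp or Application Data folder")
        if basename(target) in SYSTEM_BINARY_NAMES and "\\windows\\" not in target.lower():
            reasons.append("system binary name outside the Windows folder")
        if basename(prog) == "rundll32.exe" and in_user_profile(target):
            reasons.append("rundll32 loads a DLL from a user profile")
        if reasons:
            findings.append(Finding(m["name"], target, m["user"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.name}] (User '{f.user}') -> {f.target}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against the sample, exactly the four entries chiaz ticked are reported and every benign line, including the two legitimate rundll32 autoruns, passes clean.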
borojamie (Author) Posted December 12, 2009

Thanks Chiaz, none of the temp files existed; however, the folder sqegic has been deleted. Not sure if it's connected, but all of my MS Office documents have lost their icons and appear as unopenable files; however, all open immediately in their respective programmes. The new HijackThis log is below.
borojamie (Author) Posted December 12, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46:35, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Checkit\softinfo.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Acer | Product registration
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [software Informer] "C:\Program Files\Checkit\softinfo.exe" -autorun
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_S1BE4.tmp" /EF "HKCU" (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'HelpAssistant')
O4 - HKUS\S-1-5-21-758658292-1448399802-4154073810-1004\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S (User 'HelpAssistant')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Update Service (gupdate1ca28baf7cbe6a6) (gupdate1ca28baf7cbe6a6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe -- End of file - 15137 bytes Quote
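Reading a HijackThis log of this length by eye is where things get missed, so here is an added example of the first-pass checks an analyst runs over it before asking for a file to be uploaded. This is my own Python script, not HijackThis tooling and not code from anyone in the thread. The sample lines are copied from the log above (plus the path Panda reports as a suspect later in the thread) so it runs offline; the heuristics (executable launched from a Temp directory, executable sitting in the drive root, an O2 BHO whose DLL is gone, an O10 LSP HijackThis does not recognise, an O4 autorun with no full path) are my assumptions about what deserves a second look, not verdicts on any of these entries.

```python
"""First-pass triage of a HijackThis (HJT) log.

Added example: my own heuristics, not part of HijackThis or of this thread.
A hit means "verify this", never "this is malware".
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the log above, plus a
# couple of clean control lines. A real log has a few hundred entries.
SAMPLE_LOG = r"""
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# "O4 - ..." style entries; anything else is treated as a running-process line.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a binary extension, quoted or not,
# terminated by a quote, whitespace, comma, slash or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys))(?=["\s,/]|$)', re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")          # covers LOCALS~1\Temp and Local Settings\Temp
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$")


def extract_path(text: str) -> Optional[str]:
    """Return the first binary path in an entry, or None for bare names."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def path_findings(path: str) -> List[str]:
    """Heuristics on a path alone, so they also apply to a loose path such as
    the file a scanner reports as a suspect."""
    p = path.lower()
    out: List[str] = []
    if any(t in p for t in TEMP_MARKERS):
        out.append("executable launched from a temp directory")
    if DRIVE_ROOT_EXE.match(p):
        out.append("executable sitting directly in the drive root")
    return out


def triage_line(line: str) -> List[str]:
    """Reasons to look twice at one HJT line; empty list means nothing noted."""
    line = line.strip()
    if not line:
        return []
    m = ENTRY_RE.match(line)
    sec = m.group("sec") if m else "PROC"      # bare path => running-process list
    body = m.group("body") if m else line
    findings: List[str] = []
    if sec == "O2" and body.endswith("(no file)"):
        findings.append("BHO registered but its DLL is gone (orphan entry; harmless, worth cleaning)")
    if sec == "O10":
        findings.append("Winsock LSP HijackThis does not recognise; verify the DLL's publisher")
    path = extract_path(body)
    if path:
        findings.extend(path_findings(path))
    elif sec == "O4":
        # Target written as a bare file name is resolved via the PATH search
        # order, so confirm which copy actually runs.
        findings.append("autorun target has no full path")
    return findings


def triage_log(log: str) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    result: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        reasons = triage_line(raw)
        if reasons:
            result[raw.strip()] = reasons
    return result


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
    # The path Panda later reports as a suspect, run through the same checks.
    print(r"c:\eauxx.exe", "->", path_findings(r"c:\eauxx.exe"))
```

On the sample it flags RtkBtMnt.exe (running from the user's Temp folder), the orphaned O2 BHO, the bare RTHDCPL.EXE autorun and the O10 LSP entry, and leaves the McAfee, svchost and Messenger lines alone. A flag is a lead for the next step in the thread (hash the file and submit it to a multi-engine scanner), not a removal decision.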
chiaz Posted December 13, 2009

OK... let's have you go HERE to run Panda ActiveScan 2.0.
Click the big green "Scan now" button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
Once the scan is completed, please hit the notepad icon next to the text "Export to:".
Save it to a convenient location such as your Desktop.
Post the contents of the ActiveScan.txt in your next reply.
borojamie (Author) Posted December 13, 2009

Hi Chiaz, hope you're having a good weekend. Thanks again for your help.

ANALYSIS: 2009-12-13 16:01:08
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 1

PROTECTIONS
Description         Version   Active   Updated
McAfee VirusScan              Yes      Yes

MALWARE
Id        Description         Type            Active   Severity   Disinfectable   Disinfected   Location
00139061  Cookie/Doubleclick  TrackingCookie  No       0          Yes             No            c:\documents and settings\jamie panico\cookies\jamie_panico@doubleclick[2].txt
00139064  Cookie/Atlas DMT    TrackingCookie  No       0          Yes             No            c:\documents and settings\jamie panico\cookies\jamie_panico@atdmt[2].txt
00139064  Cookie/Atlas DMT    TrackingCookie  No       0          Yes             No            c:\documents and settings\helpassistant\cookies\jamie_panico@atdmt[2].txt
00145738  Cookie/Mediaplex    TrackingCookie  No       0          Yes             No            c:\documents and settings\jamie panico\cookies\jamie_panico@mediaplex[2].txt
00168061  Cookie/Apmebf       TrackingCookie  No       0          Yes             No            c:\documents and settings\jamie panico\cookies\jamie_panico@apmebf[1].txt

SUSPECTS
Sent   Location
No     c:\eauxx.exe

VULNERABILITIES
Id       Severity   Description
203505   HIGH       MS08-071
chiaz Posted December 14, 2009

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

c:\eauxx.exe

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see later in your next reply.

If Jotti is busy, please go to http://www.virustotal.com.