Here Is My Log Please Help Me

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Here Is My Log Please Help Me, Have a virus i cant get off

Options

kgfire View Member Profile	Dec 6 2007, 03:20 AM Post #1
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:06:39 AM, on 12/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [3af6c01d] rundll32.exe "C:\WINDOWS\system32\lbcxpngk.dll",b O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator.RXENTRY02\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://companyweb O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://help.live.com/ContactUs/ActiveX/MSDcode.cab O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://netserver/ConnectComputer/nshelp.dll O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://192.168.64.251/cab/DownloadFile.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://autoins2.progressivedirect.com/ptt/cv/CVALAX.CAB O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://192.168.64.251/cab/Live.cab O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictures.com/games/zuma/popcaploader_v6.cab O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://64.140.14.165/cab/RPB.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326 O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll O21 - SSODL: E404Helper - {9d1942de-8429-4eb1-a76c-e54a4cd7aa0c} - e404d.dll (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\fsodydarti.html -- End of file - 8088 bytes

RichieUK View Member Profile	Dec 7 2007, 06:21 AM Post #2
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975	Welcome to the BleepingComputer HijackThis Logs and Analysis forum kgfire My name is *Richie* and i'll be helping you to fix your problems. You’re running msconfig in Auto mode which means that you may have selectively unchecked some items in the past from starting up with Windows. This can be bad if they’re malware, so please re-enable those startup entries by doing the following: Click on Start>Run,type msconfig and then press Enter. When the ‘System Configuration Utility’ opens click on the ‘Startup’ tab,make sure all the boxes are checkmarked. Then press Apply/Ok to exit the utility. If it asks you to restart your pc,please don’t,it‘s not necessary at this point. Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java,and then update. 1. Download the latest version of Java Runtime Environment (JRE) 2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'. 3. Click the "Download" button to the right. 4. Check the box that says: "Accept License Agreement". 5. The page will refresh. 6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop. 7. Close any programs you may have running - especially your web browser. 8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. 9. Check any item with Java Runtime Environment (JRE or J2SE) in the name. 10. Click the Change/Remove button. 11. Repeat as many times as necessary to remove each Java version. 12. Reboot your computer once all Java components are removed. 13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version. If you have previously downloaded ComboFix,please delete that version now. Warning You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert,not for private use. Using this tool incorrectly could lead to your system becoming unusable. Now download Combofix and save to your desktop: Note It is important that it is saved directly to your desktop Close any open browsers. Disconnect from the Internet. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply. Note Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask. Note In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them. Now go to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please. -------------------- If I have helped you in any way, please consider a donation: *Proud Member of ASAP (Alliance of Security Analysis Professionals).* *Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).*

kgfire View Member Profile	Dec 7 2007, 02:45 PM Post #3
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	ComboFix 07-12-07.5 - wayne 2007-12-07 13:05:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT -6:00] Running from: C:\Documents and Settings\Administrator.RXENTRY02\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\autorun.inf C:\Program Files\Common Files\ecurit~1 C:\Program Files\Common Files\ecurit~1\?ecurity\ C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe C:\Program Files\FunWebProducts C:\Program Files\FunWebProducts\PopSwatr\History\allowed C:\Program Files\FunWebProducts\PopSwatr\History\notallow C:\Program Files\FunWebProducts\ScreenSaver\Images\2AD170E8.urr C:\Program Files\MyWebSearch C:\Program Files\MyWebSearch\bar\History\search2 C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat C:\Program Files\MyWebSearch\bar\Settings\setting2.htm C:\Program Files\MyWebSearch\bar\Settings\settings.dat C:\Program Files\Rqaljyvv C:\Program Files\Rqaljyvv\zukrvtec.dll C:\Program Files\SecCenter C:\Program Files\SecCenter\scprot4.exe.bak C:\Program Files\smss.exe C:\Program Files\vision C:\Program Files\vision\admupdat.exe C:\Program Files\vision\ANSITERM.exe C:\Program Files\vision\hostexp.exe C:\Program Files\vision\HostWiz.exe C:\Program Files\vision\Keymap.exe C:\Program Files\vision\MSGPAD.exe C:\Program Files\vision\ProxyWiz.exe C:\Program Files\vision\rps.exe C:\Program Files\vision\system\101.KLT C:\Program Files\vision\system\102.KLT C:\Program Files\vision\system\ANSI.DFT C:\Program Files\vision\system\ANSI.KDB C:\Program Files\vision\system\ANSIX.dll C:\Program Files\vision\system\English\Ats.hlp C:\Program Files\vision\system\English\Cnaccess.hlp C:\Program Files\vision\system\English\Cnterm.hlp C:\Program Files\vision\system\English\Cnvca.hlp C:\Program Files\vision\system\English\Cnvisn.hlp C:\Program Files\vision\system\English\Common.hlp C:\Program Files\vision\system\English\Conmon.hlp C:\Program Files\vision\system\English\Hostexp.hlp C:\Program Files\vision\system\English\Keymap.hlp C:\Program Files\vision\system\English\Licts.hlp C:\Program Files\vision\system\English\Msgpad.hlp C:\Program Files\vision\system\English\Netcheck.hlp C:\Program Files\vision\system\English\Rps.hlp C:\Program Files\vision\system\English\Term.hlp C:\Program Files\vision\system\English\Userview.hlp C:\Program Files\vision\system\English\Vcats.hlp C:\Program Files\vision\system\English\Vision.hlp C:\Program Files\vision\system\English\Visionts.hlp C:\Program Files\vision\system\English\Vwc32.hlp C:\Program Files\vision\system\HOSTFCTL.dll C:\Program Files\vision\system\LK250.KLT C:\Program Files\vision\system\PRTCTL.dll C:\Program Files\vision\system\PrtLocal.vcf C:\Program Files\vision\system\rifx.exe C:\Program Files\vision\system\rifxx.dll C:\Program Files\vision\system\Rpsx.dll C:\Program Files\vision\system\sni-tate.klt C:\Program Files\vision\system\UPDTCTL.dll C:\Program Files\vision\system\Vt420.dft C:\Program Files\vision\system\Vt420.kdb C:\Program Files\vision\system\VT420X.dll C:\Program Files\vision\system\VTICONX.dll C:\Program Files\vision\system\vwaansi.dll C:\Program Files\vision\system\vwarps.dll C:\Program Files\vision\system\vwavt420.dll C:\Program Files\vision\system\vwawys60.dll C:\Program Files\vision\system\W60X.dll C:\Program Files\vision\system\Wyse60.dft C:\Program Files\vision\system\Wyse60.kdb C:\Program Files\vision\unixwizd.exe C:\Program Files\vision\userview.exe C:\Program Files\vision\V420TERM.exe C:\Program Files\vision\wy60term.exe C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\Temp\abW9 C:\Temp\abW9\tPho.log C:\temp\tn3 C:\WINDOWS\cookies.ini C:\WINDOWS\Downloaded Program Files\ODCTOOLS C:\WINDOWS\Free Online Dating.ico C:\WINDOWS\IA C:\WINDOWS\system32\c1 C:\WINDOWS\system32\d1 C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\core.sys C:\WINDOWS\system32\drivers\fad.sys C:\WINDOWS\system32\j2 C:\WINDOWS\system32\ldinfo.ldr C:\WINDOWS\system32\m8 C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\rMa02yy C:\WINDOWS\system32\v97 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_CORE -------\LEGACY_DOMAINSERVICE -------\core -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 ))))))))))))))))))))))))))))))) . 2007-12-07 12:49 . 2007-12-07 12:49 <DIR> d-------- C:\Program Files\Sun 2007-12-07 12:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-12-07 12:37 . 2007-12-07 12:38 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\.SunDownloadManager 2007-12-06 12:42 . 2007-12-07 12:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2007-12-06 12:42 . 2007-12-06 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-12-06 12:42 . 2007-12-06 12:42 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\SUPERAntiSpyware.com 2007-12-06 12:14 . 2007-12-06 12:14 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe 2007-12-06 11:55 . 2007-12-06 12:19 <DIR> d-------- C:\VundoFix Backups 2007-12-06 11:40 . 2007-12-06 11:40 <DIR> d-------- C:\Program Files\SonicWallES 2007-12-06 01:42 . 2007-12-07 12:14 1,276 --a------ C:\rollback.ini 2007-12-05 22:06 . 2007-12-06 11:40 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\MailFrontier 2007-12-05 22:00 . 2007-12-07 13:17 2,863,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-05 22:00 . 2007-12-07 13:17 39,140 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-05 21:53 . 2007-12-06 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier 2007-12-05 21:53 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe 2007-12-05 21:53 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll 2007-12-05 21:53 . 2007-12-06 23:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-12-05 21:51 . 2007-12-07 13:15 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-12-05 21:47 . 2007-12-05 21:47 143 --a------ C:\WINDOWS\system32\mcrh.tmp 2007-12-05 10:42 . 2007-12-06 01:41 807,606 --ahs---- C:\WINDOWS\system32\kgnpxcbl.ini 2007-12-01 13:11 . 2007-12-01 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6 2007-12-01 13:11 . 2007-12-01 13:12 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\MSN6 2007-12-01 12:44 . 2007-12-01 12:44 <DIR> d-------- C:\Program Files\Microsoft Easy Assist 2007-12-01 11:20 . 2007-12-01 11:21 <DIR> d-------- C:\OneCareSupportData 2007-12-01 10:56 . 2007-12-01 11:00 <DIR> d-------- C:\Program Files\RegCure 2007-11-28 08:29 . 2007-12-01 11:22 1,459,356 --a------ C:\OneCareSupportData.zip 2007-11-27 19:47 . 2007-09-21 10:35 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys 2007-11-27 19:47 . 2007-09-21 10:35 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys 2007-11-27 19:46 . 2007-07-06 16:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys 2007-11-27 19:44 . 2007-03-29 06:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll 2007-11-27 19:44 . 2007-03-29 06:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll 2007-11-27 19:44 . 2007-03-29 06:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll 2007-11-27 19:44 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll 2007-11-27 19:44 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll 2007-11-27 19:44 . 2007-03-29 06:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll 2007-11-27 18:59 . 2007-11-27 18:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2007-11-27 16:23 . 2007-12-07 13:00 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live 2007-11-27 15:42 . 2007-12-06 11:40 <DIR> d-------- C:\WINDOWS\system32\tpcwdoia 2007-11-27 15:42 . 2007-11-27 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio 2007-11-27 15:42 . 2007-11-27 15:42 131 --a------ C:\Documents and Settings\Administrator.RXENTRY02\mit.bat 2007-11-27 15:41 . 2007-12-06 11:40 <DIR> d-------- C:\Program Files\kfqrsped 2007-11-27 15:41 . 2007-11-27 15:42 1,149,472 --a------ C:\Install 2007-11-26 10:15 . 2007-03-07 17:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll 2007-11-15 11:50 . 2007-11-15 11:50 <DIR> d-------- C:\Program Files\Ventrilo 2007-11-15 11:50 . 2007-12-06 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-11-13 13:33 . 2007-11-13 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion 2007-11-13 13:32 . 2007-11-13 13:32 <DIR> d-------- C:\Program Files\DivX 2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\MySlideShow Plug-ins 2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\MySlideShow Gold 2 2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\Common Files\Anix Shared 2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\Anix Software . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-07 18:51 --------- d-----w C:\Program Files\Java 2007-12-06 17:50 --------- d-----w C:\Program Files\QuickTime 2007-12-06 17:40 --------- d-----w C:\Program Files\Virtools Web Player 3.5 2007-12-06 08:05 --------- d-----w C:\Program Files\Trend Micro 2007-12-06 02:16 --------- d-----w C:\Program Files\Compaq 2007-12-01 21:59 --------- d-----w C:\Program Files\Yahoo SiteBuilder 2007-12-01 21:58 524,288 ----a-w C:\Documents and Settings\__sbs_netsetup__\ntuser.dat 2007-12-01 21:58 --------- d-----w C:\Program Files\MySpace 2007-11-28 02:09 --------- d-----w C:\Program Files\Lavasoft 2007-11-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-27 16:00 --------- d-----w C:\Program Files\Google 2007-11-27 15:59 --------- d-----w C:\Program Files\Yahoo! Games 2007-11-27 15:59 --------- d-----w C:\Program Files\Common Files\AOL 2007-11-27 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2007-11-27 15:55 --------- d---a-w C:\Program Files\Lycos 2007-11-26 16:16 --------- d-----w C:\Program Files\Winamp 2007-11-19 14:11 --------- d-----w C:\Program Files\UI Central 2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll 2007-11-13 19:33 --------- d--h--r C:\Documents and Settings\Administrator.RXENTRY02\Application Data\yahoo! 2007-11-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll 2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-09-24 23:28 202,240 ----a-w C:\WINDOWS\system32\Dr Pepper Go For More 23.scr 2004-06-22 13:04 94,438 ------w C:\Program Files\hposcu08.inf 2004-06-22 13:04 9,777 ------w C:\Program Files\hpzipr13.inf 2004-06-22 13:04 9,773 ------w C:\Program Files\hpousc08.inf 2004-06-22 13:04 70,656 ------w C:\Program Files\msvcirt.dll 2004-06-22 13:04 7,579 ------w C:\Program Files\hpound08.inf 2004-06-22 13:04 66,431 ------w C:\Program Files\hpoprl04.dat 2004-06-22 13:04 65,420 ------w C:\Program Files\hpoprl05.dat 2004-06-22 13:04 65 ------w C:\Program Files\dxprl.dat 2004-06-22 13:04 6,704 ------w C:\Program Files\hpounp08.inf 2004-06-22 13:04 53,670 ------w C:\Program Files\hposcu08.cat 2004-06-22 13:04 52,349 ------w C:\Program Files\hpzius13.cat 2004-06-22 13:04 52,349 ------w C:\Program Files\HPZius12.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\hpzist13.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\hpzist12.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\hpzipr13.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\HPZipr12.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\hpzid413.cat 2004-06-22 13:04 51,467 ------w C:\Program Files\HPZid412.cat 2004-06-22 13:04 51,026 ------w C:\Program Files\HPOunp08.cat 2004-06-22 13:04 50,615 ------w C:\Program Files\hpzid412.inf 2004-06-22 13:04 5,538 ------w C:\Program Files\hpzist12.inf 2004-06-22 13:04 49,212 ------w C:\Program Files\hpzjvp01.dll 2004-06-22 13:04 458,752 ------w C:\Program Files\tls704d.dll 2004-06-22 13:04 447,400 ------w C:\Program Files\hpoprn08.cat 2004-06-22 13:04 442,425 ------w C:\Program Files\hpzjpp01.dll 2004-06-22 13:04 4,779 ------w C:\Program Files\hpoglu08.inf 2004-06-22 13:04 4,768 ------w C:\Program Files\hpoprl01.dat 2004-06-22 13:04 4,144 ------w C:\Program Files\hpousb08.inf 2004-06-22 13:04 4,132 ------w C:\Program Files\hpzist13.inf 2004-06-22 13:04 4,014 ------w C:\Program Files\hpoprl08.dat 2004-06-22 13:04 399 ------w C:\Program Files\hpzprl01.dat 2004-06-22 13:04 314 ------w C:\Program Files\hpqprl01.dat 2004-06-22 13:04 3,448 ------w C:\Program Files\hpohub08.inf 2004-06-22 13:04 297 ------w C:\Program Files\Readme.html 2004-06-22 13:04 290,873 ------w C:\Program Files\hpzjut01.dll 2004-06-22 13:04 28,722 ------w C:\Program Files\hpzjlog.dll 2004-06-22 13:04 270,336 ------w C:\Program Files\hpzglu10.exe 2004-06-22 13:04 270,336 ------w C:\Program Files\hpzc3212.dll 2004-06-22 13:04 26,768 ------w C:\Program Files\usbhub.sys 2004-06-22 13:04 254,005 ------w C:\Program Files\msvcrt.dll 2004-06-22 13:04 22,636 ------w C:\Program Files\hpzid413.inf 2004-06-22 13:04 22,608 ------w C:\Program Files\usbprint.sys 2004-06-22 13:04 205 ------w C:\Program Files\hpzprl02.dat 2004-06-22 13:04 200,704 ------w C:\Program Files\hpzpnp10.dll 2004-06-22 13:04 20,168 ------w C:\Program Files\hpzius12.inf 2004-06-22 13:04 2,542 ------w C:\Program Files\hpoprl02.dat 2004-06-22 13:04 19,578 ------w C:\Program Files\hpoprl03.dat 2004-06-22 13:04 176,128 ------w C:\Program Files\hpzscr10.dll 2004-06-22 13:04 17,176 ------w C:\Program Files\hpomdl04.dat 2004-06-22 13:04 16,416 ------w C:\Program Files\HPZUCI12.DLL 2004-06-22 13:04 14,845 ------w C:\Program Files\hpoapd01.dat 2004-06-22 13:04 14,815 ------w C:\Program Files\hpzius13.inf 2004-06-22 13:04 137,124 ------w C:\Program Files\hpoprn08.inf 2004-06-22 13:04 12,922 ------w C:\Program Files\hpzipr12.inf 2004-06-22 13:04 12,288 ------w C:\Program Files\usbmon.dll 2004-06-22 13:04 1,980 ------w C:\Program Files\hpoprl07.dat 2004-06-22 13:04 1,479 ------w C:\Program Files\license.txt 2004-06-22 13:04 1,391 ------w C:\Program Files\readme.txt 2004-06-22 13:04 1,073,152 ------w C:\Program Files\Setup.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [] "MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24] "Aim6"="C:\Program Files\AIM6\aim6.exe" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-04 19:00] "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56] "srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34] "SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [] "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 10:57] "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 12:01] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [] "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-11-19 09:38] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [] "My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32] "HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18] "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 06:34] "CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26] HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38] HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04] Vision Services.lnk - C:\Program Files\Common Files\Vision\vservice.exe [2004-06-10 09:03:46] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "tmlisten"=2 (0x2) "ntrtscan"=2 (0x2) "WinDefend"=2 (0x2) "usnjsvc"=3 (0x3) "SoundMAX Agent Service (default)"=2 (0x2) "ose"=3 (0x3) "odserv"=3 (0x3) "MDM"=2 (0x2) "iPodService"=3 (0x3) "IDriverT"=3 (0x3) "DomainService"=2 (0x2) "Belkin Wireless USB Network Adapter Service"=2 (0x2) "wuauserv"=2 (0x2) R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe" R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe" R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys S4 Belkin Wireless USB Network Adapter Service;Belkin Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a9ddc6f-dc16-11db-a95a-001150bec44a}] \Shell\AutoRun\command - E:\setupSNK.exe . Contents of the 'Scheduled Tasks' folder "2007-11-24 06:11:37 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job" - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe "2007-12-07 19:18:25 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe "2007-12-06 09:00:12 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-07 13:23:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-12-07 13:30:46 - machine was rebooted . --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:42:28 PM, on 12/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5800 bytes

RichieUK View Member Profile	Dec 7 2007, 03:36 PM Post #4
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975	Disable Windows Defender's real-time protection,as it may interfere. * Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender. * Click on 'Tools'>'Options'. * Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box * Click 'Save'. Click Start/Control Panel/Add or Remove Programs and remove MyWebSearch,then restart your pc. You have SpywareBot installed on your pc,it's a rogue Antispyware program because it uses the name Search & Destroy on its pages which can trick novice uses into thinking they are downloading the genuine Spybot Search & Destroy. If this is free then i suggest you uninstall/remove it via Start/Control Panel/Add or Remove Programs,then restart your pc. If you have payed for this remover then its really up to you to decide if you trust the company that makes it,i most certainly would not. SpywareBot is listed on the Rogue/Suspect Anti-Spyware Products list here: http://spywarewarrior.com/rogue_anti-spyware.htm Copy and paste the following text in the Quote box below into Notepad. Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop. Then double click on the fix.bat file on your desktop You'll see a black screen flash,thats normal. QUOTE @echo off sc stop DomainService sc delete DomainService Restart your pc. Please download OTMoveIt by OldTimer,save it to your desktop: http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'): C:\WINDOWS\system32\VundoFixSVC.exe C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\kgnpxcbl.ini C:\Documents and Settings\Administrator.RXENTRY02\mit.bat C:\VundoFix Backups C:\WINDOWS\system32\tpcwdoia C:\Program Files\kfqrsped Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply. Close OTMoveIt. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Please download/install Avira AntiVir Personal Edition Classic[Free]: http://www.free-av.com/ Perform a full scan with Avira and allow it to delete everything it detects. Restart your pc when you've done. After restart,open Avira Antivirus and select "Reports". Then double click the report from the full scan you have just completed. Click the "Report File" button,then copy and paste the report into your next reply along with a new HijackThislog. This post has been edited by RichieUK: Dec 7 2007, 03:37 PM -------------------- If I have helped you in any way, please consider a donation: *Proud Member of ASAP (Alliance of Security Analysis Professionals).* *Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).*

kgfire View Member Profile	Dec 8 2007, 09:43 AM Post #5
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	AntiVir PersonalEdition Classic Report file date: Friday, December 07, 2007 23:48 Scanning for 1036370 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Username: SYSTEM Computer name: GIPSONFAMILY Version information: BUILD.DAT : 269 15604 Bytes 9/10/2007 14:31:00 AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 20:16:29 AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 19:23:51 LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 22:32:47 LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 19:35:20 ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 19:32:40 ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 19:32:46 ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 8/25/2007 00:21:02 ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 8/28/2007 14:22:36 AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 8/30/2007 00:09:10 AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 17:36:26 AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 14:39:17 AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:16:24 AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 15:46:00 AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 14:17:06 AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 19:26:33 AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 14:10:18 NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 18:09:42 RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 19:38:13 RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 19:50:37 SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 16:37:21 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: off Scan boot sector.................: on Boot sectors.....................: C:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: off Scan all files...................: Intelligent file selection Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Macro heuristic..................: on File heuristic...................: medium Start of the scan: Friday, December 07, 2007 23:48 The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned Scan process 'iexplore.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'wscntfy.exe' - '1' Module(s) have been scanned Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned Scan process 'Hotsync.exe' - '1' Module(s) have been scanned Scan process 'msmsgs.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'apdproxy.exe' - '1' Module(s) have been scanned Scan process 'DrvLsnr.exe' - '1' Module(s) have been scanned Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned Scan process 'hkcmd.exe' - '1' Module(s) have been scanned Scan process 'igfxpers.exe' - '1' Module(s) have been scanned Scan process 'igfxtray.exe' - '1' Module(s) have been scanned Scan process 'SMTray.exe' - '1' Module(s) have been scanned Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned Scan process 'realsched.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'msfwsvc.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 41 processes with 41 modules were scanned Start scanning boot sectors: Boot sector 'C:\' [NOTE] No virus was found! Starting to scan the registry. The registry was scanned ( '49' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! C:\Program Files\Trend Micro\HijackThis\backups\backup-20071206-025420-161.dll [DETECTION] Contains suspicious code HEUR/Malware [INFO] The file was moved to '47bd8344.qua'! C:\qoobox\Quarantine\catchme2007-12-07_132042.82.zip [0] Archive type: ZIP --> core.sys [DETECTION] Is the Trojan horse TR/Rootkit.Gen [INFO] The file was moved to '47ce88d7.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP850\A0077431.exe [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen [INFO] The file was moved to '478a893c.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP868\A0080740.exe [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen [INFO] The file was moved to '478a8f6c.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP868\A0080741.exe [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen [INFO] The file was moved to '478a8f6f.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP876\A0083199.dll [DETECTION] Contains suspicious code HEUR/Malware [INFO] The file was moved to '478a8fa7.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP883\A0086628.inf [DETECTION] Is the Trojan horse TR/Dldr.IstBar.FA [INFO] The file was moved to '478a8fd8.qua'! C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP883\A0086629.dll [DETECTION] Contains suspicious code HEUR/Malware [INFO] The file was moved to '46f4dff9.qua'! End of the scan: Saturday, December 08, 2007 07:17 Used time: 7:29:14 min The scan has been done completely. 9214 Scanning directories 646067 Files were scanned 5 viruses and/or unwanted programs were found 3 Files were classified as suspicious: 0 files were deleted 0 files were repaired 8 files were moved to quarantine 0 files were renamed 1 Files cannot be scanned 646062 Files not concerned 7620 Archives were scanned 1 Warnings 11 Notes Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:40:49 AM, on 12/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 6110 bytes

RichieUK View Member Profile	Dec 8 2007, 10:37 AM Post #6
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975	jre1.5.0_03 is still running in processes,you did'nt uninstall it when updating to the latest version of Sun Java,please remove/uninstall it now via Add/Remove Programs. Have Hijack This fix the following if still present,by placing a check in the appropriate boxes and selecting 'Fix checked'. Make sure all browser and all Windows Explorer windows are closed before fixing: O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0 Exit Hijackthis. Restart your pc. Post a new Hijackthis log. Let me know how your pc is running now. -------------------- If I have helped you in any way, please consider a donation: *Proud Member of ASAP (Alliance of Security Analysis Professionals).* *Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).*

kgfire View Member Profile	Dec 8 2007, 12:44 PM Post #7
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	Malware Assassin Group: HJT Team Posts: 10,390 Joined: 13-July 06 Member No.: 75,975 jre1.5.0_03 could this be listed as something else it is not on my add and remove files

kgfire View Member Profile	Dec 8 2007, 12:50 PM Post #8
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:48:48 AM, on 12/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5553 bytes you are awsome my computer is running 100% betetr no popups and i got my background back

RichieUK View Member Profile	Dec 8 2007, 01:05 PM Post #9
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975	Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok. Please double-click OTMoveIt.exe to run it. Click on the 'Cleanup' button When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. When the 'Confirm' box appears click 'Yes'. Restart your pc when prompted. Click on Start/All Programs/Accessories/System Tools/System Restore. In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'. In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'. The date and time will be created automatically. Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup. The 'Select Drive' box will appear,click on Ok. The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab. At the bottom in the 'System Restore' window,click on the 'Clean up...' button. A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'. Click on 'Yes' at 'Are you sure you want to perform these actions?'. Now wait until 'Disk Cleanup' finishes and the box disappears. Download ATF Cleaner by Atribune: http://www.atribune.org/ccount/click.php?id=1 Do not run it just yet. Download\install 'SuperAntiSpyware Home Edition Free Version' from here: http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE Launch SuperAntiSpyware and click on 'Check for updates'. Once the updates have been installed,exit SuperAntiSpyware. Do not run it just yet. You might want to print/copy the following as you need to be in Safe Mode from here on. Reboot your computer into SAFE MODE using the F8 method. To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode". Now double-click ATF-Cleaner.exe to run the program. Click 'Select All' found at the bottom of the list. Click the 'Empty Selected' button. If you use Firefox browser, do this also: Click Firefox at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords,please click 'No' at the prompt. If you use Opera browser,do this also: Click Opera at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords,please click 'No' at the prompt. Click 'Exit' on the Main menu to close the program. Now Start SuperAntiSpyware. On the main screen click on 'Scan your computer'. Check: 'Perform Complete Scan'. Click 'Next' to start the scan. Superantispyware will now scan your computer,when it's finished it will list all/any infections found. Make sure everything found has a checkmark next to it,then press 'Next'. Click on 'Finish' when you've done. It's possible that the program will ask you to reboot in order to delete some files. Obtain the SuperAntiSpyware log as follows: Click on 'Preferences'. Click on the 'Statistics/Logs' tab. Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'. It will then open in your default text editor,such as Notepad. Copy and paste the contents of that report into your next reply. Also post a new Hijackthis log,let me know how your pc is running now. -------------------- If I have helped you in any way, please consider a donation: *Proud Member of ASAP (Alliance of Security Analysis Professionals).* *Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).*

kgfire View Member Profile	Dec 8 2007, 03:00 PM Post #10
New Member Group: Members Posts: 9 Joined: 6-December 07 Member No.: 174,794	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:57:11 PM, on 12/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- End of file - 5149 bytes SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 12/08/2007 at 01:42 PM Application Version : 3.9.1008 Core Rules Database Version : 3357 Trace Rules Database Version: 1356 Scan type : Complete Scan Total Scan Time : 01:00:41 Memory items scanned : 174 Memory threats detected : 0 Registry items scanned : 6439 Registry threats detected : 0 File items scanned : 39862 File threats detected : 0 computer is running great a little slow on start up seems to be alot running on start up. Thank for all you have done your great

RichieUK View Member Profile	Dec 8 2007, 07:45 PM Post #11
Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975	QUOTE computer is running great a little slow on start up seems to be alot running on start up. Its not a good idea to have more than one antivirus program installed on your computer. Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities. It could also lead to system slowdowns and other problems within the operating system,due to the two conflicting with each other. I suggest you remove/uninstall Microsoft Windows OneCare Live via Start/Control Panel/Add or Remove Programs,then restart your pc. Keep AntiVir PersonalEdition Classic installed,its a better product than Microsoft Windows OneCare Live Antivirus. You should now see a diffence at system startup. I suggest you now install a third party firewall from below: Sygate Personal Firewall Free Edition: http://www.filehippo.com/download_sygate_personal_firewall/ Zone Alarm Free: http://download.zonelabs.com/bin/free/1001..._737_000_en.exe Comodo Personal Firewall: http://www.personalfirewall.comodo.com/ Outpost Firewall Free: http://www.agnitum.com/products/outpostfree/index.php You should take the time to read the following: Understanding and Using Firewalls http://www.bleepingcomputer.com/tutorials/tutorial60.html Let me know how you get on please. -------------------- If I have helped you in any way, please consider a donation: *Proud Member of ASAP (Alliance of Security Analysis Professionals).* *Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).*

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 4th July 2009 - 10:56 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive