BleepingComputer.com: Here Is My Log Please Help Me

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Here Is My Log Please Help Me Have a virus i cant get off

#1 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 06 December 2007 - 03:20 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:39 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [3af6c01d] rundll32.exe "C:\WINDOWS\system32\lbcxpngk.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator.RXENTRY02\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://help.live.com/ContactUs/ActiveX/MSDcode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://netserver/ConnectComputer/nshelp.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://192.168.64.251/cab/DownloadFile.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - https://autoins2.progressivedirect.com/ptt/cv/CVALAX.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://192.168.64.251/cab/Live.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictures.com/games/zuma/popcaploader_v6.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://64.140.14.165/cab/RPB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: E404Helper - {9d1942de-8429-4eb1-a76c-e54a4cd7aa0c} - e404d.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\fsodydarti.html

--
End of file - 8088 bytes

#2 User is offline   RichieUK 

  • Malware Assassin
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 13,612
  • Joined: 13-July 06

Posted 07 December 2007 - 06:21 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum kgfire
My name is Richie and i'll be helping you to fix your problems.

You’re running msconfig in Auto mode which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if they’re malware, so please re-enable those startup entries by doing the following:
Click on Start>Run,type msconfig and then press Enter.
When the ‘System Configuration Utility’ opens click on the ‘Startup’ tab,make sure all the boxes are checkmarked.
Then press Apply/Ok to exit the utility.
If it asks you to restart your pc,please don’t,it‘s not necessary at this point.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could lead to your system becoming unusable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop
Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 07 December 2007 - 02:45 PM

ComboFix 07-12-07.5 - wayne 2007-12-07 13:05:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.RXENTRY02\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\autorun.inf
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\ecurit~1\?ecurity\
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Images\2AD170E8.urr
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\Rqaljyvv
C:\Program Files\Rqaljyvv\zukrvtec.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Program Files\smss.exe
C:\Program Files\vision
C:\Program Files\vision\admupdat.exe
C:\Program Files\vision\ANSITERM.exe
C:\Program Files\vision\hostexp.exe
C:\Program Files\vision\HostWiz.exe
C:\Program Files\vision\Keymap.exe
C:\Program Files\vision\MSGPAD.exe
C:\Program Files\vision\ProxyWiz.exe
C:\Program Files\vision\rps.exe
C:\Program Files\vision\system\101.KLT
C:\Program Files\vision\system\102.KLT
C:\Program Files\vision\system\ANSI.DFT
C:\Program Files\vision\system\ANSI.KDB
C:\Program Files\vision\system\ANSIX.dll
C:\Program Files\vision\system\English\Ats.hlp
C:\Program Files\vision\system\English\Cnaccess.hlp
C:\Program Files\vision\system\English\Cnterm.hlp
C:\Program Files\vision\system\English\Cnvca.hlp
C:\Program Files\vision\system\English\Cnvisn.hlp
C:\Program Files\vision\system\English\Common.hlp
C:\Program Files\vision\system\English\Conmon.hlp
C:\Program Files\vision\system\English\Hostexp.hlp
C:\Program Files\vision\system\English\Keymap.hlp
C:\Program Files\vision\system\English\Licts.hlp
C:\Program Files\vision\system\English\Msgpad.hlp
C:\Program Files\vision\system\English\Netcheck.hlp
C:\Program Files\vision\system\English\Rps.hlp
C:\Program Files\vision\system\English\Term.hlp
C:\Program Files\vision\system\English\Userview.hlp
C:\Program Files\vision\system\English\Vcats.hlp
C:\Program Files\vision\system\English\Vision.hlp
C:\Program Files\vision\system\English\Visionts.hlp
C:\Program Files\vision\system\English\Vwc32.hlp
C:\Program Files\vision\system\HOSTFCTL.dll
C:\Program Files\vision\system\LK250.KLT
C:\Program Files\vision\system\PRTCTL.dll
C:\Program Files\vision\system\PrtLocal.vcf
C:\Program Files\vision\system\rifx.exe
C:\Program Files\vision\system\rifxx.dll
C:\Program Files\vision\system\Rpsx.dll
C:\Program Files\vision\system\sni-tate.klt
C:\Program Files\vision\system\UPDTCTL.dll
C:\Program Files\vision\system\Vt420.dft
C:\Program Files\vision\system\Vt420.kdb
C:\Program Files\vision\system\VT420X.dll
C:\Program Files\vision\system\VTICONX.dll
C:\Program Files\vision\system\vwaansi.dll
C:\Program Files\vision\system\vwarps.dll
C:\Program Files\vision\system\vwavt420.dll
C:\Program Files\vision\system\vwawys60.dll
C:\Program Files\vision\system\W60X.dll
C:\Program Files\vision\system\Wyse60.dft
C:\Program Files\vision\system\Wyse60.kdb
C:\Program Files\vision\unixwizd.exe
C:\Program Files\vision\userview.exe
C:\Program Files\vision\V420TERM.exe
C:\Program Files\vision\wy60term.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\IA
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\v97

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-07 12:49 . 2007-12-07 12:49 <DIR> d-------- C:\Program Files\Sun
2007-12-07 12:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-07 12:37 . 2007-12-07 12:38 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\.SunDownloadManager
2007-12-06 12:42 . 2007-12-07 12:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-06 12:42 . 2007-12-06 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 12:42 . 2007-12-06 12:42 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\SUPERAntiSpyware.com
2007-12-06 12:14 . 2007-12-06 12:14 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-06 11:55 . 2007-12-06 12:19 <DIR> d-------- C:\VundoFix Backups
2007-12-06 11:40 . 2007-12-06 11:40 <DIR> d-------- C:\Program Files\SonicWallES
2007-12-06 01:42 . 2007-12-07 12:14 1,276 --a------ C:\rollback.ini
2007-12-05 22:06 . 2007-12-06 11:40 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\MailFrontier
2007-12-05 22:00 . 2007-12-07 13:17 2,863,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-05 22:00 . 2007-12-07 13:17 39,140 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-05 21:53 . 2007-12-06 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-05 21:53 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-05 21:53 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-05 21:53 . 2007-12-06 23:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-05 21:51 . 2007-12-07 13:15 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-05 21:47 . 2007-12-05 21:47 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-05 10:42 . 2007-12-06 01:41 807,606 --ahs---- C:\WINDOWS\system32\kgnpxcbl.ini
2007-12-01 13:11 . 2007-12-01 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-12-01 13:11 . 2007-12-01 13:12 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\MSN6
2007-12-01 12:44 . 2007-12-01 12:44 <DIR> d-------- C:\Program Files\Microsoft Easy Assist
2007-12-01 11:20 . 2007-12-01 11:21 <DIR> d-------- C:\OneCareSupportData
2007-12-01 10:56 . 2007-12-01 11:00 <DIR> d-------- C:\Program Files\RegCure
2007-11-28 08:29 . 2007-12-01 11:22 1,459,356 --a------ C:\OneCareSupportData.zip
2007-11-27 19:47 . 2007-09-21 10:35 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-11-27 19:47 . 2007-09-21 10:35 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-11-27 19:46 . 2007-07-06 16:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-11-27 19:44 . 2007-03-29 06:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2007-11-27 19:44 . 2007-03-29 06:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2007-11-27 19:44 . 2007-03-29 06:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-11-27 19:44 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-11-27 19:44 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-11-27 19:44 . 2007-03-29 06:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2007-11-27 18:59 . 2007-11-27 18:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-27 16:23 . 2007-12-07 13:00 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-11-27 15:42 . 2007-12-06 11:40 <DIR> d-------- C:\WINDOWS\system32\tpcwdoia
2007-11-27 15:42 . 2007-11-27 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-27 15:42 . 2007-11-27 15:42 131 --a------ C:\Documents and Settings\Administrator.RXENTRY02\mit.bat
2007-11-27 15:41 . 2007-12-06 11:40 <DIR> d-------- C:\Program Files\kfqrsped
2007-11-27 15:41 . 2007-11-27 15:42 1,149,472 --a------ C:\Install
2007-11-26 10:15 . 2007-03-07 17:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-11-15 11:50 . 2007-11-15 11:50 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-15 11:50 . 2007-12-06 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 13:33 . 2007-11-13 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 13:32 . 2007-11-13 13:32 <DIR> d-------- C:\Program Files\DivX
2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\MySlideShow Plug-ins
2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\MySlideShow Gold 2
2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Program Files\Common Files\Anix Shared
2007-11-13 10:30 . 2007-11-13 10:30 <DIR> d-------- C:\Documents and Settings\Administrator.RXENTRY02\Application Data\Anix Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 18:51 --------- d-----w C:\Program Files\Java
2007-12-06 17:50 --------- d-----w C:\Program Files\QuickTime
2007-12-06 17:40 --------- d-----w C:\Program Files\Virtools Web Player 3.5
2007-12-06 08:05 --------- d-----w C:\Program Files\Trend Micro
2007-12-06 02:16 --------- d-----w C:\Program Files\Compaq
2007-12-01 21:59 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2007-12-01 21:58 524,288 ----a-w C:\Documents and Settings\__sbs_netsetup__\ntuser.dat
2007-12-01 21:58 --------- d-----w C:\Program Files\MySpace
2007-11-28 02:09 --------- d-----w C:\Program Files\Lavasoft
2007-11-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 16:00 --------- d-----w C:\Program Files\Google
2007-11-27 15:59 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-27 15:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-27 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-27 15:55 --------- d---a-w C:\Program Files\Lycos
2007-11-26 16:16 --------- d-----w C:\Program Files\Winamp
2007-11-19 14:11 --------- d-----w C:\Program Files\UI Central
2007-11-14 22:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 19:33 --------- d--h--r C:\Documents and Settings\Administrator.RXENTRY02\Application Data\yahoo!
2007-11-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-24 23:28 202,240 ----a-w C:\WINDOWS\system32\Dr Pepper Go For More 23.scr
2004-06-22 13:04 94,438 ------w C:\Program Files\hposcu08.inf
2004-06-22 13:04 9,777 ------w C:\Program Files\hpzipr13.inf
2004-06-22 13:04 9,773 ------w C:\Program Files\hpousc08.inf
2004-06-22 13:04 70,656 ------w C:\Program Files\msvcirt.dll
2004-06-22 13:04 7,579 ------w C:\Program Files\hpound08.inf
2004-06-22 13:04 66,431 ------w C:\Program Files\hpoprl04.dat
2004-06-22 13:04 65,420 ------w C:\Program Files\hpoprl05.dat
2004-06-22 13:04 65 ------w C:\Program Files\dxprl.dat
2004-06-22 13:04 6,704 ------w C:\Program Files\hpounp08.inf
2004-06-22 13:04 53,670 ------w C:\Program Files\hposcu08.cat
2004-06-22 13:04 52,349 ------w C:\Program Files\hpzius13.cat
2004-06-22 13:04 52,349 ------w C:\Program Files\HPZius12.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\hpzist13.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\hpzist12.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\hpzipr13.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\HPZipr12.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\hpzid413.cat
2004-06-22 13:04 51,467 ------w C:\Program Files\HPZid412.cat
2004-06-22 13:04 51,026 ------w C:\Program Files\HPOunp08.cat
2004-06-22 13:04 50,615 ------w C:\Program Files\hpzid412.inf
2004-06-22 13:04 5,538 ------w C:\Program Files\hpzist12.inf
2004-06-22 13:04 49,212 ------w C:\Program Files\hpzjvp01.dll
2004-06-22 13:04 458,752 ------w C:\Program Files\tls704d.dll
2004-06-22 13:04 447,400 ------w C:\Program Files\hpoprn08.cat
2004-06-22 13:04 442,425 ------w C:\Program Files\hpzjpp01.dll
2004-06-22 13:04 4,779 ------w C:\Program Files\hpoglu08.inf
2004-06-22 13:04 4,768 ------w C:\Program Files\hpoprl01.dat
2004-06-22 13:04 4,144 ------w C:\Program Files\hpousb08.inf
2004-06-22 13:04 4,132 ------w C:\Program Files\hpzist13.inf
2004-06-22 13:04 4,014 ------w C:\Program Files\hpoprl08.dat
2004-06-22 13:04 399 ------w C:\Program Files\hpzprl01.dat
2004-06-22 13:04 314 ------w C:\Program Files\hpqprl01.dat
2004-06-22 13:04 3,448 ------w C:\Program Files\hpohub08.inf
2004-06-22 13:04 297 ------w C:\Program Files\Readme.html
2004-06-22 13:04 290,873 ------w C:\Program Files\hpzjut01.dll
2004-06-22 13:04 28,722 ------w C:\Program Files\hpzjlog.dll
2004-06-22 13:04 270,336 ------w C:\Program Files\hpzglu10.exe
2004-06-22 13:04 270,336 ------w C:\Program Files\hpzc3212.dll
2004-06-22 13:04 26,768 ------w C:\Program Files\usbhub.sys
2004-06-22 13:04 254,005 ------w C:\Program Files\msvcrt.dll
2004-06-22 13:04 22,636 ------w C:\Program Files\hpzid413.inf
2004-06-22 13:04 22,608 ------w C:\Program Files\usbprint.sys
2004-06-22 13:04 205 ------w C:\Program Files\hpzprl02.dat
2004-06-22 13:04 200,704 ------w C:\Program Files\hpzpnp10.dll
2004-06-22 13:04 20,168 ------w C:\Program Files\hpzius12.inf
2004-06-22 13:04 2,542 ------w C:\Program Files\hpoprl02.dat
2004-06-22 13:04 19,578 ------w C:\Program Files\hpoprl03.dat
2004-06-22 13:04 176,128 ------w C:\Program Files\hpzscr10.dll
2004-06-22 13:04 17,176 ------w C:\Program Files\hpomdl04.dat
2004-06-22 13:04 16,416 ------w C:\Program Files\HPZUCI12.DLL
2004-06-22 13:04 14,845 ------w C:\Program Files\hpoapd01.dat
2004-06-22 13:04 14,815 ------w C:\Program Files\hpzius13.inf
2004-06-22 13:04 137,124 ------w C:\Program Files\hpoprn08.inf
2004-06-22 13:04 12,922 ------w C:\Program Files\hpzipr12.inf
2004-06-22 13:04 12,288 ------w C:\Program Files\usbmon.dll
2004-06-22 13:04 1,980 ------w C:\Program Files\hpoprl07.dat
2004-06-22 13:04 1,479 ------w C:\Program Files\license.txt
2004-06-22 13:04 1,391 ------w C:\Program Files\readme.txt
2004-06-22 13:04 1,073,152 ------w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-04 19:00]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 10:57]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 12:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-11-19 09:38]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" []
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 06:34]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Vision Services.lnk - C:\Program Files\Common Files\Vision\vservice.exe [2004-06-10 09:03:46]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmlisten"=2 (0x2)
"ntrtscan"=2 (0x2)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"DomainService"=2 (0x2)
"Belkin Wireless USB Network Adapter Service"=2 (0x2)
"wuauserv"=2 (0x2)

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys
S4 Belkin Wireless USB Network Adapter Service;Belkin Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a9ddc6f-dc16-11db-a95a-001150bec44a}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 06:11:37 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe
"2007-12-07 19:18:25 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-06 09:00:12 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 13:23:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 13:30:46 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:28 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5800 bytes

#4 User is offline   RichieUK 

  • Malware Assassin
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 13,612
  • Joined: 13-July 06

Posted 07 December 2007 - 03:36 PM

Disable Windows Defender's real-time protection,as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Click Start/Control Panel/Add or Remove Programs and remove MyWebSearch,then restart your pc.

You have SpywareBot installed on your pc,it's a rogue Antispyware program because it uses the name Search & Destroy on its pages which can trick novice uses into thinking they are downloading the genuine Spybot Search & Destroy.
If this is free then i suggest you uninstall/remove it via Start/Control Panel/Add or Remove Programs,then restart your pc.
If you have payed for this remover then its really up to you to decide if you trust the company that makes it,i most certainly would not.
SpywareBot is listed on the Rogue/Suspect Anti-Spyware Products list here:
http://spywarewarrior.com/rogue_anti-spyware.htm

Copy and paste the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktopPosted Image
You'll see a black screen flash,thats normal.

Quote

@echo off
sc stop DomainService
sc delete DomainService

Restart your pc.

Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\kgnpxcbl.ini
C:\Documents and Settings\Administrator.RXENTRY02\mit.bat
C:\VundoFix Backups
C:\WINDOWS\system32\tpcwdoia
C:\Program Files\kfqrsped
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Please download/install Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button,then copy and paste the report into your next reply along with a new HijackThislog.

This post has been edited by RichieUK: 07 December 2007 - 03:37 PM

Posted Image
Posted Image

#5 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 08 December 2007 - 09:43 AM

AntiVir PersonalEdition Classic
Report file date: Friday, December 07, 2007 23:48

Scanning for 1036370 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: GIPSONFAMILY

Version information:
BUILD.DAT : 269 15604 Bytes 9/10/2007 14:31:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 20:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 19:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 22:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 19:35:20
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 19:32:40
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 19:32:46
ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 8/25/2007 00:21:02
ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 8/28/2007 14:22:36
AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 8/30/2007 00:09:10
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 17:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 14:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 15:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 14:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 19:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 14:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 18:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 19:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 19:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 16:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, December 07, 2007 23:48

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'Hotsync.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'DrvLsnr.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msfwsvc.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '49' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071206-025420-161.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47bd8344.qua'!
C:\qoobox\Quarantine\catchme2007-12-07_132042.82.zip
[0] Archive type: ZIP
--> core.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47ce88d7.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP850\A0077431.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '478a893c.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP868\A0080740.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '478a8f6c.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP868\A0080741.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '478a8f6f.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP876\A0083199.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '478a8fa7.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP883\A0086628.inf
[DETECTION] Is the Trojan horse TR/Dldr.IstBar.FA
[INFO] The file was moved to '478a8fd8.qua'!
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP883\A0086629.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46f4dff9.qua'!


End of the scan: Saturday, December 08, 2007 07:17
Used time: 7:29:14 min

The scan has been done completely.

9214 Scanning directories
646067 Files were scanned
5 viruses and/or unwanted programs were found
3 Files were classified as suspicious:
0 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
646062 Files not concerned
7620 Archives were scanned
1 Warnings
11 Notes


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:49 AM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6110 bytes

#6 User is offline   RichieUK 

  • Malware Assassin
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 13,612
  • Joined: 13-July 06

Posted 08 December 2007 - 10:37 AM

jre1.5.0_03 is still running in processes,you did'nt uninstall it when updating to the latest version of Sun Java,please remove/uninstall it now via Add/Remove Programs.

Have Hijack This fix the following if still present,by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
Exit Hijackthis.

Restart your pc.
Post a new Hijackthis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#7 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 08 December 2007 - 12:44 PM

Malware Assassin


Group: HJT Team
Posts: 10,390
Joined: 13-July 06
Member No.: 75,975



jre1.5.0_03
could this be listed as something else it is not on my add and remove files

#8 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 08 December 2007 - 12:50 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:48 AM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5553 bytes


you are awsome my computer is running 100% betetr no popups and i got my background back

#9 User is offline   RichieUK 

  • Malware Assassin
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 13,612
  • Joined: 13-July 06

Posted 08 December 2007 - 01:05 PM

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#10 User is offline   kgfire 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-December 07

Posted 08 December 2007 - 03:00 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:11 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Outlook\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O4 - Global Startup: ZIM SMS Mail.lnk = C:\Program Files\ZIM\SMS Mail\ZIMSMSMail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 5149 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2007 at 01:42 PM

Application Version : 3.9.1008

Core Rules Database Version : 3357
Trace Rules Database Version: 1356

Scan type : Complete Scan
Total Scan Time : 01:00:41

Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 6439
Registry threats detected : 0
File items scanned : 39862
File threats detected : 0


computer is running great a little slow on start up seems to be alot running on start up.
Thank for all you have done your great

#11 User is offline   RichieUK 

  • Malware Assassin
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 13,612
  • Joined: 13-July 06

Posted 08 December 2007 - 07:45 PM

Quote

computer is running great a little slow on start up seems to be alot running on start up.

Its not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system,due to the two conflicting with each other.
I suggest you remove/uninstall Microsoft Windows OneCare Live via Start/Control Panel/Add or Remove Programs,then restart your pc.
Keep AntiVir PersonalEdition Classic installed,its a better product than Microsoft Windows OneCare Live Antivirus.
You should now see a diffence at system startup.


I suggest you now install a third party firewall from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/
Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe
Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/
Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should take the time to read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

Let me know how you get on please.
Posted Image
Posted Image

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users