Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop-ups Driving Me Mad! 'hijack This' Log Posted For Analysis.. Please Help..


  • This topic is locked This topic is locked
6 replies to this topic

#1 Jessy Drastic

Jessy Drastic

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 08 August 2007 - 02:21 PM

... i am going crazy.. and have already spent all day trying to fix this mess of a computer.. i'm losing business at work because i can't do anything..!! someone, pleeease help..!!!

:thumbsup: ... my boss is about to kill me .....



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:35 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hellomoving.com/BENNYSMOVE/admin.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hellomoving.com/BENNYSMOVE/admin.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5340] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2031] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7844] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9464] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2163] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8639] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1533813397-941772049-564899912-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1533813397-941772049-564899912-1006\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-1533813397-941772049-564899912-1006\..\RunOnce: [SpybotDeletingB9464] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\rtekefse.html

--
End of file - 7787 bytes

BC AdBot (Login to Remove)

 


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:40 PM

Posted 09 August 2007 - 06:18 AM

Hello and welcome aboard :thumbsup:

First things first, do you have McAfee anti-virus running? If so, then you should choose between AVG and McAfee. Only run one a/v at-a-time. If it's just the firewall, then it's ok.

Looks like SpyBot is going to delete some malware on reboot so please reboot then after that do the following;

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 Jessy Drastic

Jessy Drastic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 09 August 2007 - 09:12 AM

ComboFix 07-08-09.3 - "David Abotbool" 2007-08-09 10:02:25.2 - NTFSx86


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 09:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 15:48 1,893,383 --a------ C:\Temp\stinger.exe
2007-08-08 15:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-08 12:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 10:46 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-08-08 10:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 11:43 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys
2007-08-01 11:43 5,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstee.sys
2007-08-01 11:43 10,880 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NdisIP.sys
2007-08-01 11:43 10,880 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ndisip.sys
2007-08-01 11:42 85,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NABTSFEC.sys
2007-08-01 11:42 85,376 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nabtsfec.sys
2007-08-01 11:42 19,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\WSTCODEC.SYS
2007-08-01 11:42 19,328 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wstcodec.sys
2007-08-01 11:42 15,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\StreamIP.sys
2007-08-01 11:42 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\streamip.sys
2007-08-01 11:42 11,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SLIP.sys
2007-08-01 11:42 11,136 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\slip.sys
2007-08-01 11:41 17,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CCDECODE.sys
2007-08-01 11:41 17,024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ccdecode.sys
2007-08-01 11:40 62,698 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Capt9080.sys
2007-08-01 11:40 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll
2007-08-01 11:40 53,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vfwwdm32.dll
2007-08-01 11:40 24,101 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Camd9080.sys
2007-07-31 12:41 <DIR> d-------- C:\Program Files\RFA
2007-07-31 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RFA_Backups
2007-07-31 12:32 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-26 09:21 <DIR> d-------- C:\Program Files\Music Rescue
2007-07-25 15:41 <DIR> d-------- C:\VundoFix Backups
2007-07-24 16:52 <DIR> d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\Apple Computer
2007-07-24 16:50 <DIR> d-------- C:\Program Files\iPod
2007-07-24 16:48 <DIR> d-------- C:\Program Files\iTunes
2007-07-24 16:44 <DIR> d-------- C:\Program Files\QuickTime
2007-07-24 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-24 16:40 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-24 16:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-24 16:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-23 12:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-23 11:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 11:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 10:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 13:35 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-07-20 12:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-17 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Laconic Software
2007-07-12 11:52 <DIR> d-------- C:\Program Files\MySpace
2007-07-12 11:52 <DIR> d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 16:35 --------- d-------- C:\Program Files\Windows NT
2007-08-08 15:58 --------- d-------- C:\Program Files\Google
2007-08-08 11:36 49756 --a------ C:\DOCUME~1\DAVIDA~1\APPLIC~1\wklnhst.dat
2007-08-01 11:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 11:05 --------- d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\Lavasoft
2007-07-18 12:11 38567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-07-06 10:32 --------- d-------- C:\Program Files\MSN Messenger
2007-07-05 16:20 --------- d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\AdobeUM
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-01-25 10:31 93360 --a------ C:\DOCUME~1\DAVIDA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-07-13 17:28 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2004-01-28 17:48]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2003-12-08 16:38]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-25 12:53]
"rfagent"="C:\Program Files\RFA\rfagent.exe" [2007-03-28 19:51]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2004-06-07 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 09:27]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\David Abotbool\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 14:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 14:04:12]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\rtekefse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David Abotbool^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\David Abotbool\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\earvjbsk]
C:\WINDOWS\system32\bnohigyv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1124988022\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssdiag]
C:\WINDOWS\ssdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe



Contents of the 'Scheduled Tasks' folder
2007-07-24 20:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 14:06:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DDV1VS51-David Abotbool).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-09 14:06:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DDV1VS51-Owner).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-09 13:59:41 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-07-23 16:05:36 C:\WINDOWS\Tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 10:06:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 10:07:52
C:\ComboFix-quarantined-files.txt ... 2007-08-09 10:07

--- E O F ---



also, i don't know if you need this, but here is a fresh HT log, after a reboot & running the combofix...
thank you so much for your help...!!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:31 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hellomoving.com/BENNYSMOVE/admin.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1533813397-941772049-564899912-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1533813397-941772049-564899912-1006\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\rtekefse.html

--
End of file - 7025 bytes

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:40 PM

Posted 09 August 2007 - 09:35 AM

Open notepad and copy/paste the text in the quotebox into it

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\earvjbsk]

File::
C:\Temp\stinger.exe
C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
C:\Program Files\Windows NT\rtekefse.html
C:\WINDOWS\system32\bnohigyv.exe


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Are you still getting popups? :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#5 Jessy Drastic

Jessy Drastic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 09 August 2007 - 10:47 AM

...not getting anymore popups, so far.. THANKS!!!
.. still running a little slow.. but i think i could fix that by doing some cleaning..??



ComboFix 07-08-09.3 - "David Abotbool" 2007-08-09 11:30:41.3 - NTFSx86


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 09:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 15:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-08 12:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 10:46 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-08-08 10:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 11:43 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys
2007-08-01 11:43 5,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstee.sys
2007-08-01 11:43 10,880 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NdisIP.sys
2007-08-01 11:43 10,880 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ndisip.sys
2007-08-01 11:42 85,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NABTSFEC.sys
2007-08-01 11:42 85,376 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nabtsfec.sys
2007-08-01 11:42 19,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\WSTCODEC.SYS
2007-08-01 11:42 19,328 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wstcodec.sys
2007-08-01 11:42 15,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\StreamIP.sys
2007-08-01 11:42 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\streamip.sys
2007-08-01 11:42 11,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SLIP.sys
2007-08-01 11:42 11,136 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\slip.sys
2007-08-01 11:41 17,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CCDECODE.sys
2007-08-01 11:41 17,024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ccdecode.sys
2007-08-01 11:40 62,698 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Capt9080.sys
2007-08-01 11:40 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll
2007-08-01 11:40 53,760 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vfwwdm32.dll
2007-08-01 11:40 24,101 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Camd9080.sys
2007-07-31 12:41 <DIR> d-------- C:\Program Files\RFA
2007-07-31 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RFA_Backups
2007-07-31 12:32 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-26 09:21 <DIR> d-------- C:\Program Files\Music Rescue
2007-07-25 15:41 <DIR> d-------- C:\VundoFix Backups
2007-07-24 16:52 <DIR> d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\Apple Computer
2007-07-24 16:50 <DIR> d-------- C:\Program Files\iPod
2007-07-24 16:48 <DIR> d-------- C:\Program Files\iTunes
2007-07-24 16:44 <DIR> d-------- C:\Program Files\QuickTime
2007-07-24 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-24 16:40 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-24 16:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-24 16:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-23 12:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-23 11:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 11:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 10:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 13:35 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-07-20 12:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-17 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Laconic Software
2007-07-12 11:52 <DIR> d-------- C:\Program Files\MySpace
2007-07-12 11:52 <DIR> d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 16:35 --------- d-------- C:\Program Files\Windows NT
2007-08-08 15:58 --------- d-------- C:\Program Files\Google
2007-08-08 11:36 49756 --a------ C:\DOCUME~1\DAVIDA~1\APPLIC~1\wklnhst.dat
2007-08-01 11:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 11:05 --------- d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\Lavasoft
2007-07-18 12:11 38567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-07-06 10:32 --------- d-------- C:\Program Files\MSN Messenger
2007-07-05 16:20 --------- d-------- C:\DOCUME~1\DAVIDA~1\APPLIC~1\AdobeUM
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-01-25 10:31 93360 --a------ C:\DOCUME~1\DAVIDA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-07-13 17:28 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2004-01-28 17:48]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2003-12-08 16:38]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-25 12:53]
"rfagent"="C:\Program Files\RFA\rfagent.exe" [2007-03-28 19:51]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2004-06-07 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 09:27]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\David Abotbool\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 14:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 14:04:12]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\rtekefse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David Abotbool^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\David Abotbool\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\earvjbsk]
C:\WINDOWS\system32\bnohigyv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1124988022\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssdiag]
C:\WINDOWS\ssdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-24 20:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 15:36:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DDV1VS51-David Abotbool).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-09 15:36:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DDV1VS51-Owner).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-09 13:59:41 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-07-23 16:05:36 C:\WINDOWS\Tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 11:35:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 11:38:51
C:\ComboFix-quarantined-files.txt ... 2007-08-09 11:38
C:\ComboFix2.txt ... 2007-08-09 10:07

--- E O F ---

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:40 PM

Posted 09 August 2007 - 11:44 AM

These, for example are safe to fix with HijackThis to prevent them from starting in startup, might quicken up startup a bit (it in no way prevents you to run the programs manually):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe


Run this: http://www.atribune.org/content/view/25/2/

Also you might want to run disc defrag (Start -> Run type in: Dfrg.msc then hit Enter)

Like I said earlier, if you have both McAfee and AVG anti-virus apps running please uninstall the other one. McAfee uses a lot of system resources; quite a hog really; but if you have payed for a subscription, then you might want to uninstall AVG instead. Using two a/v apps at a time is a quaranteed lag for your PC and they will also cause problems by interfering with each other.

AVG is much lighter app, and also completely free. But choose whichever you want :thumbsup: As long as they aren't both running at the same time.

Let me know hows it going.
Hi there, stranger!

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:40 PM

Posted 22 August 2007 - 07:49 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member. :thumbsup:
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users