Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtuamond, Winantivirus, Starsdoor(?), Others(?) Help Please!


  • Please log in to reply
19 replies to this topic

#1 jdorsey

jdorsey

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 15 September 2007 - 07:05 PM

I am infected. Lots of pop ups and I can't use any search engine. I have deleted temp files, cookies, etc. I have run adware and spybot and panda. Panda gave me this report (Hijackthis log below the panda report.):

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\abimsgut.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtstsr.dll
Adware:adware/commad Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Harry\Cookies\harry@azjmp[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Harry\Cookies\harry@findwhat[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Harry\Cookies\harry@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Harry\Cookies\harry@perf.overture[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Harry\Cookies\harry@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Harry\Cookies\harry@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Harry\Cookies\harry@server.iad.liveperson[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Harry\Cookies\harry@statse.webtrendslive[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Harry\Cookies\harry@tribalfusion[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Harry\Cookies\harry@winantispyware[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@burstnet[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@c2.gostats[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@c3.gostats[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@go[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@microsofteup.112.2o7[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@phg.hitbox[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@realmedia[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@rightmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@server.iad.liveperson[1].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@servlet[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@target[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@terra.com[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@tucows[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@www.burstbeacon[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@www.web-stat[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@xiti[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rob\Cookies\rob@112.2o7[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rob\Cookies\rob@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rob\Cookies\rob@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Rob\Cookies\rob@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Rob\Cookies\rob@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ads.addynamix[1].txt
Spyware:Cookie/Gorillanation Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ads.gorillanation[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Rob\Cookies\rob@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Rob\Cookies\rob@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rob\Cookies\rob@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rob\Cookies\rob@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rob\Cookies\rob@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rob\Cookies\rob@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Rob\Cookies\rob@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Rob\Cookies\rob@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Rob\Cookies\rob@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob\Cookies\rob@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Rob\Cookies\rob@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rob\Cookies\rob@casalemedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Rob\Cookies\rob@cgi-bin[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Rob\Cookies\rob@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rob\Cookies\rob@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Rob\Cookies\rob@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rob\Cookies\rob@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rob\Cookies\rob@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ehg-dig.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rob\Cookies\rob@ehg.hitbox[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Rob\Cookies\rob@entrepreneur[1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Rob\Cookies\rob@errorguard[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Rob\Cookies\rob@fastclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Rob\Cookies\rob@fortunecity[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rob\Cookies\rob@go[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Rob\Cookies\rob@hotlog[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rob\Cookies\rob@image.checkmystats.com[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Rob\Cookies\rob@landing.domainsponsor[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Rob\Cookies\rob@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rob\Cookies\rob@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rob\Cookies\rob@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Rob\Cookies\rob@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rob\Cookies\rob@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rob\Cookies\rob@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Rob\Cookies\rob@revenue[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Rob\Cookies\rob@rightmedia[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Rob\Cookies\rob@rn11[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Rob\Cookies\rob@servedby.advertising[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Rob\Cookies\rob@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob\Cookies\rob@serving-sys[1].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Rob\Cookies\rob@spylog[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rob\Cookies\rob@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rob\Cookies\rob@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rob\Cookies\rob@statse.webtrendslive[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Rob\Cookies\rob@targetnet[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Rob\Cookies\rob@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Rob\Cookies\rob@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Rob\Cookies\rob@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Rob\Cookies\rob@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rob\Cookies\rob@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Rob\Cookies\rob@valueclick[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Rob\Cookies\rob@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Rob\Cookies\rob@www.myaffiliateprogram[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Rob\Cookies\rob@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rob\Cookies\rob@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Rob\Cookies\rob@yadro[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Rob\Cookies\rob@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rob\Cookies\rob@zedo[2].txt
Adware:Adware/TTC Not disinfected C:\Program Files\MSN\safegujy4444.dll
Adware:Adware/TTC Not disinfected C:\Program Files\MSN\safegujy83122.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SGFycnk\m3IVwB4.vbs
Adware:Adware/ISearch Not disinfected C:\WINDOWS\SYSTEM32\A1\mid2dll.exe
Adware:Adware/TTC Not disinfected C:\WINDOWS\SYSTEM32\DLL2\MMEMDT83122.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gebxusq.dll
Virus:Trj/Downloader.QDR Disinfected C:\WINDOWS\SYSTEM32\GRB3\rwddr2SD.exe
Adware:Adware/TTC Not disinfected C:\WINDOWS\TTC-4444.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:58 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\kkdsrngp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: P2 Card Manager.lnk = C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFycnk\command.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bazy.html

--
End of file - 7195 bytes

THANKS for any help on getting this all cleaned up! JD

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 16 September 2007 - 09:42 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jdorsey :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

You've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 16 September 2007 - 05:32 PM

Thank you! Here is my combofix.txt file and my hijackthis log:

ComboFix 07-09-14.2 - "Harry" 2007-09-16 18:11:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.124 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\Harry\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Harry\STARTM~1\Programs\Startup\ta_start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\A1
C:\WINDOWS\SYSTEM32\bvbcrbdq.ini
C:\WINDOWS\system32\cknwtote.exe
C:\WINDOWS\SYSTEM32\dffhk.bak2
C:\WINDOWS\SYSTEM32\dffhk.ini
C:\WINDOWS\SYSTEM32\dffhk.ini2
C:\WINDOWS\SYSTEM32\dffhk.tmp
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\H2
C:\WINDOWS\SYSTEM32\hlxhvkrh.ini
C:\WINDOWS\system32\hrkvhxlh.dll
C:\WINDOWS\system32\khffd.dll
C:\WINDOWS\system32\qdbrcbvb.dll
C:\WINDOWS\system32\qmfcnqwm.exe
C:\WINDOWS\system32\rjxnntlp.dll
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-16 to 2007-09-16 )))))))))))))))))))))))))))))))
.

2007-09-16 18:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 09:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 09:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 09:25 <DIR> d-------- C:\DOCUME~1\Harry\APPLIC~1\SUPERAntiSpyware.com
2007-09-15 16:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-15 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-14 19:48 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-09-14 19:40 <DIR> d-------- C:\DOCUME~1\Harry\APPLIC~1\AntiSpyware
2007-09-14 17:40 <DIR> d-------- C:\Program Files\WinAble
2007-09-14 17:37 <DIR> d--hs---- C:\WINDOWS\SGFycnk
2007-09-14 17:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\GRB3
2007-09-14 17:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLL2
2007-09-01 13:51 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enum1394.sys
2007-09-01 13:51 6,400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\enum1394.sys
2007-09-01 13:50 61,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
2007-09-01 13:50 61,056 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ohci1394.sys
2007-09-01 13:50 53,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\1394bus.sys
2007-09-01 13:50 53,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 09:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-15 18:26 --------- d-------- C:\Program Files\QuickTime
2007-09-15 18:22 --------- d-------- C:\Program Files\iTunes
2007-09-15 18:21 --------- d-------- C:\Program Files\I8kfanGUI
2007-09-15 18:21 --------- d-------- C:\Program Files\Google
2007-09-15 18:21 --------- d-------- C:\Program Files\DellSupport
2007-09-15 18:18 --------- d-------- C:\Program Files\Bonjour
2007-09-15 14:10 246 --a------ C:\Program Files\Common Files\woqu
2007-09-15 14:01 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-08 11:48 --------- d-------- C:\Program Files\Ultra Video To Flash Converter
2007-08-08 11:31 --------- d-------- C:\Program Files\Riva
2005-05-20 12:15 487424 --a------ C:\DOCUME~1\Harry\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 07:59 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-16 16:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"i8kfangui"="C:\Program Files\I8kfanGUI\I8kfanGUI.exe" [2004-01-24 10:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 10:31]
"WinAble"="C:\Program Files\WinAble\winable.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
DESKTOP.INI [2002-09-03 15:36:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
P2 Card Manager.lnk - C:\Program Files\Panasonic P2\Card\P2TaskTray.exe [2006-05-30 16:46:16]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-11-16 10:23:25]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\DOCUME~1\Harry\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\khffd

R1 fanio;FanIO driver;\??\C:\WINDOWS\system32\drivers\fanio.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 23:44:45 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
"2007-05-08 19:48:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-02-06 00:57:49 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 18:24:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-16 18:27:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 18:27
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:57 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: P2 Card Manager.lnk = C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8623 bytes


THANK YOU!!

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 16 September 2007 - 06:04 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Exit Hijackthis.

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section,have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed,cleaning is finished.

Restart your pc.
Post a new Hijackthis log.
Let me know how your pc is running now please.
Posted Image
Posted Image

#5 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 16 September 2007 - 06:30 PM

Seems to be working better now. Thank you! Here is my hijackthis log now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:32 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: P2 Card Manager.lnk = C:\Program Files\Panasonic P2\Card\P2TaskTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8068 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 16 September 2007 - 06:39 PM

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete the following,then empty the Recycle Bin:
Combofix.exe
fix.reg

C:\Qoobox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#7 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 16 September 2007 - 07:28 PM

Thanks, Richie. Just two more questions:

1. I have a second laptop that's infected. Should I start a new thread for this separate machine? Or can you help with it too on this thread? (I have done everything right up to posting the combfix log and hijackthis log).
2. I'd like to make a *small* donation, but I'd like to think it goes to the person that helps me--namely you. Is that how it works?

Thanks again.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 16 September 2007 - 07:38 PM

1. I have a second laptop that's infected. Should I start a new thread for this separate machine? Or can you help with it too on this thread? (I have done everything right up to posting the combfix log and hijackthis log).

Stick to this thread if you wish,post the Combofix.txt and the Hijackthis log in your next reply.

2. I'd like to make a *small* donation, but I'd like to think it goes to the person that helps me--namely you. Is that how it works?

If you would like to donate to me personally,click on the 'Make a Donation' button at the bottom of this reply/post.
Posted Image
Posted Image

#9 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 16 September 2007 - 07:44 PM

Nevermind to the first question. The second laptop will not startup now at all. Guess I'll have to take it somewhere. Thanks anyway.

Edited by jdorsey, 16 September 2007 - 08:10 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 16 September 2007 - 08:16 PM

The second laptop will not startup now at all. Guess I'll have to take it somewhere.


Sorry to hear that,what happens exactly when you try to turn it on.
Posted Image
Posted Image

#11 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 16 September 2007 - 10:26 PM

Even when I try to boot in safe mode, I get a blue screen that says an error was detected and lists: UNMOUNTABLE_BOOT_VOLUME. It instructs me to reboot in safe mode.

Tomorrow I will try booting off a disk, I guess.

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 17 September 2007 - 03:29 AM

If you have the Microsoft Windows XP installation disk.
Configure your laptop to start from the CD-ROM drive.
[Boot into the Bios and set your CD-Rom drive as first boot device].
For more information about how to do this,refer to your laptops documentation or contact your laptops manufacturer.
Then insert your Microsoft Windows XP Setup CD,and restart your laptop.
Boot to the Recovery Console.
At the prompt type chkdsk /r then press Enter.
This process is extremely time consuming,allow chkdsk to finish in its own good time.

If still no joy,and you do indeed have the Microsoft Windows XP installation disk,try doing a Repair Install.
Insert your Microsoft Windows XP Setup CD,and restart your laptop.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
Press ENTER when you see the message to setup Windows XP now, and then press ENTER displayed on the 'Welcome to Setup' screen.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box,and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.
Posted Image
Posted Image

#13 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 17 September 2007 - 10:17 AM

Wow, you're good. Thanks. I used the XP disk and your instructions and it repaired the issue. THANKS.

Here is my combofix file and my hijackthis log:

ComboFix 07-09-17.2 - "LILLIAN_G" 2007-09-17 10:57:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\LILLIA~1\APPLIC~1\WinAntiSpyware 2007 Free
C:\DOCUME~1\LILLIA~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\LILLIA~1\Desktop\internet.lnk
C:\DOCUME~1\LILLIA~1\err.log
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\hnfcxgf.dll
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\ApiMon


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-17 10:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 17:05 7,139 --ahs---- C:\WINDOWS\SYSTEM32\edggh.ini2
2007-09-16 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 16:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 16:18 <DIR> d-------- C:\DOCUME~1\LILLIA~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 16:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-16 16:10 <DIR> d-------- C:\Program Files\Words
2007-09-16 16:05 <DIR> d-------- C:\Program Files\Insider
2007-09-16 16:00 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-09-16 15:59 <DIR> d-------- C:\Program Files\WinAble
2007-09-16 15:58 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-16 09:37 6,448 --ahs---- C:\WINDOWS\SYSTEM32\edggh.bak1
2007-09-16 09:30 <DIR> d--hs---- C:\WINDOWS\TElMTElBTl9H
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\GRB3
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLL2
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\chks2
2007-09-16 09:30 <DIR> d-------- C:\Temp
2007-09-16 09:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-09-15 18:29 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys
2007-09-15 18:29 5,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstee.sys
2007-09-15 18:15 61,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
2007-09-15 18:15 61,056 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ohci1394.sys
2007-09-15 18:15 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enum1394.sys
2007-09-15 18:15 6,400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\enum1394.sys
2007-09-15 18:15 53,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\1394bus.sys
2007-09-15 18:15 53,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys
2007-09-04 16:18 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-31 19:01 --------- d-------- C:\Program Files\LEGO Chic Boutique
2007-07-31 19:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-27 14:40 --------- d-------- C:\Program Files\Virtools
2004-09-09 10:47 487424 --a------ C:\DOCUME~1\LILLIA~1\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97646AEC-2794-4E49-AF98-16CDC3C26EE2}]
C:\WINDOWS\system32\hggde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d45e28d6-b803-4f05-816b-541f0f800731}]
C:\WINDOWS\system32\nxmrjtle.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 13:24]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 09:43]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-09 13:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-16 18:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []
"Insider"="C:\Program Files\Insider\Insider.exe" [2007-09-16 16:05]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-16 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2005-10-17 14:18:48]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\DOCUME~1\LILLIA~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]
PowerReg Scheduler V3.exe [2004-12-22 11:35:21]

C:\DOCUME~1\ROB\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstrp]
C:\WINDOWS\system32\sstrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\hggde

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 11:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-17 11:11:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-17 11:11
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:58 AM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Words\Words.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blogger.com./home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = hppt://library.advanced.org/10966/flags.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {97646AEC-2794-4E49-AF98-16CDC3C26EE2} - C:\WINDOWS\system32\hggde.dll (file missing)
O2 - BHO: (no name) - {d45e28d6-b803-4f05-816b-541f0f800731} - C:\WINDOWS\system32\nxmrjtle.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: sstrp - C:\WINDOWS\system32\sstrp.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8221 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 17 September 2007 - 10:45 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\SYSTEM32\edggh.ini2
C:\WINDOWS\SYSTEM32\edggh.bak1
C:\DOCUME~1\LILLIA~1\STARTM~1\Programs\Startup\PowerReg Scheduler V3.exe

LookDir::
C:\WINDOWS\TElMTElBTl9H
C:\WINDOWS\SYSTEM32\GRB3
C:\WINDOWS\SYSTEM32\DLL2
C:\WINDOWS\SYSTEM32\chks2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97646AEC-2794-4E49-AF98-16CDC3C26EE2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d45e28d6-b803-4f05-816b-541f0f800731}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstrp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#15 jdorsey

jdorsey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 PM

Posted 17 September 2007 - 11:01 AM

Here is the new ComboFix file and Hijackthis log:

ComboFix 07-09-17.2 - "LILLIAN_G" 2007-09-17 10:57:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\LILLIA~1\APPLIC~1\WinAntiSpyware 2007 Free
C:\DOCUME~1\LILLIA~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\LILLIA~1\Desktop\internet.lnk
C:\DOCUME~1\LILLIA~1\err.log
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\hnfcxgf.dll
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\ApiMon


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-17 10:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 17:05 7,139 --ahs---- C:\WINDOWS\SYSTEM32\edggh.ini2
2007-09-16 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 16:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 16:18 <DIR> d-------- C:\DOCUME~1\LILLIA~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 16:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-16 16:10 <DIR> d-------- C:\Program Files\Words
2007-09-16 16:05 <DIR> d-------- C:\Program Files\Insider
2007-09-16 16:00 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-09-16 15:59 <DIR> d-------- C:\Program Files\WinAble
2007-09-16 15:58 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-16 09:37 6,448 --ahs---- C:\WINDOWS\SYSTEM32\edggh.bak1
2007-09-16 09:30 <DIR> d--hs---- C:\WINDOWS\TElMTElBTl9H
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\GRB3
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLL2
2007-09-16 09:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\chks2
2007-09-16 09:30 <DIR> d-------- C:\Temp
2007-09-16 09:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-09-15 18:29 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys
2007-09-15 18:29 5,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstee.sys
2007-09-15 18:15 61,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
2007-09-15 18:15 61,056 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ohci1394.sys
2007-09-15 18:15 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enum1394.sys
2007-09-15 18:15 6,400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\enum1394.sys
2007-09-15 18:15 53,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\1394bus.sys
2007-09-15 18:15 53,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys
2007-09-04 16:18 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-31 19:01 --------- d-------- C:\Program Files\LEGO Chic Boutique
2007-07-31 19:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-27 14:40 --------- d-------- C:\Program Files\Virtools
2004-09-09 10:47 487424 --a------ C:\DOCUME~1\LILLIA~1\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97646AEC-2794-4E49-AF98-16CDC3C26EE2}]
C:\WINDOWS\system32\hggde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d45e28d6-b803-4f05-816b-541f0f800731}]
C:\WINDOWS\system32\nxmrjtle.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 13:24]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 09:43]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-09 13:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-16 18:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []
"Insider"="C:\Program Files\Insider\Insider.exe" [2007-09-16 16:05]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-16 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2005-10-17 14:18:48]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\DOCUME~1\LILLIA~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]
PowerReg Scheduler V3.exe [2004-12-22 11:35:21]

C:\DOCUME~1\ROB\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstrp]
C:\WINDOWS\system32\sstrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\hggde

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 11:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-17 11:11:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-17 11:11
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:31 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Words\Words.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blogger.com./home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = hppt://library.advanced.org/10966/flags.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7838 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users