
Virtumondo?


  • This topic is locked
19 replies to this topic

#1 6screaminkids

6screaminkids

  • Members
  • 9 posts
  • OFFLINE
  • Location:Arizona
  • Local time:01:43 AM

Posted 25 September 2007 - 08:33 PM

Hopefully I won't forget anything that I am supposed to post.
I am running windows xp home.
It's the kids laptop and I'm glad they were not on my computer!
Not sure what they downloaded - don't know if I want to know.

I have trend anti-virus running (removed today due to issues with spybot - will put back on)
I also run ad-aware once a week.
I ran spy-bot - found a lot more than ad-aware.
I installed AVG - and it found even more!
I ran vundofix - couldn't delete one file ssqqqnn.dll - even after reboot - it said can't delete it, then it rebooted again said it was OK - but 2 hours later - it was not working again. Ran it all again - same thing - so not sure if it got it this time or not.
I also ran a combofix - And it still found more.

Please -- my kids have a 1/2 day tomorrow and if they don't have a computer - I'll have to try to entertain them!
Thanks for any help!
I just have a feeling that it still isn't over.


--Angie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:53 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - {35BF4C1A-FF77-446F-8197-EABDE649C507} - (no file)
O2 - BHO: (no name) - {423E464D-D1E6-4295-B6F2-505FAD6D2F90} - (no file)
O2 - BHO: (no name) - {5F0DCFAC-B6B2-42D4-976F-00C47E5F006F} - (no file)
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {83A048DA-C97D-4846-869D-1DCB26115DAE} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {A9B511F6-F437-445B-B500-0BC197506625} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {CE4702B8-123E-4247-B790-E36EDF6E4A26} - (no file)
O2 - BHO: (no name) - {D16CCFCD-098F-4529-869A-2F31AD33D6D5} - (no file)
O2 - BHO: (no name) - {E560A89B-7721-49E3-8B2A-C1DB6207D97A} - (no file)
O2 - BHO: (no name) - {E9172915-3592-488E-A802-7241D08FEAA6} - (no file)
O2 - BHO: (no name) - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\txwthqou.dll",sitypnow
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm128NJUS
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 6084 bytes



_____________________________________________________________________________
ComboFix 07-09-21.2 - "Mom Dad" 2007-09-26 18:09:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.53 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070926-173417-305.dll
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070926-173417-690.dll
C:\Program Files\TTC.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\bjnywkbd.ini
C:\WINDOWS\system32\btmjbpmc.exe
C:\WINDOWS\system32\dbkwynjb.dll
C:\WINDOWS\system32\dqqbiqwy.exe
C:\WINDOWS\system32\eueoeaok.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\hjnnglsj.exe
C:\WINDOWS\system32\hsacsrad.exe
C:\WINDOWS\system32\igkejhlw.exe
C:\WINDOWS\system32\ioynhjkw.exe
C:\WINDOWS\system32\itxhlcho.exe
C:\WINDOWS\system32\jdbyvrjq.exe
C:\WINDOWS\system32\jnujnper.exe
C:\WINDOWS\system32\kdnsbilp.exe
C:\WINDOWS\system32\kpsrbpoj.exe
C:\WINDOWS\system32\lqacjkpi.exe
C:\WINDOWS\system32\msvmgkne.exe
C:\WINDOWS\system32\mvyiwqqu.exe
C:\WINDOWS\system32\nqyxoyef.exe
C:\WINDOWS\system32\oueauoov.exe
C:\WINDOWS\system32\qepeivws.exe
C:\WINDOWS\system32\soxgjats.exe
C:\WINDOWS\system32\ssqqqnn.dll
C:\WINDOWS\system32\sxqjxlcf.exe
C:\WINDOWS\system32\tfipajlx.ini
C:\WINDOWS\system32\tgasbosd.exe
C:\WINDOWS\system32\twardsje.exe
C:\WINDOWS\system32\txcabduh.exe
C:\WINDOWS\system32\uryyenlq.exe
C:\WINDOWS\system32\wlftgbgw.exe
C:\WINDOWS\system32\xljapift.dll
C:\WINDOWS\system32\yfhdsmoq.exe
C:\WINDOWS\system32\yfsbaarc.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-26 18:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 17:54 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-26 17:04 84,032 --a------ C:\WINDOWS\system32\mqvxsyjo.dll
2007-09-26 17:02 2,007,473 ---hs---- C:\WINDOWS\system32\rttss.bak1
2007-09-26 15:51 84,032 --a------ C:\WINDOWS\system32\nkbshnmh.dll
2007-09-26 15:46 2,007,551 ---hs---- C:\WINDOWS\system32\oqtss.bak1
2007-09-26 15:07 84,032 --a------ C:\WINDOWS\system32\pcfbudrl.dll
2007-09-26 15:06 2,008,681 ---hs---- C:\WINDOWS\system32\bccdd.bak2
2007-09-26 11:43 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-26 08:51 321,632 --a------ C:\WINDOWS\system32\awtqp.dll
2007-09-26 07:33 84,032 --a------ C:\WINDOWS\system32\ufwvyjjh.dll
2007-09-25 18:12 2,004,870 ---hs---- C:\WINDOWS\system32\bccdd.bak1
2007-09-25 17:40 2,005,492 ---hs---- C:\WINDOWS\system32\yybeg.bak2
2007-09-25 12:54 6,448 ---hs---- C:\WINDOWS\system32\yybeg.bak1
2007-09-25 12:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-25 08:59 2,004,535 ---hs---- C:\WINDOWS\system32\vybeg.bak1
2007-09-25 08:29 <DIR> d-------- C:\VundoFix Backups
2007-09-24 17:43 85,568 --a------ C:\WINDOWS\system32\tednuxhf.dll
2007-09-24 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-24 16:43 85,568 --a------ C:\WINDOWS\system32\cnfsbged.dll
2007-09-24 15:08 85,568 --a------ C:\WINDOWS\system32\xkmedsjs.dll
2007-09-24 08:49 85,568 --a------ C:\WINDOWS\system32\vgvdoiiy.dll
2007-09-24 08:06 85,568 --a------ C:\WINDOWS\system32\qnfhwgej.dll
2007-09-22 17:01 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-09-22 17:01 <DIR> d-------- C:\Program Files\Diner Dash 2
2007-09-22 16:50 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-20 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-09-16 18:34 <DIR> d--hs---- C:\WINDOWS\QW5naWUgT2NrZXI
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\system32\GRB3
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\system32\DLL2
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\system32\chks2
2007-09-16 18:32 <DIR> d-------- C:\Temp
2007-09-16 10:33 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-16 10:33 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-16 10:33 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-16 10:33 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-13 12:15 <DIR> d-------- C:\Program Files\Fisher-Price
2007-09-11 17:34 <DIR> d-------- C:\Program Files\iPod
2007-09-03 09:07 <DIR> d-------- C:\Program Files\WildGames
2007-09-02 11:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 15:38 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-26 15:35 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-26 15:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-09-24 21:00 --------- d-------- C:\Program Files\Viewpoint
2007-09-24 21:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-24 15:34 --------- d-------- C:\Program Files\Trend Micro
2007-09-16 20:53 --------- d-a------ C:\Program Files\BearShare Applications
2007-09-13 12:12 --------- d-------- C:\Program Files\The Learning Company
2007-09-11 17:44 --------- d-------- C:\Program Files\Apple Software Update
2007-09-11 17:39 --------- d-------- C:\Program Files\iTunes
2007-09-03 17:30 --------- d-------- C:\Program Files\Nick Jr. Arcade
2007-08-16 16:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-16 09:42 --------- d-------- C:\Program Files\Logitech
2007-08-16 09:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 09:18 --------- d-------- C:\Program Files\Kodak
2007-08-16 09:11 --------- d-------- C:\Program Files\Palm
2007-08-08 13:03 --------- d-------- C:\Program Files\QuickTime
2007-08-08 12:57 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-08 12:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35BF4C1A-FF77-446F-8197-EABDE649C507}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{423E464D-D1E6-4295-B6F2-505FAD6D2F90}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F0DCFAC-B6B2-42D4-976F-00C47E5F006F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83A048DA-C97D-4846-869D-1DCB26115DAE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9B511F6-F437-445B-B500-0BC197506625}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4702B8-123E-4247-B790-E36EDF6E4A26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D16CCFCD-098F-4529-869A-2F31AD33D6D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E560A89B-7721-49E3-8B2A-C1DB6207D97A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9172915-3592-488E-A802-7241D08FEAA6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 13:43]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 09:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 09:24]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 13:48]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"SearchIndexer"="C:\WINDOWS\system32\txwthqou.dll" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\system32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\system32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\system32\drivers\cqcpu.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d367cda-9e60-11db-9e16-0012f0d6aa13}]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
C:\WINDOWS\2k3_USR.EXE
.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 03:18:52 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 18:19:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 18:25:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 18:24
.
--- E O F ---



#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:43 AM

Posted 26 September 2007 - 09:13 PM

Hello and welcome to BC :thumbsup:

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - {35BF4C1A-FF77-446F-8197-EABDE649C507} - (no file)
O2 - BHO: (no name) - {423E464D-D1E6-4295-B6F2-505FAD6D2F90} - (no file)
O2 - BHO: (no name) - {5F0DCFAC-B6B2-42D4-976F-00C47E5F006F} - (no file)
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {83A048DA-C97D-4846-869D-1DCB26115DAE} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {A9B511F6-F437-445B-B500-0BC197506625} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {CE4702B8-123E-4247-B790-E36EDF6E4A26} - (no file)
O2 - BHO: (no name) - {D16CCFCD-098F-4529-869A-2F31AD33D6D5} - (no file)
O2 - BHO: (no name) - {E560A89B-7721-49E3-8B2A-C1DB6207D97A} - (no file)
O2 - BHO: (no name) - {E9172915-3592-488E-A802-7241D08FEAA6} - (no file)
O2 - BHO: (no name) - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\txwthqou.dll",sitypnow
O8 - Extra context menu item: &Search - ?p=ZJxdm128NJUS


Close all browsers/windows other than HijackThis and click on "fix checked".

================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it (starting from File.....):

File::
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\mqvxsyjo.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\nkbshnmh.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\pcfbudrl.dll
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\ufwvyjjh.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\yybeg.bak2
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\tednuxhf.dll
C:\WINDOWS\system32\cnfsbged.dll
C:\WINDOWS\system32\xkmedsjs.dll
C:\WINDOWS\system32\vgvdoiiy.dll
C:\WINDOWS\system32\qnfhwgej.dll

Folder::
C:\WINDOWS\QW5naWUgT2NrZXI
C:\WINDOWS\system32\GRB3
C:\WINDOWS\system32\DLL2
C:\WINDOWS\system32\chks2
C:\VundoFix Backups


Save this as CFScript.txt

[Posted image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log please.

======================================

You don't appear to have an antivirus application running on this system.

Download one of these (free for personal use) anti-virus programs RIGHT NOW, update it and run a full scan. Have it fix anything it finds.

Grisoft AVG from here : http://free.grisoft.com/doc/1
AntiVir Free from here : http://www.free-av.com/
Avast Home Edition from here : http://www.avast.com/eng/down_home.html

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

Edited by amateur, 26 September 2007 - 09:23 PM.
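The reply above ticks a specific set of HijackThis entries and builds a ComboFix script from the "Files Created" listing. The following Python is an added example (not BleepingComputer's, the helper's, or HijackThis/ComboFix code) that encodes the triage rules a reader can recover from the two logs: R3/O2 entries ending in "(no file)" are orphaned hooks/BHOs, an O4 autostart using rundll32 to load an eight-random-letter DLL from system32 is the Vundo-era dropper pattern, an O8 item with no real URL is bogus, and hidden+system ".bakN" files in system32 belong to the same infection. The eight-lowercase-letter heuristic, the O8 URL rule, and the `build_cfscript` helper (which only reproduces the File::/Folder:: layout shown in the post) are assumptions of this example; the sample lines are constructed by copying entries from the logs above.

```python
import re

# Constructed sample: six lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - {35BF4C1A-FF77-446F-8197-EABDE649C507} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\txwthqou.dll",sitypnow
O8 - Extra context menu item: &Search - ?p=ZJxdm128NJUS
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: lines copied from the ComboFix "Files Created" section above.
CF_SAMPLE = r"""
2007-09-26 18:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 17:04 84,032 --a------ C:\WINDOWS\system32\mqvxsyjo.dll
2007-09-26 17:02 2,007,473 ---hs---- C:\WINDOWS\system32\rttss.bak1
2007-09-26 11:43 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-24 17:43 85,568 --a------ C:\WINDOWS\system32\tednuxhf.dll
2007-09-25 12:06 <DIR> d-------- C:\WINDOWS\ERUNT
"""

# Assumed heuristic: Vundo-era droppers named their DLLs with eight random lowercase letters.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll\b", re.IGNORECASE)
# HijackThis line: section code (R0..R3, O1..O24), " - ", then the entry body.
HJT_ENTRY = re.compile(r"^(R\d|O\d+)\s*-\s*(.*)$")
# ComboFix "Files Created" line: timestamp, size or <DIR>, attribute flags, path.
CF_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]+)\s+(.+)$")


def triage_hjt(log_text):
    """Return [(hjt_line, reason)] for entries a helper would tick in HijackThis."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section in ("R3", "O2") and body.endswith("(no file)"):
            findings.append((line, "orphaned hook/BHO: CLSID registered but its DLL is gone"))
        elif section == "O4" and "rundll32.exe" in body.lower() and RANDOM_DLL.search(body):
            findings.append((line, "rundll32 autostart loading a random-named DLL from system32"))
        elif section == "O8" and not re.search(r"\b(https?|res|file)://", body):
            findings.append((line, "context-menu item pointing at no real URL"))
    return findings


def suspicious_created_files(cf_text):
    """Return paths from a ComboFix 'Files Created' listing that fit the dropper pattern."""
    hits = []
    for raw in cf_text.splitlines():
        m = CF_ENTRY.match(raw.strip())
        if not m:
            continue
        size, attrs, path = m.group(2), m.group(3), m.group(4)
        if size == "<DIR>":
            continue
        hidden_system = "h" in attrs and "s" in attrs
        if RANDOM_DLL.search(path):
            hits.append(path)
        elif hidden_system and re.search(r"\.bak\d$", path, re.IGNORECASE):
            # Hidden+system backup copies in system32 are not something Windows creates.
            hits.append(path)
    return hits


def build_cfscript(files, folders):
    """Render the File::/Folder:: text the helper asked to be saved as CFScript.txt."""
    lines = ["File::", *files, "", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line, why in triage_hjt(HJT_SAMPLE):
        print(f"FIX   {why}\n      {line}")
    print(build_cfscript(suspicious_created_files(CF_SAMPLE), [r"C:\VundoFix Backups"]))
```

Running it flags exactly the R3, O2, O4 SearchIndexer and O8 lines, leaves the legitimate HotKeysCmds and iPod Service entries alone, and lists the three system32 files (two random-named DLLs and one hidden+system .bak1) that the helper's File:: section also names. The rules are deliberately narrow: a real triage still compares each path against the vendor-signed files on disk rather than trusting a filename pattern.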


#3 6screaminkids

6screaminkids
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Location:Arizona
  • Local time:01:43 AM

Posted 27 September 2007 - 09:39 AM

Thanks for posting.
I'm realizing that I didn't point out last time that I was running in safe mode. I hope that didn't really mess this up.
I did the CFScript and the HJT - and now it's out of safe mode - and here are the new log files.
I had trend-micro (paid version) on it but because of the conflict with spybot and tea timer - I removed it and put on AVG - I did run it before, and I'm running it again.

Thanks again!
Angie

ComboFix 07-09-21.2 - "Mom Dad" 2007-09-28 7:10:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.39 [GMT -7:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\mqvxsyjo.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\nkbshnmh.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\pcfbudrl.dll
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\ufwvyjjh.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\yybeg.bak2
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\tednuxhf.dll
C:\WINDOWS\system32\cnfsbged.dll
C:\WINDOWS\system32\xkmedsjs.dll
C:\WINDOWS\system32\vgvdoiiy.dll
C:\WINDOWS\system32\qnfhwgej.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\ssqqqnn.dll.bad
C:\WINDOWS\QW5naWUgT2NrZXI
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\chks2
C:\WINDOWS\system32\chks2\MSI17bb.exe
C:\WINDOWS\system32\cnfsbged.dll
C:\WINDOWS\system32\DLL2
C:\WINDOWS\system32\DLL2\MMEMDT83122.exe
C:\WINDOWS\system32\GRB3
C:\WINDOWS\system32\GRB3\rwddr2SD.exe
C:\WINDOWS\system32\mqvxsyjo.dll
C:\WINDOWS\system32\nkbshnmh.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\pcfbudrl.dll
C:\WINDOWS\system32\qnfhwgej.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\tednuxhf.dll
C:\WINDOWS\system32\ufwvyjjh.dll
C:\WINDOWS\system32\vgvdoiiy.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\xkmedsjs.dll
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak2

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-26 18:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 11:43 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-25 12:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-24 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-22 17:01 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-09-22 17:01 <DIR> d-------- C:\Program Files\Diner Dash 2
2007-09-22 16:50 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-20 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-09-16 18:32 <DIR> d-------- C:\Temp
2007-09-16 10:33 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-16 10:33 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-16 10:33 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-16 10:33 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-13 12:15 <DIR> d-------- C:\Program Files\Fisher-Price
2007-09-11 17:34 <DIR> d-------- C:\Program Files\iPod
2007-09-03 09:07 <DIR> d-------- C:\Program Files\WildGames
2007-09-02 11:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 15:38 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-26 15:35 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-26 15:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-09-24 21:00 --------- d-------- C:\Program Files\Viewpoint
2007-09-24 21:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-24 15:34 --------- d-------- C:\Program Files\Trend Micro
2007-09-16 20:53 --------- d-a------ C:\Program Files\BearShare Applications
2007-09-13 12:12 --------- d-------- C:\Program Files\The Learning Company
2007-09-11 17:44 --------- d-------- C:\Program Files\Apple Software Update
2007-09-11 17:39 --------- d-------- C:\Program Files\iTunes
2007-09-03 17:30 --------- d-------- C:\Program Files\Nick Jr. Arcade
2007-08-16 16:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-16 09:42 --------- d-------- C:\Program Files\Logitech
2007-08-16 09:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 09:18 --------- d-------- C:\Program Files\Kodak
2007-08-16 09:11 --------- d-------- C:\Program Files\Palm
2007-08-08 13:03 --------- d-------- C:\Program Files\QuickTime
2007-08-08 12:57 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-08 12:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 13:43]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 09:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 09:24]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 13:48]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\system32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\system32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\system32\drivers\cqcpu.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d367cda-9e60-11db-9e16-0012f0d6aa13}]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
C:\WINDOWS\2k3_USR.EXE
.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 03:18:52 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 07:18:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 7:24:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 07:24
C:\ComboFix2.txt ... 2007-09-26 18:25
.
--- E O F ---

_____________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:45 AM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 4708 bytes


__________________________________________________________

#4 amateur
  • Malware Fighter, Malware Response Team
  • 2,775 posts
  • Gender: Female

Posted 27 September 2007 - 11:25 AM

Hi,

Looks like the logs got mixed up a little. :thumbsup:

Why were you running in Safe Mode? Couldn't you boot into Normal Mode? ComboFix should be run in Normal Mode, but it seems to have worked.

I had trend-micro (paid version) on it but because of the conflict with spybot and tea timer - I removed it and put on AVG - I did run it before, and I'm running it again.



I still cannot see any antivirus running. If you are referring to AVG Anti Spyware, it's not an antivirus application. AVG Anti Spyware and AVG Free are two different applications.

===============================

Go to Start > Control Panel > Add/Remove Programs and, if Kaspersky Online Scanner is present, remove it prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Standard
      • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Or use Firefox with IE-Tab plugin

===================================

Please post back a fresh HijackThis log along with the Kaspersky report.

#5 6screaminkids
  • Topic Starter, Members
  • 9 posts
  • Location: Arizona

Posted 27 September 2007 - 12:02 PM

Hi.
I was running in safe mode because the computer was going Soooo slow otherwise. But I believe after reading a little that it might have been the Trend - Spybot conflict. The PCSCRNSRV would run at 98% usage randomly.
I have it out of safe mode - I'm running Kaspersky now (I'm on my computer now, not the laptop with the issues) and will post what I find.
And I was having a lack-of-sleep moment on the AVG - I do realize it's not an anti-virus and figured I would load my Trend back on once it was all done. Although whatever it was slipped through that anyway. I'm sure that was because my kids downloaded it and invited it on!
Thanks - Angie

#6 amateur
  • Malware Fighter, Malware Response Team
  • 2,775 posts
  • Gender: Female

Posted 27 September 2007 - 12:17 PM

OK. Let's see what Kaspersky will come up with. Please remember to include a fresh HijackThis log too.

#7 6screaminkids
  • Topic Starter, Members
  • 9 posts
  • Location: Arizona

Posted 27 September 2007 - 02:19 PM

OK Here is what I got!

Angie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:37 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 4808 bytes


Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 28, 2007 12:16:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 27/09/2007
Kaspersky Anti-Virus database records: 398434
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84822
Number of viruses found: 3
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 01:44:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0106\values Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\diner dash 2 ( full version with pacth) updated-fixed 03-2007.zip/Setup.exe Infected: P2P-Worm.Win32.SpyBot.gz skipped
C:\Documents and Settings\All Users\Documents\My Music\diner dash 2 ( full version with pacth) updated-fixed 03-2007.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\RV57B9SS\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mom Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mom Dad\Desktop\diner dash 2\Setup.exe Infected: P2P-Worm.Win32.SpyBot.gz skipped
C:\Documents and Settings\Mom Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mom Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mom Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mom Dad\Local Settings\Temporary Internet Files\Content.IE5\2WO5B6S9\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Mom Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mom Dad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mom Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\btmjbpmc.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dqqbiqwy.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\eueoeaok.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\GRB3\rwddr2SD.exe.vir Infected: Trojan-Downloader.Win32.Small.fox skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hjnnglsj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hsacsrad.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\igkejhlw.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ioynhjkw.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\itxhlcho.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jdbyvrjq.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jnujnper.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kdnsbilp.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kpsrbpoj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lqacjkpi.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\msvmgkne.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mvyiwqqu.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nqyxoyef.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oueauoov.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qepeivws.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\soxgjats.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sxqjxlcf.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tgasbosd.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\twardsje.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\txcabduh.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\uryyenlq.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\wlftgbgw.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yfhdsmoq.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yfsbaarc.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-1410023354-3796368951-3135545404-1009\Dc8.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008591.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008592.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008593.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008594.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008595.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008596.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008597.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008598.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008599.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008600.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008601.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008602.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008603.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008604.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008605.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008606.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008607.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008608.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008609.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008610.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008611.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008612.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008613.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008614.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008615.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008616.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008617.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP13\A0008682.exe Infected: Trojan-Downloader.Win32.Small.fox skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP13\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
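A report like the one above lists 62 "infected objects", but most of them need no individual action: the C:\qoobox entries are ComboFix's own quarantine, the System Volume Information\_restore entries are System Restore snapshots, and the "Object is locked" lines are registry hives, event logs and similar files the scanner simply could not open, not detections at all. The script below is an added example, not part of this thread and not a Kaspersky tool: it parses this report format and groups each detection by where the file lives, so the few live files (here the cracked Diner Dash installer and the Setup.exe extracted from it) stand out from the bulk that disappears when the quarantine, restore points, browser cache and Recycle Bin are flushed. The sample lines are constructed from the report above.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example; it is not part of the original thread and not a
Kaspersky tool. It parses the "Infected Object Name / Virus Name /
Last Action" lines of a report like the one posted above and sorts
every detection by where the file lives, because the cleanup step
differs by location: ComboFix's quarantine (C:\\qoobox) and System
Restore points are already inert and are purged as a block, browser
cache and the Recycle Bin are simply emptied, and only what remains
("live") has to be deleted by hand. "Object is locked" lines are open
registry hives, event logs and similar files the scanner could not
read; they are not detections and are dropped.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of the 62 report lines posted in this
# thread, chosen so that every category below appears at least once.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\diner dash 2 ( full version with pacth) updated-fixed 03-2007.zip/Setup.exe Infected: P2P-Worm.Win32.SpyBot.gz skipped
C:\Documents and Settings\All Users\Documents\My Music\diner dash 2 ( full version with pacth) updated-fixed 03-2007.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\RV57B9SS\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Mom Dad\Desktop\diner dash 2\Setup.exe Infected: P2P-Worm.Win32.SpyBot.gz skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\btmjbpmc.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\GRB3\rwddr2SD.exe.vir Infected: Trojan-Downloader.Win32.Small.fox skipped
C:\RECYCLER\S-1-5-21-1410023354-3796368951-3135545404-1009\Dc8.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP12\A0008591.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP13\change.log Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
"""

# One report line: <path> <status> skipped. The path may contain spaces,
# and an archive member is written as <archive>/<member>.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked))"
    r"\s+skipped$"
)


def parse_report(text):
    """Yield (path, malware_name) for each detection line.

    Archive container lines ("ZIP: infected - 1") yield a name of None;
    the member inside the archive is reported on its own line.
    Locked objects and unparseable lines are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if m is None or m.group("locked"):
            continue
        yield m.group("path"), m.group("name")


def on_disk(path):
    """Kaspersky names archive members <archive>/<member>; the file that
    actually exists on disk (and gets deleted) is the archive."""
    return path.split("/", 1)[0]


def classify(path):
    """Where the file lives decides what the cleanup step is."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "quarantine"     # already neutralised by ComboFix; removed with C:\qoobox
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # inert unless restored; cleared by flushing System Restore
    if "\\temporary internet files\\" in p:
        return "browser_cache"  # emptied by deleting Content.IE5
    if "\\recycler\\" in p:
        return "recycle_bin"    # emptied with the Recycle Bin
    return "live"               # still in place: delete by hand


def triage(text):
    """Return ({category: set(paths on disk)}, Counter of malware names)."""
    by_category = defaultdict(set)
    families = Counter()
    for path, name in parse_report(text):
        by_category[classify(path)].add(on_disk(path))
        if name:
            families[name] += 1
    return by_category, families


if __name__ == "__main__":
    cats, fams = triage(SAMPLE_REPORT)
    for cat in ("live", "browser_cache", "recycle_bin", "quarantine", "restore_point"):
        for p in sorted(cats.get(cat, ())):
            print(f"{cat:14} {p}")
    for name, n in fams.most_common():
        print(f"{n:3} x {name}")
```

Run against the full report, the "live" bucket is exactly the two Diner Dash paths the helper asks to delete by hand in the next reply; everything else is covered by removing C:\qoobox and Content.IE5, emptying the Recycle Bin and flushing System Restore.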

#8 amateur
  • Malware Fighter, Malware Response Team
  • 2,775 posts
  • Gender: Female

Posted 27 September 2007 - 03:06 PM

Hi,

There is still no antivirus application installed. Please install either your TrendMicro or one of those I suggested immediately.

Scan with HijackThis and put a checkmark against the following entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all browsers/windows other than HijackThis and click on "fix checked".

=====================================

In your previous posts I've seen the following programs installed:

WildTangent: It is not malware, but it is sometimes thought to bring malware along and is also a major resource hog. Unless you are an extremely avid games player, I recommend you remove it.

Viewpoint: I'll let you decide whether or not you want to keep it. Viewpoint is bundled with AOL, AOL Instant Messenger, Netscape 7, etc., and is sometimes not mentioned in the license agreement.
Viewpoint is also bundled with Adobe Atmosphere, and hardware manufacturers pre-install some of these applications.
Viewpoint Toolbar will redirect your search queries and also transmits non-personally identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. It is not technically considered malware, but it is borderline adware and is often installed without a user's knowledge.
Viewpoint Media Player is installed with AIM, AOL and a number of other products. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
If you are using AOL or AIM, it is needed for their 3D icons known as Super Buddies and for customized themes, etc.

If you want to remove Viewpoint, end the process on ViewManager in Task Manager (Ctrl+Alt+Del). Go to the Start>Control Panel>Add/Remove Programs and remove Viewpoint.

Then delete the Viewpoint folder here, using Windows Explorer (right click on Start, click on Explore) to locate it:
C:\Program Files\Viewpoint

BearShare: In case you didn't pay for it, I strongly recommend you uninstall it -- because the free version is bundled with spyware.

Then delete the BearShare Applications folder here, using Windows Explorer(right click on Start, click on Explore) to locate it:
C:\Program Files\BearShare Applications


=======================================

Please check what's inside this folder and let me know. If it's empty, just delete it, using Windows Explorer (right click on Start, click on Explore) to locate it.
C:\Temp

Also delete the following files and folders:

C:\Documents and Settings\All Users\Documents\My Music\diner dash 2 ( full version with pacth) updated-fixed 03-2007.zip
C:\Documents and Settings\Mom Dad\Desktop\diner dash 2\Setup.exe
C:\Documents and Settings\Mom Dad\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5

C:\qoobox

and empty the Recycle bin.
=======================================


We'll also flush the System Restore, not just yet but in the next post, to prevent you from getting infected from old restore points.

=======================================

Please restart your computer

=======================================

Post a fresh HijackThis log and let me know how all that went and how the system is behaving now. Make sure that you've installed the antivirus application before you post the HijackThis log.
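The helper is reading each "fresh HijackThis log" against the previous one: the empty Local Page entry should be gone after "fix checked", and Trend Micro's services should appear once the antivirus is back on. The script below is an added example, not part of this thread and not a HijackThis feature, that does that comparison mechanically. It parses the R0/R1, O4 and O23 lines of two logs into (section, identifier) pairs and reports entries that were added, removed, or changed in place. A changed entry (same Run key or service name, different command or path) is the one to look at first after a cleanup, because that is how a dropper re-attaches itself to an autostart that was there all along. The two samples are constructed excerpts of the 12:19 PM log above and the 5:31 PM log posted in the next reply.

```python
"""Diff two HijackThis logs the way a helper reads them side by side.

Added example; not part of the original thread and not a HijackThis
feature. Entries are keyed by (section, identifier) so that a Run key
or service whose command or path silently changed shows up as
"changed" rather than as one removal plus one addition.
"""
import re

# "O4 - HKLM\..\Run: [Name] command", "O23 - Service: ...", "R0 - key = value"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")   # "(PcCtlCom)" at the end of a display name

# Constructed excerpt of the 12:19 PM log posted earlier in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Constructed excerpt of the 5:31 PM log posted in the next reply.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
"""


def parse_entry(section, body):
    """Return (identifier, value) for the body of one log line."""
    if section == "O4":
        m = O4_RE.match(body)
        if m:                         # identifier = hive\key [Name], value = command line
            return f"{m.group('key')} [{m.group('name')}]", m.group("cmd")
    elif section == "O23":
        m = O23_RE.match(body)
        if m:                         # identifier = service short name (or display name)
            short = SHORT_NAME_RE.search(m.group("display"))
            ident = short.group(1) if short else m.group("display")
            return ident, f"{m.group('vendor')} - {m.group('path')}"
    if " = " in body:                 # R0/R1 and Global Startup entries
        key, value = body.split(" = ", 1)
        return key, value
    if body.endswith(" ="):           # e.g. "...Main,Local Page =" with an empty value
        return body[:-2], ""
    return body, ""


def parse_hjt(text):
    """Map (section, identifier) -> value for every entry line in a log."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            ident, value = parse_entry(m.group("section"), m.group("body"))
            entries[(m.group("section"), ident)] = value
    return entries


def diff_logs(before, after):
    """Return (added, removed, changed); changed maps key -> (old, new)."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_logs(parse_hjt(BEFORE), parse_hjt(AFTER))
    for label, items in (("+ added", added), ("- removed", removed)):
        for (section, ident), value in sorted(items.items()):
            print(f"{label:10} {section} {ident} = {value}")
    for (section, ident), (old, new) in sorted(changed.items()):
        print(f"! changed  {section} {ident}: {old!r} -> {new!r}")
```

On these two excerpts the diff reports one removal (the empty Local Page entry that "fix checked" cleared) and three additions (the Trend Micro OE monitor Run key and the PcCtlCom and Tmntsrv services), which is exactly the change the helper was looking for before saying an antivirus is now installed.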

#9 6screaminkids
  • Topic Starter, Members
  • 9 posts
  • Location: Arizona

Posted 27 September 2007 - 07:54 PM

OK - I reloaded my anti-virus, but it won't run....not sure why. I did remove spybot also.
This is the latest log... but like I said - I can't get the trend micro to run, it says it's not able to scan.
Thanks so much -- your help is greatly appreciated. I'm sure I would have thrown this laptop out a window by now!
Viewpoint and Wildtangent were NOT in the add/remove programs, but I did delete the folders. And the temp folder was empty and is now gone.
Thanks - Angie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:51 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 5770 bytes

#10 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 27 September 2007 - 08:45 PM

OK - I reloaded my anti-virus, but it won't run....not sure why.


What do you mean by that? In the log, it appears to be running. Does it give any reason why it cannot scan? Did you pay for it, or is it a trial version?

Edited by amateur, 27 September 2007 - 08:54 PM.


#11 6screaminkids
  • Topic Starter

  • Members
  • 9 posts
  • Location:Arizona

Posted 27 September 2007 - 09:44 PM

The application starts - I have an icon on the startup, but when I open the control panel and click on scan now - it tells me "The scan did not succeed. Please consult the Online help system for instructions."
I will get online to see if there are any hints there.
It is legit -- I paid for it -- It expires in Jan or Feb of 2008. It did update, so that's a plus.
I'll see what I can find out online and post. I read that Spybot adds immunizations that Trend considers spyware - so that can cause issues. Is it possible to change that?
-Angie

#12 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 27 September 2007 - 10:02 PM

I'll see what I can find out online and post.


It's a good idea to contact their online help system.

I read that Spybot adds immunizations that Trend considers spyware - so that can cause issues. Is it possible to change that?


I thought you uninstalled spybot anyway. In any case, I don't think it would cause it not to scan.

#13 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 27 September 2007 - 10:16 PM

Please check if the following link helps you. It looks like AVG Anti-Spyware might be interfering, so you have to uninstall it via Add/Remove Programs in Control Panel and also start Trend's service as instructed there:

http://esupport.trendmicro.com/support/vie...ntID=EN-1034493

Edited by amateur, 27 September 2007 - 10:21 PM.


#14 6screaminkids
  • Topic Starter

  • Members
  • 9 posts
  • Location:Arizona

Posted 29 September 2007 - 08:18 PM

Sorry for the delay in posting.
Even after uninstalling -- and re-installing -- I couldn't get it to scan, so I removed Trend and put on AVG Free.

It only found 2 -- in the backups of HijackThis.
Hopefully we are clean!

Here is the new log!
Thanks- Angie
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:25 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5090 bytes

#15 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 29 September 2007 - 08:33 PM

How is the computer running now?
