Yellow Triangle Taskbar, Popups, IE Security Toolbar 7.1 .lnk On Desktop


5 replies to this topic

#1 kevhed0072745


Posted 07 November 2007 - 08:13 PM

Here is my log. Looks like the BHOs and winlogon are causing the problem. Can the experts help me remove them? I think so... :thumbsup:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11, on 2007-11-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HighjackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cboavogh.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [50aed634] rundll32.exe "C:\WINDOWS\system32\ewgliosm.dll",b
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7253 bytes
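Added example (not code from HijackThis, ComboFix or anyone in this thread): a Python triage script that parses HijackThis entries like the ones in the log above and scores them on the patterns this log shows, namely a BHO whose display name is a CLSID, an O4 Run value with a random hex name that loads a DLL through rundll32, and browser extensions loaded from system32 under random-looking lowercase names. The scoring weights, the threshold, the stock-XP Winlogon Notify list and the O20 sample line are assumptions of this example; the other sample lines are copied from the log.

```python
"""Score HijackThis v2 entries for the patterns seen in the log above.

Added example, not code from HijackThis, ComboFix or this thread.  Section
codes (R0, O2, O3, O4, O20) are HijackThis's own; the weights, the threshold
and KNOWN_NOTIFY are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")        # e.g. [50aed634]
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,9}\.dll$")  # e.g. ewgliosm.dll
DLL_PATH_RE = re.compile(r"[a-z]:\\[^\",]*\.dll", re.I)
# Winlogon Notify packages present on a stock Windows XP install (assumed list)
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "seclogon", "sens", "termsrv", "wlballoon"}


@dataclass
class Entry:
    code: str                 # "O4"
    body: str                 # text after "O4 - "
    path: str = ""            # file the entry loads, when one can be found
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    # O2/O3/O9/O20 entries end with " - <path>"; O4 carries a command line
    path = body.rsplit(" - ", 1)[-1] if " - " in body else ""
    return Entry(code, body, path.strip().strip('"'))


def score_entry(e: Entry) -> Entry:
    parts = [p.strip() for p in e.body.split(" - ")]
    _, _, label = parts[0].partition(": ")
    if e.code in ("O2", "O3", "O20"):
        if GUID_RE.match(label):
            e.add(2, "display name is a CLSID instead of a product name")
        elif label == "(no name)":
            e.add(1, "no display name")
        if e.code == "O20" and label.lower() not in KNOWN_NOTIFY:
            e.add(1, "Winlogon Notify package not in the stock XP set")
        if e.code != "O20" and "\\system32\\" in e.path.lower():
            e.add(1, "browser extension loaded from system32")
    elif e.code == "O4":
        m = re.search(r"\[([^\]]+)\] (.*)", e.body)
        if m:
            value_name, cmd = m.group(1), m.group(2)
            if HEX_NAME_RE.match(value_name) and "rundll32" in cmd.lower():
                e.add(2, "hex value name launching a DLL through rundll32")
            dll = DLL_PATH_RE.search(cmd)
            if dll:
                e.path = dll.group(0)
    if "\\system32\\" in e.path.lower() and RANDOM_DLL_RE.match(basename(e.path)):
        e.add(1, "system32 DLL with a random-looking lowercase name")
    return e


def triage(log_text: str, threshold: int = 2) -> List[Entry]:
    """Return entries scoring at or above threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None and score_entry(e).score >= threshold:
            flagged.append(e)
    return flagged


# Lines taken from the log above, plus one constructed O20 line that mirrors
# the Winlogon Notify entry ComboFix reports for byxvspo.dll.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: {fcf15111-8d24-4fda-8684-3cdd786e5381} - {1835e687-ddc3-4868-adf4-42d811151fcf} - C:\WINDOWS\system32\gjhmgike.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvspo.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cboavogh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [50aed634] rundll32.exe "C:\WINDOWS\system32\ewgliosm.dll",b
O20 - Winlogon Notify: byxvspo - C:\WINDOWS\system32\byxvspo.dll
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code} score={e.score} {basename(e.path)}: {'; '.join(e.reasons)}")
```

Legitimate entries from the same log (Yahoo, Spybot, RoboForm, avast!) stay below the threshold, so the output is a review list, not a verdict.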


#2 RichieUK


    Malware Assassin

  • Malware Response Team

Posted 07 November 2007 - 08:50 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, kevhed0072745 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


Now go to:
C:\Program Files\HighjackThis\HiJackThis.exe
Right click on Hijackthis.exe, select 'Rename' and rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), and post that log into your next reply please.

#3 kevhed0072745


Posted 07 November 2007 - 10:44 PM

ComboFix 07-11-08.1 - HP_Owner 2007-11-07 21:06:46.5 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 19:03 <DIR> d-------- C:\Program Files\HighjackThis
2007-11-07 17:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-07 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 14:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 11:55 79,936 --a------ C:\WINDOWS\system32\gjhmgike.dll
2007-11-07 11:49 86,080 --a------ C:\WINDOWS\system32\ewgliosm.dll
2007-11-07 11:43 145,984 --a------ C:\WINDOWS\system32\xeyokckg.dll
2007-11-06 20:42 87,104 --a------ C:\WINDOWS\system32\qlqmwhwo.dll
2007-11-06 20:40 81,472 --a------ C:\WINDOWS\system32\raoyoaxu.dll
2007-11-06 20:39 145,984 --a------ C:\WINDOWS\system32\uwjgrnmf.dll
2007-11-06 20:39 71,232 --a------ C:\WINDOWS\system32\tjiihlvr.exe
2007-11-05 20:32 225,117 --a------ C:\temp\ocli.exe
2007-11-05 20:32 36,352 --a------ C:\WINDOWS\system32\byxvspo.dll
2007-11-05 20:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 12:24 85,568 --a------ C:\WINDOWS\system32\gocqqhke.dll
2007-11-05 12:22 83,008 --a------ C:\WINDOWS\system32\kvellkwl.dll
2007-11-04 19:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-04 12:25 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-04 12:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-04 12:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-04 12:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-04 12:25 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 12:07 164 --a------ C:\install.dat
2007-11-04 11:47 <DIR> d-------- C:\VundoFix Backups
2007-11-04 10:28 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-04 10:28 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-04 10:28 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-04 10:28 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-04 10:28 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-04 10:28 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-04 10:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-04 10:27 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-04 01:48 86,080 --a------ C:\WINDOWS\system32\gbgsuxyv.dll
2007-11-04 01:48 78,912 --a------ C:\WINDOWS\system32\lvtwnbtx.dll
2007-11-04 01:48 2,304 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-03 00:41 87,616 --a------ C:\WINDOWS\system32\ajpmkxyy.dll
2007-11-03 00:41 81,472 --a------ C:\WINDOWS\system32\vvoibtli.dll
2007-11-02 20:04 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 11:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-02 10:15 86,080 --a------ C:\WINDOWS\system32\onfkdqth.dll
2007-11-02 10:12 82,496 --a------ C:\WINDOWS\system32\eijwgxcw.dll
2007-10-30 22:56 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-30 22:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-30 22:49 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-10-30 22:48 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-30 22:48 <DIR> d-------- C:\temp\mZOr
2007-10-30 22:48 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-24 09:47 <DIR> d-------- C:\epson
2007-10-22 16:00 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Aim
2007-10-19 16:11 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-10-19 16:11 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-19 16:06 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2007-10-19 16:02 <DIR> d-------- C:\Program Files\Total Video Converter
2007-10-19 15:55 <DIR> d-------- C:\Program Files\Riva
2007-10-19 15:55 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-17 15:35 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-17 15:27 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-17 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-08 01:03 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-10-08 01:02 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-08 01:00 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 02:55 --------- d-----w C:\Program Files\Java
2007-11-07 21:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2007-11-07 16:43 --------- d-----w C:\Program Files\LogMeIn
2007-11-05 00:08 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Ahead
2007-11-04 16:36 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\proc user
2007-11-04 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave
2007-11-02 18:34 --------- d-----w C:\Program Files\Symantec
2007-11-01 23:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 16:30 --------- d-----w C:\Program Files\emoze
2007-10-19 16:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\emoze
2007-10-17 21:27 --------- d-----w C:\Program Files\Nero
2007-10-14 10:27 --------- d-----w C:\Program Files\Azureus
2007-10-06 20:34 --------- d-----w C:\Program Files\HP
2007-10-06 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-06 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-03 03:38 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-09-28 00:19 --------- d-----w C:\Program Files\Essentials Codec Pack
2007-09-24 23:06 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2007-09-24 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-09-24 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 14:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 14:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-23 21:59 --------- d-----w C:\Program Files\WinTV
2007-09-23 20:14 --------- d-----w C:\Program Files\MTV Networks
2007-09-23 19:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-23 19:33 --------- d-----w C:\Program Files\Xvid
2007-09-22 20:35 --------- d-----w C:\Program Files\Help and Support Additions
2007-09-22 20:29 --------- d-----w C:\Program Files\Easy Internet signup
2007-09-22 20:04 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-09-22 20:03 1,889 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PS563AA-ABA a1010n_YC_0Pavi_QCNH513_E52NAheBLU1_47_IGuppy_SASUSTek Computer INC._V1.03_B3.04_T050126_WXH2_L409_M504_J160_7Intel_8Celeron_92.93_#050714_N10EC8139_Z11C1048C_G80862562.MRK
2007-09-22 17:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 14:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-19 03:31 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2007-09-19 03:26 --------- d-----w C:\Program Files\Common Files\Remote Control Software Shared
2007-09-19 03:25 --------- d-----w C:\Program Files\Logitech
2007-09-19 03:24 118,784 ------r C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
2007-09-18 23:46 --------- d-----w C:\Program Files\3wPlayer
2007-09-18 23:44 --------- d-----w C:\Program Files\proc user
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ----a-w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ----a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ----a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ----a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ----a-w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2005-05-26 19:35 1,422 ----a-w C:\Program Files\ReadMe.txt
2005-11-02 02:57:36 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1835e687-ddc3-4868-adf4-42d811151fcf}]
2007-11-07 11:55 79936 --a------ C:\WINDOWS\system32\gjhmgike.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 20:32 36352 --a------ C:\WINDOWS\system32\byxvspo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 16:59]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"50aed634"="C:\WINDOWS\system32\ewgliosm.dll" [2007-11-07 11:49]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-07 13:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\byxvspo.dll [2007-11-05 20:32 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvspo]
byxvspo.dll 2007-11-05 20:32 36352 C:\WINDOWS\system32\byxvspo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cboavogh]
cboavogh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Button Manager v1.836.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Button Manager v1.836.lnk
backup=C:\WINDOWS\pss\Button Manager v1.836.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=C:\WINDOWS\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
C:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 12:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-08 03:04:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:21:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-07 21:26:28
.
--- E O F ---

And HJT log... (ran as abc.dat)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:45 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HighjackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: {fcf15111-8d24-4fda-8684-3cdd786e5381} - {1835e687-ddc3-4868-adf4-42d811151fcf} - C:\WINDOWS\system32\gjhmgike.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvspo.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [50aed634] rundll32.exe "C:\WINDOWS\system32\ewgliosm.dll",b
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: byxvspo - C:\WINDOWS\SYSTEM32\byxvspo.dll
O20 - Winlogon Notify: cboavogh - cboavogh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8221 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:22 PM

Posted 08 November 2007 - 04:34 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\gjhmgike.dll
C:\WINDOWS\system32\ewgliosm.dll
C:\WINDOWS\system32\xeyokckg.dll
C:\WINDOWS\system32\qlqmwhwo.dll
C:\WINDOWS\system32\raoyoaxu.dll
C:\WINDOWS\system32\uwjgrnmf.dll
C:\WINDOWS\system32\tjiihlvr.exe
C:\temp\ocli.exe
C:\WINDOWS\system32\byxvspo.dll
C:\WINDOWS\system32\gocqqhke.dll
C:\WINDOWS\system32\kvellkwl.dll
C:\WINDOWS\system32\gbgsuxyv.dll
C:\WINDOWS\system32\lvtwnbtx.dll
C:\WINDOWS\system32\ajpmkxyy.dll
C:\WINDOWS\system32\vvoibtli.dll
C:\WINDOWS\system32\onfkdqth.dll
C:\WINDOWS\system32\eijwgxcw.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\Mz02r
C:\temp\mZOr
C:\Program Files\proc user
C:\Documents and Settings\HP_Owner\Application Data\proc user
C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1835e687-ddc3-4868-adf4-42d811151fcf}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"50aed634"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvspo]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cboavogh]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 kevhed0072745

kevhed0072745
  • Topic Starter

  • Members
  • 3 posts
  • Local time:11:22 AM

Posted 08 November 2007 - 10:30 AM

Both logs look good...but you're the expert :thumbsup: Can you recommend a good real time spyware protection? I have ad aware pro as well as windows defender. I also have real time protection with avast.

Here are the logs:

ComboFix 07-11-08.1 - HP_Owner 2007-11-08 9:01:17.6 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\temp\ocli.exe
C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ajpmkxyy.dll
C:\WINDOWS\system32\byxvspo.dll
C:\WINDOWS\system32\eijwgxcw.dll
C:\WINDOWS\system32\ewgliosm.dll
C:\WINDOWS\system32\gbgsuxyv.dll
C:\WINDOWS\system32\gjhmgike.dll
C:\WINDOWS\system32\gocqqhke.dll
C:\WINDOWS\system32\kvellkwl.dll
C:\WINDOWS\system32\lvtwnbtx.dll
C:\WINDOWS\system32\onfkdqth.dll
C:\WINDOWS\system32\qlqmwhwo.dll
C:\WINDOWS\system32\raoyoaxu.dll
C:\WINDOWS\system32\tjiihlvr.exe
C:\WINDOWS\system32\uwjgrnmf.dll
C:\WINDOWS\system32\vvoibtli.dll
C:\WINDOWS\system32\xeyokckg.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave
C:\Documents and Settings\HP_Owner\Application Data\proc user
C:\Program Files\proc user
C:\temp\mZOr
C:\temp\mZOr\tOasF.log
C:\temp\ocli.exe
C:\VundoFix Backups
C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ajpmkxyy.dll
C:\WINDOWS\system32\byxvspo.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\eijwgxcw.dll
C:\WINDOWS\system32\ewgliosm.dll
C:\WINDOWS\system32\gbgsuxyv.dll
C:\WINDOWS\system32\gjhmgike.dll
C:\WINDOWS\system32\gocqqhke.dll
C:\WINDOWS\system32\kvellkwl.dll
C:\WINDOWS\system32\lvtwnbtx.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\onfkdqth.dll
C:\WINDOWS\system32\qlqmwhwo.dll
C:\WINDOWS\system32\raoyoaxu.dll
C:\WINDOWS\system32\tjiihlvr.exe
C:\WINDOWS\system32\uwjgrnmf.dll
C:\WINDOWS\system32\vvoibtli.dll
C:\WINDOWS\system32\xeyokckg.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 19:03 <DIR> d-------- C:\Program Files\HighjackThis
2007-11-07 17:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-07 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 14:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 20:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 19:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-04 12:25 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-04 12:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-04 12:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-04 12:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-04 12:25 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 12:07 164 --a------ C:\install.dat
2007-11-04 10:28 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-04 10:28 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-04 10:28 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-04 10:28 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-04 10:28 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-04 10:28 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-04 10:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-04 10:27 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-04 01:48 2,304 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 20:04 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 11:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-30 22:56 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-30 22:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-24 09:47 <DIR> d-------- C:\epson
2007-10-22 16:00 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Aim
2007-10-19 16:11 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-10-19 16:11 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-19 16:06 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2007-10-19 16:02 <DIR> d-------- C:\Program Files\Total Video Converter
2007-10-19 15:55 <DIR> d-------- C:\Program Files\Riva
2007-10-19 15:55 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-17 15:35 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-17 15:27 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-17 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-08 01:03 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-10-08 01:02 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-08 01:00 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 15:18 --------- d-----w C:\Program Files\LogMeIn
2007-11-08 02:55 --------- d-----w C:\Program Files\Java
2007-11-07 21:00 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2007-11-05 00:08 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Ahead
2007-11-02 18:34 --------- d-----w C:\Program Files\Symantec
2007-11-01 23:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 16:30 --------- d-----w C:\Program Files\emoze
2007-10-19 16:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\emoze
2007-10-17 21:27 --------- d-----w C:\Program Files\Nero
2007-10-14 10:27 --------- d-----w C:\Program Files\Azureus
2007-10-06 20:34 --------- d-----w C:\Program Files\HP
2007-10-06 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-06 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-03 03:38 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-09-28 00:19 --------- d-----w C:\Program Files\Essentials Codec Pack
2007-09-24 23:06 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2007-09-24 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-09-24 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 14:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 14:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-23 21:59 --------- d-----w C:\Program Files\WinTV
2007-09-23 20:14 --------- d-----w C:\Program Files\MTV Networks
2007-09-23 19:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-23 19:33 --------- d-----w C:\Program Files\Xvid
2007-09-22 20:35 --------- d-----w C:\Program Files\Help and Support Additions
2007-09-22 20:29 --------- d-----w C:\Program Files\Easy Internet signup
2007-09-22 20:04 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-09-22 20:03 1,889 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PS563AA-ABA a1010n_YC_0Pavi_QCNH513_E52NAheBLU1_47_IGuppy_SASUSTek Computer INC._V1.03_B3.04_T050126_WXH2_L409_M504_J160_7Intel_8Celeron_92.93_#050714_N10EC8139_Z11C1048C_G80862562.MRK
2007-09-22 17:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-19 03:31 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2007-09-19 03:26 --------- d-----w C:\Program Files\Common Files\Remote Control Software Shared
2007-09-19 03:25 --------- d-----w C:\Program Files\Logitech
2007-09-18 23:46 --------- d-----w C:\Program Files\3wPlayer
2005-05-26 19:35 1,422 ----a-w C:\Program Files\ReadMe.txt
2005-11-02 02:57:36 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 16:59]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-07 13:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Button Manager v1.836.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Button Manager v1.836.lnk
backup=C:\WINDOWS\pss\Button Manager v1.836.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.3.lnk
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=C:\WINDOWS\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
C:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 12:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-08 08:25:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 09:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 9:23:45 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 21:26
.
--- E O F ---


and HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:38 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HighjackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7856 bytes


Thank you for all your help!!

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:22 PM

Posted 08 November 2007 - 10:58 AM

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole system
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Also post a new HijackThis log, and let me know how your pc is running now.
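The fix.reg above rewrites the LSA 'Authentication Packages' value that ComboFix showed with C:\WINDOWS\system32\ddcyx.dll appended after msv1_0. As an added example, not part of RichieUK's post or of any tool named in this thread, the Python below decodes that hex(7) literal, audits a package list taken from the ComboFix 'Reg Loading Points' line against the stock msv1_0 entry, and re-encodes the value for either .reg header format; the only inputs are the values quoted in this thread.

```python
r"""Check and re-encode the LSA 'Authentication Packages' value that fix.reg rewrites.

ComboFix printed the value as   "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyx.dll
and fix.reg restores it with a hex(7) literal, which is how .reg files spell a REG_MULTI_SZ:
a comma-separated byte list of NUL-terminated strings followed by one closing NUL.
In a REGEDIT4 file those bytes are single-byte ANSI; in a 'Windows Registry Editor
Version 5.00' file they are UTF-16LE. Mixing the two writes garbage into an LSA setting.
"""
from typing import List

VALUE_NAME = "Authentication Packages"
LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
# The only package a stock Windows XP install carries in this value.
DEFAULT_PACKAGES = ["msv1_0"]
V5_HEADER = "Windows Registry Editor Version 5.00"


def _encoding_for(header: str) -> str:
    """REGEDIT4 files store hex(7) strings as ANSI, version 5.00 files as UTF-16LE."""
    return "latin-1" if header.strip().upper() == "REGEDIT4" else "utf-16-le"


def decode_hex7(value: str, header: str = "REGEDIT4") -> List[str]:
    """Turn a .reg 'hex(7):..' literal into the list of strings it encodes."""
    body = value.strip()
    if body.lower().startswith("hex(7):"):
        body = body[len("hex(7):"):]
    # Long values wrap with a trailing backslash; drop wrapping and whitespace.
    body = "".join(body.replace("\\", "").split())
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    # Strings are NUL-separated; the list itself ends with an empty string.
    return [s for s in raw.decode(_encoding_for(header)).split("\x00") if s]


def encode_hex7(packages: List[str], header: str = "REGEDIT4") -> str:
    """Inverse of decode_hex7: build the hex(7) literal for a list of strings."""
    enc = _encoding_for(header)
    raw = "".join(p + "\x00" for p in packages).encode(enc) + "\x00".encode(enc)
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def build_fix_reg(packages: List[str], header: str = "REGEDIT4") -> str:
    """Emit a complete .reg file that sets the value to exactly these packages."""
    return f'{header}\n{LSA_KEY}\n"{VALUE_NAME}"={encode_hex7(packages, header)}\n'


def parse_combofix_lsa_line(line: str) -> List[str]:
    """Split the space-separated form ComboFix prints under 'Reg Loading Points'.
    Whitespace is the separator, so a package path containing spaces would be split."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def audit_packages(packages: List[str], expected: List[str] = DEFAULT_PACKAGES) -> List[str]:
    """Return every entry that is not an expected package, e.g. an appended DLL path."""
    allowed = {e.lower() for e in expected}
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    # Constructed from the ComboFix line and the fix.reg value quoted in this thread.
    infected_line = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddcyx.dll'
    found = parse_combofix_lsa_line(infected_line)
    print("unexpected packages:", audit_packages(found))
    print("fix.reg restores:", decode_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
    print(build_fix_reg(DEFAULT_PACKAGES))
```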



