
Smitfraud-c.coreservices Infection.


7 replies to this topic

#1 Daimeion

Daimeion

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:04 AM

Posted 04 February 2008 - 07:29 PM

Greetings all,

I'm working on a friend's computer. He's been behind in his OS updates and Spyware protection, and I'm helping him try to get rid of the spyware/malware and viruses he's accumulated because of this. I've gotten rid of most of it, but this new variant of smitfraud won't let go. Can't get rid of core.cache.dsk.

I've followed the processes in the sticky, plus ran VirtumondeBegone, VundoFix, and SmitFraudfix so far.

Here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:17 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {2AF3A7C4-FA11-4D0F-AB90-D3ADAB8C4545} - C:\WINDOWS\System32\hggfe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {877DB9CB-53FD-4164-B3F2-784FD043B7C6} - \
O2 - BHO: {57a62c51-24a6-07f8-05e4-532ebd55bb7a} - {a7bb55db-e235-4e50-8f70-6a4215c26a75} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {C426D206-2102-4740-8711-2154368E8F94} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.1.3.21/hold...m-ob-assets.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/b...trap/iegils.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201883109814
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

--
End of file - 7868 bytes


Thanks for your help in advance.


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 05 February 2008 - 03:31 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Daimeion

Daimeion
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:04 AM

Posted 05 February 2008 - 06:39 PM

Thank you, Charles, for assisting me!

Here's the combofix log:

ComboFix 08-02.05.3 - Ronald Heidrick 2008-02-05 15:27:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: C:\Documents and Settings\Ronald Heidrick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rndismpp.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rndismpp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RNDISMPP
-------\rndismpp


((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 15:13 . 2008-02-04 15:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-04 13:15 . 2008-02-04 13:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-01 14:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-01 14:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-01 14:14 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-01 14:14 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-01 14:14 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-01 14:14 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-01 14:14 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-01 14:14 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-01 14:14 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-01 14:14 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-01 14:14 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-01 14:08 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-01 08:47 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-01 08:30 . 2008-02-01 14:23 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-01 08:16 . 2008-02-04 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 08:16 . 2008-02-01 08:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 18:24 . 2008-02-01 14:16 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-01-31 18:14 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-31 18:13 . 2008-02-01 08:12 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-31 18:07 . 2008-01-31 18:07 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-31 18:07 . 2008-01-31 18:07 <DIR> d-------- C:\WINDOWS\peernet
2008-01-31 17:59 . 2008-01-31 17:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-31 17:45 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-31 17:38 . 2008-01-31 17:38 <DIR> d-------- C:\WINDOWS\EHome
2008-01-31 17:15 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-01-31 17:15 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-01-31 17:15 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-01-31 13:17 . 2008-01-31 13:17 236,836 --a------ C:\cc_20080131_1317.reg
2008-01-31 13:13 . 2008-01-31 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 12:44 . 2008-01-31 12:44 2,550 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-30 16:16 . 2008-01-30 16:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-30 16:16 . 2008-01-30 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 14:39 . 2008-01-30 14:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-30 13:45 . 2008-02-05 08:00 <DIR> d-------- C:\Documents and Settings\Ronald Heidrick\Application Data\AVG7
2008-01-30 13:43 . 2008-01-30 13:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-30 13:43 . 2008-01-30 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 13:43 . 2008-01-31 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-30 08:10 . 2008-01-30 08:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 08:08 . 2008-01-30 08:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-30 08:08 . 2008-01-31 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 11:58 . 2008-01-27 11:58 <DIR> d--hs---- C:\WINDOWS\Um9uYWxkICAgSGVpZHJpY2s
2008-01-27 11:58 . 2008-01-27 11:58 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-27 11:58 . 2008-01-30 16:04 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-27 11:58 . 2008-02-01 17:39 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-27 11:58 . 2008-01-27 11:58 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-27 11:58 . 2008-01-27 20:14 <DIR> d-------- C:\WINDOWS\system32\comg9
2008-01-27 11:58 . 2008-01-27 11:58 <DIR> d-------- C:\Temp\gTiis19
2008-01-27 11:58 . 2008-01-27 11:58 <DIR> d-------- C:\Temp\cXzz9
2008-01-27 11:58 . 2008-02-05 15:27 <DIR> d-------- C:\Temp
2008-01-24 14:16 . 2008-01-24 14:17 8 --a------ C:\WINDOWS\msoffice.ini
2008-01-23 20:05 . 2008-01-23 20:05 <DIR> d-------- C:\Documents and Settings\Sheldon Heidrick\Application Data\funkitron
2008-01-23 20:04 . 2008-01-23 20:04 <DIR> d-------- C:\Program Files\Poker Superstars 3
2008-01-23 20:04 . 2008-01-23 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-01-19 15:18 . 2008-01-19 15:18 6,172 --a------ C:\winqtki.exe
2008-01-15 17:03 . 2008-01-27 11:23 <DIR> d-------- C:\Documents and Settings\Sheldon Heidrick\Application Data\LimeWire
2008-01-15 16:58 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 16:57 . 2008-01-15 16:58 <DIR> d-------- C:\Program Files\Java
2008-01-15 16:54 . 2008-01-15 16:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-15 16:53 . 2008-01-15 16:58 <DIR> d-------- C:\Program Files\LimeWire
2008-01-13 14:32 . 2008-01-13 14:32 <DIR> d---s---- C:\Documents and Settings\Sheldon Heidrick\UserData
2008-01-13 11:06 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-13 11:06 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-13 11:06 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-13 11:06 . 2004-08-03 23:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-01-13 11:06 . 2007-03-08 07:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-01-13 11:06 . 2004-03-29 17:25 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2008-01-13 10:57 . 2004-08-03 23:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-13 10:55 . 2008-01-13 11:07 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-01-13 10:55 . 2008-01-13 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-13 10:55 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-12 21:27 . 2008-01-12 21:28 <DIR> d-------- C:\Program Files\iTunes
2008-01-12 21:23 . 2008-01-12 21:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-12 21:23 . 2008-01-12 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 19:42 . 2008-01-10 19:42 <DIR> d-------- C:\Documents and Settings\Sheldon Heidrick\Application Data\Yahoo!
2008-01-10 18:20 . 2008-01-10 18:20 <DIR> d-------- C:\Documents and Settings\Ronald Heidrick\Application Data\Yahoo!
2008-01-10 18:20 . 2008-01-10 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-10 11:11 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-10 11:11 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-10 11:11 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-10 11:11 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-08 06:50 . 2008-01-08 06:50 <DIR> d-------- C:\Documents and Settings\Sheldon Heidrick\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 23:31 11,513 ----a-w C:\WINDOWS\compaq.reg
2008-01-30 21:15 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-30 21:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-30 21:12 --------- d-----w C:\Program Files\Symantec
2008-01-30 16:02 --------- d-----w C:\Program Files\DashBar
2008-01-24 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-13 22:35 --------- d-----w C:\Documents and Settings\Ronald Heidrick\Application Data\MSN6
2008-01-13 05:27 --------- d-----w C:\Program Files\iPod
2008-01-13 05:25 --------- d-----w C:\Program Files\QuickTime
2008-01-13 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 18:02 --------- d-----w C:\Documents and Settings\Ronald Heidrick\Application Data\HPAppData
2008-01-10 14:27 --------- d-----w C:\Program Files\Yahoo!
2008-01-02 18:55 --------- d-----w C:\Program Files\CompuServe 2000
2008-01-02 18:16 --------- d-----w C:\Documents and Settings\Ronald Heidrick\Application Data\HP
2008-01-02 11:46 --------- d-----w C:\Program Files\Maptech
2007-12-30 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-30 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-30 15:25 --------- d-----w C:\Program Files\HP
2007-12-30 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-12-30 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-12-30 15:22 --------- d-----w C:\Program Files\Common Files\HP
2007-12-30 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-12-30 15:21 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-30 15:21 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-19 12:03 --------- d-----w C:\Documents and Settings\Sheldon Heidrick\Application Data\Template
2007-12-17 17:37 --------- d-----w C:\Documents and Settings\Ronald Heidrick\Application Data\Template
2005-08-03 00:46 187,904 --sha-r C:\WINDOWS\Um9uYWxkICAgSGVpZHJpY2s\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r C:\WINDOWS\Um9uYWxkICAgSGVpZHJpY2s\command.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\Um9uYWxkICAgSGVpZHJpY2s\oA6RsqU4KFE0m3pDtJLDsZP.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AF3A7C4-FA11-4D0F-AB90-D3ADAB8C4545}]
C:\WINDOWS\System32\hggfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{877DB9CB-53FD-4164-B3F2-784FD043B7C6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a7bb55db-e235-4e50-8f70-6a4215c26a75}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-08-15 14:50 131072]
"Smapp"="Smtray.exe" [2001-05-31 19:32 224256 C:\WINDOWS\system32\SMTray.exe]
"WorksFUD"="" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 13:34 36864]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-10 08:32 655360]
"CMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE" [2001-05-07 14:53 40960]
"PCTVOICE"="pctspk.exe" [2001-08-30 15:33 155648 C:\WINDOWS\system32\pctspk.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-07-24 20:55 26112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-30 13:43 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 13:43 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Sheldon Heidrick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-10 10:08:24 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-07-13 12:00 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-07-13 12:00 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXPLoad]


R3 EN1207D;Accton EN1207D/2242A Adapter Driver;C:\WINDOWS\system32\DRIVERS\ACC07D.SYS [2001-07-09 16:57]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-30 15:33]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 16:59:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 23:34:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2002-02-03 15:20:14 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-07-31 01:41:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 15:32:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-05 15:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 23:35:01
.
2008-02-05 23:23:41 --- E O F ---

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 06 February 2008 - 05:22 PM

Sorry, can I have a new HijackThis log too please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 Daimeion

Daimeion
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:04 AM

Posted 06 February 2008 - 06:15 PM

Sure, here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:04 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {2AF3A7C4-FA11-4D0F-AB90-D3ADAB8C4545} - C:\WINDOWS\System32\hggfe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {877DB9CB-53FD-4164-B3F2-784FD043B7C6} - \
O2 - BHO: {57a62c51-24a6-07f8-05e4-532ebd55bb7a} - {a7bb55db-e235-4e50-8f70-6a4215c26a75} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1411071275-4088190255-1608279117-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sheldon Heidrick')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1411071275-4088190255-1608279117-1007 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sheldon Heidrick')
O4 - S-1-5-21-1411071275-4088190255-1608279117-1007 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sheldon Heidrick')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {C426D206-2102-4740-8711-2154368E8F94} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.1.3.21/hold...m-ob-assets.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/b...trap/iegils.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201883109814
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

--
End of file - 8181 bytes

#6 rookie147

  • Members
  • 5,321 posts

Posted 07 February 2008 - 04:46 PM

Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download AVG Anti-Spyware to your Desktop.
Start the set-up program by double clicking the installer.
Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.
Click the Update tab then select Start update; a progress bar will show the updates being installed.
Now press the Scanner icon, and click the Settings tab.
Click Recommended actions, then set it to Quarantine.
Close the programme now; we will scan with it later on.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {2AF3A7C4-FA11-4D0F-AB90-D3ADAB8C4545} - C:\WINDOWS\System32\hggfe.dll (file missing)
O2 - BHO: (no name) - {877DB9CB-53FD-4164-B3F2-784FD043B7C6} - \
O2 - BHO: {57a62c51-24a6-07f8-05e4-532ebd55bb7a} - {a7bb55db-e235-4e50-8f70-6a4215c26a75} - (no file)


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.
Press the Scanner icon.
Then click on the Complete System Scan button.
If any infections are found, you will be asked for an action; select Apply all actions.
Now press the Reports icon at the top.
Choose Save report as and save the text file to your Desktop.
Please post this log in your next reply.

Reboot into Normal Mode again.

Please post the AVG log with a new Combofix log in your reply.

If you are pleased with the service I have offered, you may like to consider making a donation.
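The helper above singled out three O2 entries whose CLSID is still registered but whose DLL is gone ("(file missing)", "(no file)", or a bare backslash). The script below is an added triage example, not code from the thread, HijackThis, or the helper: it parses the O2, O4 and O23 line formats that appear in the posted log and flags the same class of entries, plus two further review prompts (Run-key autoruns with an unqualified executable name, and services listed as "Unknown owner"). The sample lines are copied verbatim from the log in this thread; the regexes and the flagging heuristics are my own, and the flags are prompts for an analyst to verify, not verdicts.

```python
import re
from typing import List, NamedTuple

# Entries copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2AF3A7C4-FA11-4D0F-AB90-D3ADAB8C4545} - C:\WINDOWS\System32\hggfe.dll (file missing)
O2 - BHO: (no name) - {877DB9CB-53FD-4164-B3F2-784FD043B7C6} - \
O2 - BHO: {57a62c51-24a6-07f8-05e4-532ebd55bb7a} - {a7bb55db-e235-4e50-8f70-6a4215c26a75} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


class Finding(NamedTuple):
    section: str     # HijackThis section code, e.g. "O2"
    identifier: str  # CLSID, Run-key label or service name
    reason: str      # why an analyst should look at it


# Line formats as they appear in the log (my own regexes, not HijackThis's grammar).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

MISSING_MARKERS = ("(no file)", "(file missing)")


def bho_is_orphaned(target: str) -> bool:
    """True when a BHO CLSID is registered but no DLL backs it (the three cases in the log)."""
    t = target.strip()
    return t in ("", "\\") or any(t.endswith(m) for m in MISSING_MARKERS)


def exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def path_is_unqualified(exe: str) -> bool:
    """A bare file name has no directory, so Windows resolves it via the search path at logon."""
    return "\\" not in exe and ":" not in exe


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if bho_is_orphaned(m["target"]):
                findings.append(Finding("O2", m["clsid"], "BHO CLSID registered but its DLL is absent"))
        elif m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            if path_is_unqualified(exe):
                findings.append(Finding("O4", m["label"], f"autorun uses unqualified executable {exe!r}"))
        elif m := O23_RE.match(line):
            if m["vendor"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["name"], "service binary has no recorded vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.identifier:<45} {f.reason}")
```

Run against the sample it reports the three orphaned BHOs the helper asked to fix, the `Smapp` autorun (a bare `Smtray.exe` with no path) and the `Pctspk` service; the O3 toolbar, the fully qualified AVG and Windows Defender autoruns and the Apple-owned service pass. Entries that match no pattern (O9, O16, the Startup-folder O4 lines) are simply skipped rather than guessed at.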


#7 Daimeion
  • Topic Starter

  • Members
  • 48 posts

Posted 08 February 2008 - 11:44 AM

Charles,

My friend took his computer back home (he's a bit impatient). I had already removed the 3 BHOs you listed. I have told him to download AVG Anti-Spyware, and told him of this thread if he wants to follow up. Thanks for all your help; the PC seems pretty clean now.

#8 rookie147

  • Members
  • 5,321 posts

Posted 09 February 2008 - 04:45 PM

Okay, let me know how things go :thumbsup:

If you are pleased with the service I have offered, you may like to consider making a donation.
