Computer Possibly Infected...slow Running......


12 replies to this topic

#1 DIRTY_JERZ


Posted 03 April 2008 - 11:48 AM

I got on the internet today and my computer was running crazy slow, and also when I got on Yahoo Messenger my text box is blank. Someone help if you can!!
Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:26 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {52837C45-0F7F-AABE-2183-0ABA0DB2EB11} - C:\WINDOWS\system32\haoitjey.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [b8f6e614] rundll32.exe "C:\WINDOWS\system32\lwcqkbon.dll",b
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184971867968
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{724980EB-CA30-4CE4-A395-28E7248AA35D}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: iSecurity.cpl
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10672 bytes

/mod edit - added member's log from misplaced section

Edited by rigel, 03 April 2008 - 02:13 PM.



#2 DIRTY_JERZ


Posted 09 April 2008 - 12:47 PM

Could someone help me please? My Yahoo Messenger text is blank; when I send messages it tells me "not enough storage to complete this operation". It's not my laptop's storage space, 'cause I have over 40 gigs still free on here. Here is my log; if you see anything else wrong, please let me know!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:55 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LG Software Innovations\1Click DVD Copy 5\1ClickDvdCopy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - C:\WINDOWS\system32\xxYOfgdA.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {52837C45-0F7F-AABE-2183-0ABA0DB2EB11} - C:\WINDOWS\system32\haoitjey.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA489] command /c del "C:\WINDOWS\userconfig9x.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6650] cmd /c del "C:\WINDOWS\userconfig9x.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB7005] command /c del "C:\WINDOWS\userconfig9x.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1918] cmd /c del "C:\WINDOWS\userconfig9x.dll"
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184971867968
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{724980EB-CA30-4CE4-A395-28E7248AA35D}: NameServer = 4.2.2.3,4.2.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: iSecurity.cpl,avgrsstx.dll
O20 - Winlogon Notify: xxYOfgdA - xxYOfgdA.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 11846 bytes

#3 little eagle


Posted 12 April 2008 - 08:21 AM

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.
3. Now double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004

#4 DIRTY_JERZ


Posted 13 April 2008 - 07:30 AM

OK, I ran ComboFix. Here is the log:



ComboFix 08-04-11.8 - Sheri 2008-04-13 7:46:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -4:00]
Running from: G:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbc5d588.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\pywehild.ini
C:\WINDOWS\system32\pywehild.ini2
C:\WINDOWS\system32\StwxENnn.ini
C:\WINDOWS\system32\StwxENnn.ini2
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\Web\def.htm

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-09 17:39 . 2008-04-09 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-09 16:28 . 2008-04-09 16:28 538,115 --a------ C:\WINDOWS\h_eJay5.inf
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-09 16:09 . 2000-05-01 23:02 97,280 --a------ C:\WINDOWS\system32\ccrpbds5.dll
2008-04-09 12:56 . 2008-04-09 13:27 <DIR> d-------- C:\Program Files\Trillian
2008-04-08 18:50 . 2008-04-12 11:29 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Program Files\AVG
2008-04-08 18:50 . 2008-04-09 10:11 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\AVGTOOLBAR
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-08 18:50 . 2008-04-08 18:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-08 18:50 . 2008-04-08 19:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-08 18:50 . 2008-04-08 18:50 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-08 18:50 . 2008-04-08 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-08 14:24 . 2008-04-08 14:24 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 13:05 . 2008-04-08 15:54 <DIR> d-------- C:\Documents and Settings\Sheri\.housecall6.6
2008-04-08 09:50 . 2008-04-08 09:50 3,648 --a------ C:\WINDOWS\system32\dxgfcnea.dll
2008-04-08 07:52 . 2008-04-08 07:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 07:52 . 2008-04-08 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 23:34 . 2008-04-08 07:47 474 ---hs---- C:\WINDOWS\system32\ogwgvekb.ini
2008-04-07 23:01 . 2008-04-07 23:02 294 ---hs---- C:\WINDOWS\system32\rdjucvqm.ini
2008-04-07 21:18 . 2008-04-07 23:01 414 ---hs---- C:\WINDOWS\system32\hbpyaqmn.ini
2008-04-04 16:00 . 2008-04-04 16:00 <DIR> d-------- C:\Program Files\Real
2008-04-04 13:17 . 2008-04-04 17:03 <DIR> d-------- C:\WINDOWS\system32\cab
2008-04-02 20:43 . 2008-04-13 07:45 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 10:46 . 2008-04-02 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 07:31 . 2008-04-02 07:31 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Malwarebytes
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- C:\Temp
2008-04-01 13:20 . 2008-04-01 13:20 320 --ahs---- C:\WINDOWS\system32\KSAdffii.ini
2008-04-01 12:20 . 2008-04-01 12:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 12:16 . 2008-04-06 20:10 <DIR> d--hs---- C:\found.000
2008-04-01 11:48 . 2008-04-01 11:48 3,664 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-01 11:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-01 11:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-01 11:46 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-01 11:46 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-01 11:46 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-01 11:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-01 11:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-01 10:24 . 2008-04-01 10:41 320 --ahs---- C:\WINDOWS\system32\xEKQYcfe.ini
2008-04-01 10:20 . 2008-04-01 10:20 98,304 --a------ C:\WINDOWS\system32\haoitjey.dll
2008-04-01 10:20 . 2008-04-01 10:20 98,304 --a------ C:\Documents and Settings\All Users\Application Data\sxezmdgr.dll
2008-04-01 06:55 . 2008-04-01 06:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-01 06:44 . 2008-04-01 06:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-04-01 06:40 . 2008-04-01 06:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-01 06:37 . 2007-07-09 09:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-01 06:32 . 2008-04-01 06:32 <DIR> d-------- C:\Program Files\WheresJames
2008-04-01 06:26 . 2008-04-01 06:39 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-04-01 06:26 . 2008-04-01 06:26 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\URSoft
2008-04-01 06:22 . 2008-04-01 06:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-01 06:17 . 2008-04-03 18:18 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Ahead
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Nero
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-01 06:08 . 2008-04-01 06:08 <DIR> d-------- C:\Program Files\uTorrent
2008-04-01 06:08 . 2008-04-09 12:55 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\uTorrent
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 03:17 --------- d-----w C:\Documents and Settings\Sheri\Application Data\U3
2008-04-12 13:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-10 21:46 --------- d-----w C:\Documents and Settings\Sheri\Application Data\AdobeUM
2008-04-09 21:39 --------- d-----w C:\Program Files\Yahoo!
2008-04-09 17:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-09 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-09 17:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 14:22 --------- d-----w C:\Program Files\Java
2008-04-09 12:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-04-08 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 00:03 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 15:20 --------- d-----w C:\Documents and Settings\Sheri\Application Data\LimeWire
2008-04-03 23:25 --------- d-----w C:\Documents and Settings\Sheri\Application Data\Intuit
2008-04-03 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 23:22 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-03 23:18 --------- d-----w C:\Program Files\TurboTax
2008-04-01 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-01 10:57 --------- d-----w C:\Program Files\Winamp
2007-07-21 16:47 87,608 ----a-w C:\Documents and Settings\Sheri\Application Data\inst.exe
2007-07-21 16:47 47,360 ----a-w C:\Documents and Settings\Sheri\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52837C45-0F7F-AABE-2183-0ABA0DB2EB11}]
2008-04-01 10:20 98304 --a------ C:\WINDOWS\system32\haoitjey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-09 08:20 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
"WheresJames Startup Manager"="C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe" [2008-04-01 06:32 475136]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 22:49 454656]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30 249856]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 11:03 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23 1187840]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 16:26 694272]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 14:39 98304]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-09 08:20 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxYOfgdA]
xxYOfgdA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iSecurity.cpl,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-08 18:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-08 18:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-09 08:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-08 19:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550c7473-373b-11dc-9dda-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03646d0-37a7-11dc-9ddc-0013024594da}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1d96027-36f5-11dc-8475-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd4d77a-3be5-11dc-9de4-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 08:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???8Y??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-13 8:06:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 12:06:13
Pre-Run: 84,280,524,800 bytes free
Post-Run: 84,151,181,312 bytes free
.
2008-04-08 22:41:11 --- E O F ---

#5 little eagle

little eagle

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:29 PM

Posted 13 April 2008 - 09:27 AM

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\ogwgvekb.ini
C:\WINDOWS\system32\rdjucvqm.ini
C:\WINDOWS\system32\hbpyaqmn.ini
C:\WINDOWS\system32\dxgfcnea.dll
C:\WINDOWS\h_eJay5.inf
C:\WINDOWS\system32\xEKQYcfe.ini
C:\WINDOWS\system32\haoitjey.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52837C45-0F7F-AABE-2183-0ABA0DB2EB11}]

Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004
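The fix script in this post comes from reading the Reg Loading Points section of the log above by eye: a BHO and a winlogon notify package with random-looking DLL names, a populated AppInit_DLLs value, Security Center monitoring switched off and the firewall disabled. As an added example, not part of this thread or of ComboFix, the script below applies those same checks to a constructed excerpt of that section; the "eight lower-case letters" file name rule is an assumption drawn from the file names in this particular log, not a ComboFix rule.

```python
import re
from typing import List, Tuple

# Constructed excerpt of a ComboFix "Reg Loading Points" section. The keys,
# file names and values are copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52837C45-0F7F-AABE-2183-0ABA0DB2EB11}]
2008-04-01 10:20 98304 --a------ C:\WINDOWS\system32\haoitjey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-09 08:20 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxYOfgdA]
xxYOfgdA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iSecurity.cpl,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

Finding = Tuple[str, str, str]  # (severity, registry key, detail)

# A resolved file entry: date, time, size, attribute flags, then the path
# (which may contain spaces, so it is captured to the end of the line).
ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")

# Heuristic (an assumption, not a ComboFix rule): eight lower-case letters
# plus .dll/.ini is the pattern most dropped files in this thread's log follow.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|ini)$")


def looks_random(path: str) -> bool:
    """True when the file name part of path matches the heuristic above."""
    return RANDOM_NAME.match(path.rsplit("\\", 1)[-1]) is not None


def parse_sections(log: str) -> List[Tuple[str, List[str]]]:
    """Split the log into (key, value lines): a section starts at a [key]
    header and collects every non-blank line up to the next header."""
    sections: List[Tuple[str, List[str]]] = []
    key, values = None, []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, values))
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        sections.append((key, values))
    return sections


def analyze(log: str) -> List[Finding]:
    """Apply the checks a helper makes by eye on the loading points."""
    findings: List[Finding] = []
    for key, values in parse_sections(log):
        k = key.lower()
        for v in values:
            if "browser helper objects" in k:
                m = ENTRY.match(v)
                path = m.group("path") if m else v
                if "\\system32\\" in path.lower() and looks_random(path):
                    findings.append(("high", key, f"BHO loads random-named DLL {path}"))
            elif "winlogon\\notify\\" in k and not ENTRY.match(v):
                # ComboFix printed only the registry value, without the
                # date/size/path it shows for files it located on disk.
                findings.append(("high", key, f"winlogon notify DLL {v} not resolved to a file"))
            elif k.endswith("currentversion\\windows") and v.lower().startswith('"appinit_dlls"='):
                dlls = v.split("=", 1)[1].strip()
                if dlls:
                    findings.append(("review", key, f"AppInit_DLLs loaded into every user32 process: {dlls}"))
            elif "security center" in k and re.search(r'"(DisableMonitoring|FirewallOverride)"=dword:0*1$', v):
                findings.append(("medium", key, f"Security Center alerting suppressed: {v}"))
            elif "firewallpolicy\\standardprofile" in k and re.match(r'"EnableFirewall"=\s*0\b', v):
                findings.append(("medium", key, "Windows Firewall disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for severity, key, detail in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {detail}\n         {key}")
```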

#6 DIRTY_JERZ

DIRTY_JERZ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new jersey
  • Local time:02:29 PM

Posted 14 April 2008 - 08:52 AM

ok here is the log:


ComboFix 08-04-11.8 - Sheri 2008-04-14 9:39:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Running from: C:\Documents and Settings\Sheri\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sheri\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\h_eJay5.inf
C:\WINDOWS\system32\dxgfcnea.dll
C:\WINDOWS\system32\haoitjey.dll
C:\WINDOWS\system32\hbpyaqmn.ini
C:\WINDOWS\system32\ogwgvekb.ini
C:\WINDOWS\system32\rdjucvqm.ini
C:\WINDOWS\system32\xEKQYcfe.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sheri\Application Data\inst.exe
C:\WINDOWS\h_eJay5.inf
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000025_.tmp.dll
C:\WINDOWS\system32\dxgfcnea.dll
C:\WINDOWS\system32\haoitjey.dll
C:\WINDOWS\system32\hbpyaqmn.ini
C:\WINDOWS\system32\ogwgvekb.ini
C:\WINDOWS\system32\rdjucvqm.ini
C:\WINDOWS\system32\xEKQYcfe.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 17:39 . 2008-04-09 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-09 16:14 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-09 16:09 . 2000-05-01 23:02 97,280 --a------ C:\WINDOWS\system32\ccrpbds5.dll
2008-04-09 12:56 . 2008-04-09 13:27 <DIR> d-------- C:\Program Files\Trillian
2008-04-08 18:50 . 2008-04-14 08:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Program Files\AVG
2008-04-08 18:50 . 2008-04-09 10:11 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\AVGTOOLBAR
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-08 18:50 . 2008-04-08 18:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-08 18:50 . 2008-04-08 19:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-08 18:50 . 2008-04-08 18:50 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-08 18:50 . 2008-04-08 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-08 14:24 . 2008-04-08 14:24 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 13:05 . 2008-04-08 15:54 <DIR> d-------- C:\Documents and Settings\Sheri\.housecall6.6
2008-04-08 07:52 . 2008-04-08 07:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 07:52 . 2008-04-08 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 16:00 . 2008-04-04 16:00 <DIR> d-------- C:\Program Files\Real
2008-04-04 13:17 . 2008-04-04 17:03 <DIR> d-------- C:\WINDOWS\system32\cab
2008-04-02 20:43 . 2008-04-14 09:38 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 10:46 . 2008-04-02 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 07:31 . 2008-04-02 07:31 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Malwarebytes
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- C:\Temp
2008-04-01 13:20 . 2008-04-01 13:20 320 --ahs---- C:\WINDOWS\system32\KSAdffii.ini
2008-04-01 12:20 . 2008-04-01 12:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 12:16 . 2008-04-06 20:10 <DIR> d--hs---- C:\found.000
2008-04-01 11:48 . 2008-04-01 11:48 3,664 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-01 11:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-01 11:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-01 11:46 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-01 11:46 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-01 11:46 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-01 11:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-01 11:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-01 10:20 . 2008-04-01 10:20 98,304 --a------ C:\Documents and Settings\All Users\Application Data\sxezmdgr.dll
2008-04-01 06:55 . 2008-04-01 06:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-01 06:44 . 2008-04-01 06:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-04-01 06:40 . 2008-04-01 06:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-01 06:37 . 2007-07-09 09:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-01 06:32 . 2008-04-01 06:32 <DIR> d-------- C:\Program Files\WheresJames
2008-04-01 06:26 . 2008-04-01 06:39 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-04-01 06:26 . 2008-04-01 06:26 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\URSoft
2008-04-01 06:22 . 2008-04-01 06:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-01 06:17 . 2008-04-03 18:18 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Ahead
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Nero
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-01 06:08 . 2008-04-01 06:08 <DIR> d-------- C:\Program Files\uTorrent
2008-04-01 06:08 . 2008-04-09 12:55 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\uTorrent
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-14 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-04-13 03:17 --------- d-----w C:\Documents and Settings\Sheri\Application Data\U3
2008-04-10 21:46 --------- d-----w C:\Documents and Settings\Sheri\Application Data\AdobeUM
2008-04-09 21:39 --------- d-----w C:\Program Files\Yahoo!
2008-04-09 17:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-09 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-09 17:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 14:22 --------- d-----w C:\Program Files\Java
2008-04-08 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 00:03 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 15:20 --------- d-----w C:\Documents and Settings\Sheri\Application Data\LimeWire
2008-04-03 23:25 --------- d-----w C:\Documents and Settings\Sheri\Application Data\Intuit
2008-04-03 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 23:22 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-03 23:18 --------- d-----w C:\Program Files\TurboTax
2008-04-01 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-01 10:57 --------- d-----w C:\Program Files\Winamp
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-06 03:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2007-07-21 16:47 47,360 ----a-w C:\Documents and Settings\Sheri\Application Data\pcouffin.sys
2005-09-24 16:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-09 08:20 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
"WheresJames Startup Manager"="C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe" [2008-04-01 06:32 475136]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 22:49 454656]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30 249856]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 11:03 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23 1187840]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 16:26 694272]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 14:39 98304]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-09 08:20 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxYOfgdA]
xxYOfgdA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iSecurity.cpl,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-08 18:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-08 18:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-09 08:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-08 19:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550c7473-373b-11dc-9dda-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03646d0-37a7-11dc-9ddc-0013024594da}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1d96027-36f5-11dc-8475-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd4d77a-3be5-11dc-9de4-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 09:43:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???8Y??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 9:44:37
ComboFix-quarantined-files.txt 2008-04-14 13:44:20
ComboFix2.txt 2008-04-13 12:06:24
Pre-Run: 84,408,877,056 bytes free
Post-Run: 84,383,657,984 bytes free
.
2008-04-08 22:41:11 --- E O F ---

#7 little eagle

little eagle

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:29 PM

Posted 14 April 2008 - 10:16 AM

Then post the results log and a new HijackThis log.

Can I see this log please.

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004

#8 DIRTY_JERZ

DIRTY_JERZ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new jersey
  • Local time:02:29 PM

Posted 14 April 2008 - 10:23 AM

Then post the results log and a new HijackThis log.

Can I see this log please.




Here it is :

ComboFix 08-04-11.8 - Sheri 2008-04-14 9:39:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Running from: C:\Documents and Settings\Sheri\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sheri\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\h_eJay5.inf
C:\WINDOWS\system32\dxgfcnea.dll
C:\WINDOWS\system32\haoitjey.dll
C:\WINDOWS\system32\hbpyaqmn.ini
C:\WINDOWS\system32\ogwgvekb.ini
C:\WINDOWS\system32\rdjucvqm.ini
C:\WINDOWS\system32\xEKQYcfe.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sheri\Application Data\inst.exe
C:\WINDOWS\h_eJay5.inf
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000025_.tmp.dll
C:\WINDOWS\system32\dxgfcnea.dll
C:\WINDOWS\system32\haoitjey.dll
C:\WINDOWS\system32\hbpyaqmn.ini
C:\WINDOWS\system32\ogwgvekb.ini
C:\WINDOWS\system32\rdjucvqm.ini
C:\WINDOWS\system32\xEKQYcfe.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 17:39 . 2008-04-09 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-09 16:14 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-09 16:12 . 2008-04-09 16:12 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-09 16:09 . 2000-05-01 23:02 97,280 --a------ C:\WINDOWS\system32\ccrpbds5.dll
2008-04-09 12:56 . 2008-04-09 13:27 <DIR> d-------- C:\Program Files\Trillian
2008-04-08 18:50 . 2008-04-14 08:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Program Files\AVG
2008-04-08 18:50 . 2008-04-09 10:11 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\AVGTOOLBAR
2008-04-08 18:50 . 2008-04-08 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-08 18:50 . 2008-04-08 18:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-08 18:50 . 2008-04-08 19:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-08 18:50 . 2008-04-08 18:50 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-08 18:50 . 2008-04-08 19:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-08 14:24 . 2008-04-08 14:24 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 13:05 . 2008-04-08 15:54 <DIR> d-------- C:\Documents and Settings\Sheri\.housecall6.6
2008-04-08 07:52 . 2008-04-08 07:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 07:52 . 2008-04-08 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 16:00 . 2008-04-04 16:00 <DIR> d-------- C:\Program Files\Real
2008-04-04 13:17 . 2008-04-04 17:03 <DIR> d-------- C:\WINDOWS\system32\cab
2008-04-02 20:43 . 2008-04-14 09:38 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 10:46 . 2008-04-02 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 07:31 . 2008-04-02 07:31 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Malwarebytes
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 07:30 . 2008-04-02 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- C:\Temp
2008-04-01 13:20 . 2008-04-01 13:20 320 --ahs---- C:\WINDOWS\system32\KSAdffii.ini
2008-04-01 12:20 . 2008-04-01 12:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 12:16 . 2008-04-06 20:10 <DIR> d--hs---- C:\found.000
2008-04-01 11:48 . 2008-04-01 11:48 3,664 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-01 11:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-01 11:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-01 11:46 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-01 11:46 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-01 11:46 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-01 11:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-01 11:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-01 10:20 . 2008-04-01 10:20 98,304 --a------ C:\Documents and Settings\All Users\Application Data\sxezmdgr.dll
2008-04-01 06:55 . 2008-04-01 06:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-01 06:44 . 2008-04-01 06:44 <DIR> d-------- C:\Program Files\Xilisoft
2008-04-01 06:40 . 2008-04-01 06:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-01 06:37 . 2007-07-09 09:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-01 06:32 . 2008-04-01 06:32 <DIR> d-------- C:\Program Files\WheresJames
2008-04-01 06:26 . 2008-04-01 06:39 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-04-01 06:26 . 2008-04-01 06:26 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\URSoft
2008-04-01 06:22 . 2008-04-01 06:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-01 06:17 . 2008-04-03 18:18 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Ahead
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Nero
2008-04-01 06:15 . 2008-04-01 06:15 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-01 06:08 . 2008-04-01 06:08 <DIR> d-------- C:\Program Files\uTorrent
2008-04-01 06:08 . 2008-04-09 12:55 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\uTorrent
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\Sheri\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-01 06:02 . 2008-04-01 06:02 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-31 21:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-31 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-31 21:31 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-04-14 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-04-13 03:17 --------- d-----w C:\Documents and Settings\Sheri\Application Data\U3
2008-04-10 21:46 --------- d-----w C:\Documents and Settings\Sheri\Application Data\AdobeUM
2008-04-09 21:39 --------- d-----w C:\Program Files\Yahoo!
2008-04-09 17:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-09 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-09 17:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 14:22 --------- d-----w C:\Program Files\Java
2008-04-08 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 00:03 --------- d-----w C:\Program Files\Common Files\Real
2008-04-06 15:20 --------- d-----w C:\Documents and Settings\Sheri\Application Data\LimeWire
2008-04-03 23:25 --------- d-----w C:\Documents and Settings\Sheri\Application Data\Intuit
2008-04-03 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 23:22 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-03 23:18 --------- d-----w C:\Program Files\TurboTax
2008-04-01 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-01 10:57 --------- d-----w C:\Program Files\Winamp
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-06 03:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2007-07-21 16:47 47,360 ----a-w C:\Documents and Settings\Sheri\Application Data\pcouffin.sys
2005-09-24 16:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-09 08:20 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-09 08:20 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
"WheresJames Startup Manager"="C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe" [2008-04-01 06:32 475136]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 22:49 454656]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30 249856]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 11:03 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23 1187840]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 16:26 694272]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 14:39 98304]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-09 08:20 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxYOfgdA]
xxYOfgdA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iSecurity.cpl,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-08 18:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-08 18:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-09 08:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-08 19:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550c7473-373b-11dc-9dda-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03646d0-37a7-11dc-9ddc-0013024594da}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1d96027-36f5-11dc-8475-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd4d77a-3be5-11dc-9de4-0013024594da}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 09:43:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???8Y??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 9:44:37
ComboFix-quarantined-files.txt 2008-04-14 13:44:20
ComboFix2.txt 2008-04-13 12:06:24
Pre-Run: 84,408,877,056 bytes free
Post-Run: 84,383,657,984 bytes free
.
2008-04-08 22:41:11 --- E O F ---

#9 little eagle

little eagle

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 14 April 2008 - 10:27 AM

A new HijackThis log?

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004

#10 DIRTY_JERZ

DIRTY_JERZ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:new jersey
  • Local time:02:29 PM

Posted 14 April 2008 - 10:33 AM

A new HijackThis log?

Here is the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:00 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
G:\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184971867968
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{724980EB-CA30-4CE4-A395-28E7248AA35D}: NameServer = 4.2.2.3,4.2.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: iSecurity.cpl,avgrsstx.dll
O20 - Winlogon Notify: xxYOfgdA - xxYOfgdA.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9342 bytes

#11 little eagle

little eagle

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 14 April 2008 - 07:51 PM

Close all programs, leaving only HijackThis running. Place a check against each of the following:

O20 - Winlogon Notify: xxYOfgdA - xxYOfgdA.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.



---------------------------------

Run this online scan from ESET

You will need to use Internet Explorer for this scan!
  • First, accept the Terms of Use
  • Click: Start
  • When asked, allow the ActiveX control to install
  • Click: Start
  • Make sure the options:
    Remove found threats, and Scan unwanted applications
    are both checked!
  • Click: Scan

When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004

#12 DIRTY_JERZ

DIRTY_JERZ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:new jersey
  • Local time:02:29 PM

Posted 22 April 2008 - 06:47 AM

Here is the log from the scan I ran from ESET:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3030 (20080416)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=8931d89904727c41bb931ea858331b4a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-16 04:19:54
# local_time=2008-04-16 12:19:54 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1064351
# found=0
# scan_time=8800

#13 little eagle

little eagle

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 22 April 2008 - 10:31 PM

Sorry for the delay, I was on the road.

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

MS-MVP Windows Security 2006, 2007, & 2008
ASAP member since 2004
