
Hrrmmm...where Do I Start?


  • This topic is locked
11 replies to this topic

#1 protozero

  • Members
  • 447 posts
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 09 April 2008 - 08:40 PM

Well, I believe it all started today! I'm not going to lie, but I'd like not to get banned either. Downloaded a game ( Yes, torrents, but I won't say anything else), if you're familiar with it. I had an image of the game compressed, was extracting it with winrar and it said about 20 minutes. I went and took a nap and when I came back my computer was in its current state. ( Not happy ) Now I'll try and explain what's wrong.

1, My background's been replaced by some warning asking to click for a PC scan, I don't trust it and I can't change it.

2, It seems I've lost administrator controls. I can't Ctrl+Alt+Delete.....

3, I receive little pop ups from my task bar saying I'm infected.

4, Everything's slow as hell, and even on this webpage I can't see ANY images.

5, I'm not an idiot and I can usually handle stuff, though all my options seem to be screwed. Spybot fixes some crap but others are "still in the use" or something and I can't kill them with Ctrl+Alt+Delete. Even when I had it run before anything was booted up.

6, Safemode doesn't want to work :thumbsup:

7, HiJackThis isn't working either for me...I'll kill the bad crap and it just comes back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:15 PM, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\system32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\Dennis\HiJackThis_v2.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZD5AZ3H2\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {01a33d85-4706-452a-b71a-99510ada8c0c} - C:\WINDOWS\system32\xxyxUlif.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {80d4f522-6a15-4f77-9f00-874a9c2994ea} - C:\WINDOWS\system32\nnnmljjH.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\csrssc.exe
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\PhotoPC 700\Image Expert\IXApplet.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O20 - Winlogon Notify: xxyxulif - C:\WINDOWS\SYSTEM32\xxyxUlif.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8807 bytes


Even I see there's like 30 bad registry lines.

So who's the lucky winner to tackle this puppy with me!? If you need anything else just ask.

Update: I believe I fixed the majority of the crap. Fake task tray pop ups and locked background image trying to lead me to a fake site is gone but I still can't Ctrl+Alt+Del and IE7 is still messed. I use LSP-fix to get rid of the WebHancer crap. Then combination of HjT and Killbox for the wmsdkns.exe that's been the majority of my annoyance! If you want I'll post another log. Sorry for kinda' wasting anyone's time that read this.

Edited by protozero, 09 April 2008 - 10:03 PM.

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
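As an added example (not code from the original post, and not part of HijackThis itself), the script below parses a HijackThis 2.x log and flags the entry patterns that make this log worth worrying about: the extra program appended to UserInit, unnamed and orphaned BHOs, the Run entry launched from a Temp directory, the policy that locks the user out of regedit, the WebHancer LSP hijack, and the service whose image path is an NTFS alternate data stream. The sample lines are quoted from the log above; the section heuristics and the severity labels are my own assumptions.

```python
"""Triage a Trend Micro HijackThis 2.x log for the autostart and hijack
patterns seen in this thread (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines quoted in the thread's HJT log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {01a33d85-4706-452a-b71a-99510ada8c0c} - C:\WINDOWS\system32\xxyxUlif.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by WebHancer
O20 - Winlogon Notify: xxyxulif - C:\WINDOWS\SYSTEM32\xxyxUlif.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


@dataclass
class Finding:
    severity: str  # "high" (act on it) or "review" (verify publisher/file)
    kind: str      # HijackThis section code, e.g. "O23"
    reason: str
    line: str


# Every HJT entry line starts with a section code such as R1, F2, O4, O23.
ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Autostarts living in a per-user temp directory (long or 8.3 form).
TEMP_DIR = re.compile(r"\\(Temp|LOCALS~1|Local Settings)\\", re.IGNORECASE)
# "svchost.exe:ext.exe" is not svchost.exe: the payload sits in an NTFS
# alternate data stream attached to the legitimate file name.
ADS_PATH = re.compile(r"\.exe:[^\\\s]+$", re.IGNORECASE)
LOCKOUT_POLICIES = ("DisableRegedit", "DisableTaskMgr", "DisableRegistryTools")


def check_entry(kind: str, body: str, line: str) -> Optional[Finding]:
    """Apply the per-section heuristics; return a Finding or None."""
    if kind == "F2" and "UserInit=" in body:
        # Windows lists only userinit.exe here; anything after it runs at
        # every logon before the shell starts.
        programs = [p for p in body.split("UserInit=", 1)[1].split(",") if p]
        if len(programs) > 1:
            return Finding("high", kind, f"extra UserInit program(s): {programs[1:]}", line)
    elif kind == "O2":
        if body.endswith("(no file)"):
            return Finding("review", kind, "orphaned BHO registration (no file)", line)
        if "(no name)" in body:
            return Finding("high", kind, "unnamed BHO loaded into the browser", line)
    elif kind == "O4" and TEMP_DIR.search(body):
        return Finding("high", kind, "autorun entry launched from a temp directory", line)
    elif kind == "O7" and any(p in body for p in LOCKOUT_POLICIES):
        return Finding("high", kind, "policy restricts the user's own admin tools", line)
    elif kind == "O10":
        return Finding("high", kind, "Winsock LSP chain hijacked", line)
    elif kind == "O20":
        return Finding("review", kind, "Winlogon Notify DLL runs inside winlogon.exe; verify it", line)
    elif kind == "O23":
        if ADS_PATH.search(body):
            return Finding("high", kind, "service binary hidden in an NTFS alternate data stream", line)
        if "Unknown owner" in body:
            return Finding("review", kind, "service with no identifiable publisher", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the findings for every entry line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if not match:
            continue  # header lines, the process list and blank lines
        finding = check_entry(match["kind"], match["body"], line)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so the triage can be read at a glance."""
    counts = {"high": 0, "review": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:4} {f.reason}\n         {f.line}")
    print(summarize(results))
```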


#2 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 10 April 2008 - 12:53 PM

Update: I believe I fixed the majority of the crap. Fake task tray pop ups and locked background image trying to lead me to a fake site is gone but I still can't Ctrl+Alt+Del and IE7 is still messed. I use LSP-fix to get rid of the WebHancer crap. Then combination of HjT and Killbox for the wmsdkns.exe that's been the majority of my annoyance! If you want I'll post another log. Sorry for kinda' wasting anyone's time that read this.

Hello protozero. :thumbsup:

That update bit sounds good..

Please follow the instructions for running ComboFix here and post back with its log.
Hi there, stranger!

#3 protozero
  • Topic Starter

  • Members
  • 447 posts
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 10 April 2008 - 02:11 PM

Looks like it deleted a bunch of crap I missed. And I think IE7's working now, one of those items that were deleted must've been changing the "display images" box in the settings and it kept changing it back after I would do it manually.
Oh, and here's the Combofix log.

ComboFix 08-04-09.9 - Compaq_Administrator 2008-04-10 14:50:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 28672 bytes in 1 streams.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Administrator\Application Data\.#
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@11F4@D248E0.###
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@11F4@D248F0.###
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@1740@D248E0.###
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@1740@D248F0.###
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@81C@D248E0.###
C:\Documents and Settings\Compaq_Administrator\Application Data\.#\MBX@81C@D248F0.###
C:\WINDOWS\17PHolmes1645.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\dfNoonpo.ini
C:\WINDOWS\system32\dfNoonpo.ini2
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\lop50.sys
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Hjjlmnnn.ini
C:\WINDOWS\system32\Hjjlmnnn.ini2
C:\WINDOWS\system32\khfDwxwv.dll
C:\WINDOWS\system32\pmnmkjHW.dll
C:\WINDOWS\system32\qoMfFxWq.dll
C:\WINDOWS\system32\rqRLdDWm.dll
C:\WINDOWS\system32\tuvTmLfC.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\voiceip.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fci
-------\Legacy_lop50
-------\Service_FCI
-------\Service_lop50


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 07:33 . 2008-04-10 07:33 268 --ah----- C:\sqmdata01.sqm
2008-04-10 07:33 . 2008-04-10 07:33 244 --ah----- C:\sqmnoopt01.sqm
2008-04-10 07:07 . 2008-04-10 07:07 268 --ah----- C:\sqmdata00.sqm
2008-04-10 07:07 . 2008-04-10 07:07 244 --ah----- C:\sqmnoopt00.sqm
2008-04-09 22:29 . 2008-04-09 22:29 <DIR> d-------- C:\Program Files\Unlocker
2008-04-09 22:09 . 2008-04-09 22:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 22:00 . 2008-04-09 22:00 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\ATI
2008-04-09 21:59 . 2005-11-29 05:05 <DIR> d-------- C:\Documents and Settings\Moose(backup)\WINDOWS
2008-04-09 21:59 . 2008-04-10 07:16 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Symantec
2008-04-09 21:59 . 2005-11-29 05:06 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Intuit
2008-04-09 21:59 . 2005-11-29 04:53 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Digital Interactive Systems Corporation
2008-04-09 21:56 . 2008-04-09 21:56 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-09 21:44 . 2008-04-09 21:45 <DIR> d-------- C:\SDFix
2008-04-09 21:09 . 2008-04-09 21:09 270,336 --------- C:\WINDOWS\system32\nnnmljjH.dll_old
2008-04-09 21:00 . 2008-04-09 21:00 <DIR> d-------- C:\Deckard
2008-04-09 17:48 . 2008-04-09 17:48 29 --a------ C:\WINDOWS\system32\ftwgigst.tmp
2008-04-09 17:47 . 2008-04-09 17:47 58,880 --a------ C:\njhxmjb.exe
2008-04-09 17:47 . 2008-04-09 17:47 55,218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-09 17:47 . 2008-04-09 17:47 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-09 17:47 . 2008-04-09 17:47 6,656 --a------ C:\vhyp.exe
2008-04-09 17:27 . 2008-04-09 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-09 17:25 . 2008-04-09 17:47 705 --a------ C:\d1.exe
2008-04-09 17:25 . 2008-04-09 17:47 2 --a------ C:\747418724
2008-04-07 18:52 . 2008-04-09 20:14 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 18:52 . 2008-04-07 18:52 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-06 03:05 . 2008-04-06 03:05 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-06 03:05 . 2003-07-17 14:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-06 03:05 . 2005-01-01 05:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-06 03:04 . 2008-04-06 03:06 <DIR> d--h----- C:\Documents and Settings\Compaq_Administrator\Application Data\ijjigame
2008-04-06 03:03 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-04-06 03:02 . 2008-01-16 18:25 679,936 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-04-06 02:56 . 2008-04-06 02:56 <DIR> d-------- C:\ijji
2008-04-04 21:54 . 2008-04-09 22:07 <DIR> d-------- C:\Program Files\SpeedFan
2008-04-04 21:54 . 2008-04-04 21:54 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-04 17:11 . 2008-04-04 17:11 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\.AMD Power Monitor Settings
2008-04-04 17:11 . 2007-06-29 14:47 34,304 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-01 13:28 . 2008-04-01 13:28 <DIR> d-------- C:\ppmaterecord
2008-03-31 20:13 . 2008-04-06 03:06 32 --a------ C:\WINDOWS\GunzLauncher.INI
2008-03-31 20:09 . 2008-03-31 20:09 <DIR> d-------- C:\Program Files\MAIET
2008-03-30 18:11 . 2008-04-07 06:45 <DIR> d-------- C:\Program Files\Winamp Remote
2008-03-30 18:11 . 2008-03-30 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-03-30 18:10 . 2008-03-30 18:11 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 18:10 . 2008-03-30 18:25 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Winamp
2008-03-29 17:32 . 2008-04-08 23:01 <DIR> d-------- C:\Program Files\DOSBox-0.72
2008-03-26 01:42 . 2008-03-26 01:42 <DIR> d-------- C:\Program Files\Valve
2008-03-25 16:28 . 1999-12-17 08:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-25 16:26 . 2008-03-25 16:33 <DIR> d-------- C:\Program Files\Postal2STP
2008-03-11 08:44 . 2008-03-11 08:44 2,296 --a------ C:\WINDOWS\ATICIM.INI
2008-03-11 08:36 . 2008-03-11 08:36 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 18:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 17:38 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Xfire
2008-04-10 16:48 --------- d-----w C:\Program Files\Graal
2008-04-10 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 05:18 --------- d-----w C:\Program Files\Xfire
2008-04-10 05:18 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
2008-04-09 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 23:46 --------- d-----w C:\Program Files\Steam
2008-04-07 22:55 --------- d-----w C:\Program Files\Windows Live
2008-04-07 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-07 00:13 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-04-06 07:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 21:11 --------- d-----w C:\Program Files\AMD
2008-04-04 21:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 18:41 --------- d-----w C:\Program Files\EA SPORTS
2008-03-11 02:44 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Hamachi
2008-03-11 01:15 17,480 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-03-07 20:49 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\InstallShield
2008-03-07 07:55 --------- d-----w C:\Program Files\Microsoft Games
2008-03-07 07:55 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft Games
2008-03-07 05:03 --------- d-----w C:\Program Files\SEGA
2008-03-06 23:34 --------- d-----w C:\Program Files\WinUHA
2008-03-06 20:51 --------- d-----w C:\Program Files\Azureus
2008-03-02 17:51 --------- d-----w C:\Program Files\MicroProse
2008-02-20 12:24 --------- d-----w C:\Program Files\LimeWire
2008-02-11 17:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 04:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-10 20:20 --------- d-----w C:\Program Files\TVAnts
2008-02-10 19:42 --------- d-----w C:\Program Files\FDRLab
2008-02-10 19:42 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\FDRLab
2008-02-10 13:32 --------- d-----w C:\Program Files\SopCast
2008-02-10 13:31 --------- d-----w C:\Program Files\PPMate
2008-02-10 13:30 --------- d-----w C:\Program Files\Common Files\Synacast
2008-02-10 13:30 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\PPMate
2008-02-10 13:29 --------- d-----w C:\Program Files\TVUPlayer
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\TVU networks
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-09 07:33 691,545 ----a-w C:\WINDOWS\unins001.exe
2007-12-01 19:01 22,328 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
2008-04-09 17:47 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 08:06 167368]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-03-24 22:59 507904]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Jnskdfmf9eldfd"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\csrssc.exe" [2008-04-10 14:59 15505]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 17:03 49768]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2002-10-31 09:14 327680]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-25 14:40 155648]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 13:41 1605740]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CHotkey"="mHotkey.exe" [2004-10-20 16:59 550912 C:\WINDOWS\mHotkey.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 02:35 36352]
"AMD_Display"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [2008-04-09 17:47 10000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-08-09 11:32 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxulif]
xxyxUlif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINDOWS\pss\NetAssistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 03:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 16:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2007-07-12 03:15 913064 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 13:41 1605740 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-07-25 14:02 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2005-03-29 20:03 22656 c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_ds.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 15:15]
S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\Drivers\ezwinit.sys [2005-06-06 10:18]
S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\Drivers\ezwriter.sys [2006-01-12 16:09]
S3 ATICDSDr;ATICDSDr;C:\ATI\SUPPORT\7-11_X~1\Driver\bin\atiicdxx.sys [2007-11-16 23:58]
S3 EraserUtilDrv10733;EraserUtilDrv10733;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 18:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-05 01:02:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-04-10 18:25:20 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CFCBCDAB-4C78-4ED0-903B-FC75251E7D23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-07-25 17:35:07 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe>c:\\windows\\system32\\pcintro\\reminder\\Warranty\months.ba
- c:\hp\bin
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 14:58:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FCI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:ext.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FCI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:ext.exe"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\lop50]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
-> C:\WINDOWS\system32\jfiehayd.dll
.
Completion time: 2008-04-10 15:03:30
ComboFix-quarantined-files.txt 2008-04-10 19:03:08
Pre-Run: 65,599,926,272 bytes free
Post-Run: 65,605,083,136 bytes free
.
2008-04-09 07:05:09 --- E O F ---
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 10 April 2008 - 02:27 PM

Open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\system32\nnnmljjH.dll_old
C:\WINDOWS\system32\ftwgigst.tmp
C:\njhxmjb.exe
C:\WINDOWS\zeqbqwp.sys
C:\WINDOWS\system32\jfiehayd.dll
C:\vhyp.exe
C:\d1.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxulif]


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SDFix and save it to your desktop.
  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a fresh HijackThis log. :thumbsup:
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Hi there, stranger!

#5 protozero

protozero
  • Topic Starter

  • Members
  • 447 posts
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 10 April 2008 - 03:11 PM

Okay, attempted it your way. Did ComboFix with the Notepad list and it still stalled for 5 minutes saying it was rebooting, until I got fed up and pulled the plug. It seemed to work, as ComboFix booted up on reboot and gave me another log. Safe mode does not work; when I select safe mode, like I tried way before, it just gives me a long list of drivers and stalls. I used SDFix, installed it and it seemed to work, but there's no GUI to tell me anything.

Here's the newest Combofix scan.

ComboFix 08-04-09.9 - Compaq_Administrator 2008-04-10 15:42:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\Dennis\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\d1.exe
C:\njhxmjb.exe
C:\vhyp.exe
C:\WINDOWS\system32\ftwgigst.tmp
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\nnnmljjH.dll_old
C:\WINDOWS\zeqbqwp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d1.exe
C:\njhxmjb.exe
C:\vhyp.exe
C:\WINDOWS\system32\ftwgigst.tmp
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\nnnmljjH.dll_old
C:\WINDOWS\zeqbqwp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\zeqbqwp


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 07:33 . 2008-04-10 07:33 268 --ah----- C:\sqmdata01.sqm
2008-04-10 07:33 . 2008-04-10 07:33 244 --ah----- C:\sqmnoopt01.sqm
2008-04-10 07:07 . 2008-04-10 07:07 268 --ah----- C:\sqmdata00.sqm
2008-04-10 07:07 . 2008-04-10 07:07 244 --ah----- C:\sqmnoopt00.sqm
2008-04-09 22:29 . 2008-04-09 22:29 <DIR> d-------- C:\Program Files\Unlocker
2008-04-09 22:09 . 2008-04-09 22:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 22:00 . 2008-04-09 22:00 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\ATI
2008-04-09 21:59 . 2005-11-29 05:05 <DIR> d-------- C:\Documents and Settings\Moose(backup)\WINDOWS
2008-04-09 21:59 . 2008-04-10 07:16 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Symantec
2008-04-09 21:59 . 2005-11-29 05:06 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Intuit
2008-04-09 21:59 . 2005-11-29 04:53 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Digital Interactive Systems Corporation
2008-04-09 21:56 . 2008-04-09 21:56 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-09 21:44 . 2008-04-09 21:45 <DIR> d-------- C:\SDFix
2008-04-09 21:00 . 2008-04-09 21:00 <DIR> d-------- C:\Deckard
2008-04-09 17:27 . 2008-04-09 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-09 17:25 . 2008-04-09 17:47 2 --a------ C:\747418724
2008-04-07 18:52 . 2008-04-09 20:14 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 18:52 . 2008-04-07 18:52 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-06 03:05 . 2008-04-06 03:05 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-06 03:05 . 2003-07-17 14:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-06 03:05 . 2005-01-01 05:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-06 03:04 . 2008-04-06 03:06 <DIR> d--h----- C:\Documents and Settings\Compaq_Administrator\Application Data\ijjigame
2008-04-06 03:03 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-04-06 03:02 . 2008-01-16 18:25 679,936 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-04-06 02:56 . 2008-04-06 02:56 <DIR> d-------- C:\ijji
2008-04-04 21:54 . 2008-04-09 22:07 <DIR> d-------- C:\Program Files\SpeedFan
2008-04-04 21:54 . 2008-04-04 21:54 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-04 17:11 . 2008-04-04 17:11 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\.AMD Power Monitor Settings
2008-04-04 17:11 . 2007-06-29 14:47 34,304 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-01 13:28 . 2008-04-01 13:28 <DIR> d-------- C:\ppmaterecord
2008-03-31 20:13 . 2008-04-06 03:06 32 --a------ C:\WINDOWS\GunzLauncher.INI
2008-03-31 20:09 . 2008-03-31 20:09 <DIR> d-------- C:\Program Files\MAIET
2008-03-30 18:11 . 2008-04-07 06:45 <DIR> d-------- C:\Program Files\Winamp Remote
2008-03-30 18:11 . 2008-03-30 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-03-30 18:10 . 2008-03-30 18:11 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 18:10 . 2008-03-30 18:25 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Winamp
2008-03-29 17:32 . 2008-04-08 23:01 <DIR> d-------- C:\Program Files\DOSBox-0.72
2008-03-26 01:42 . 2008-03-26 01:42 <DIR> d-------- C:\Program Files\Valve
2008-03-25 16:28 . 1999-12-17 08:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-25 16:26 . 2008-03-25 16:33 <DIR> d-------- C:\Program Files\Postal2STP
2008-03-11 08:44 . 2008-03-11 08:44 2,296 --a------ C:\WINDOWS\ATICIM.INI
2008-03-11 08:36 . 2008-03-11 08:36 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 18:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 17:38 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Xfire
2008-04-10 16:48 --------- d-----w C:\Program Files\Graal
2008-04-10 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 05:18 --------- d-----w C:\Program Files\Xfire
2008-04-10 05:18 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
2008-04-09 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 23:46 --------- d-----w C:\Program Files\Steam
2008-04-07 22:55 --------- d-----w C:\Program Files\Windows Live
2008-04-07 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-07 00:13 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-04-06 07:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 21:11 --------- d-----w C:\Program Files\AMD
2008-04-04 21:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 18:41 --------- d-----w C:\Program Files\EA SPORTS
2008-03-11 02:44 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Hamachi
2008-03-11 01:15 17,480 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-03-07 20:49 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\InstallShield
2008-03-07 07:55 --------- d-----w C:\Program Files\Microsoft Games
2008-03-07 07:55 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft Games
2008-03-07 05:03 --------- d-----w C:\Program Files\SEGA
2008-03-06 23:34 --------- d-----w C:\Program Files\WinUHA
2008-03-06 20:51 --------- d-----w C:\Program Files\Azureus
2008-03-02 17:51 --------- d-----w C:\Program Files\MicroProse
2008-02-20 12:24 --------- d-----w C:\Program Files\LimeWire
2008-02-11 17:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 04:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-10 20:20 --------- d-----w C:\Program Files\TVAnts
2008-02-10 19:42 --------- d-----w C:\Program Files\FDRLab
2008-02-10 19:42 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\FDRLab
2008-02-10 13:32 --------- d-----w C:\Program Files\SopCast
2008-02-10 13:31 --------- d-----w C:\Program Files\PPMate
2008-02-10 13:30 --------- d-----w C:\Program Files\Common Files\Synacast
2008-02-10 13:30 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\PPMate
2008-02-10 13:29 --------- d-----w C:\Program Files\TVUPlayer
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\TVU networks
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-09 07:33 691,545 ----a-w C:\WINDOWS\unins001.exe
2007-12-01 19:01 22,328 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-10_15.02.45.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 18:57:38 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-10 19:49:02 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 08:06 167368]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-03-24 22:59 507904]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 17:03 49768]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2002-10-31 09:14 327680]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-25 14:40 155648]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 13:41 1605740]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CHotkey"="mHotkey.exe" [2004-10-20 16:59 550912 C:\WINDOWS\mHotkey.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 02:35 36352]
"AMD_Display"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-08-09 11:32 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINDOWS\pss\NetAssistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 03:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 16:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2007-07-12 03:15 913064 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 13:41 1605740 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-07-25 14:02 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2005-03-29 20:03 22656 c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_ds.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 15:15]
S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\Drivers\ezwinit.sys [2005-06-06 10:18]
S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\Drivers\ezwriter.sys [2006-01-12 16:09]
S3 ATICDSDr;ATICDSDr;C:\ATI\SUPPORT\7-11_X~1\Driver\bin\atiicdxx.sys [2007-11-16 23:58]
S3 EraserUtilDrv10733;EraserUtilDrv10733;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 19:11:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-05 01:02:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-04-10 18:25:20 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CFCBCDAB-4C78-4ED0-903B-FC75251E7D23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-07-25 17:35:07 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe>c:\\windows\\system32\\pcintro\\reminder\\Warranty\months.ba
- c:\hp\bin
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 15:49:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\zeqbqwp]
"ImagePath"="\??\C:\WINDOWS\zeqbqwp.sys"
.
Completion time: 2008-04-10 15:54:32
ComboFix-quarantined-files.txt 2008-04-10 19:54:26
ComboFix2.txt 2008-04-10 19:03:31
Pre-Run: 65,570,791,424 bytes free
Post-Run: 65,568,993,280 bytes free
.
2008-04-09 07:05:09 --- E O F ---


And here's my HJT log just in case. I can't see anything wrong with it anymore, and my computer seems to be fine, nothing's not working.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:26 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\PhotoPC 700\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\PhotoPC 700\Image Expert\IXApplet.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7231 bytes
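The two ComboFix logs in this thread carry several indicators that a helper reads off by eye: the Security Center keys with AntiVirusDisableNotify and DisableMonitoring set to 1, the firewall policy with EnableFirewall=0, the FCI service whose ImagePath points into an NTFS alternate data stream of svchost.exe (svchost.exe:ext.exe), the zeqbqwp.sys driver sitting in the Windows root rather than system32\drivers, executables dropped straight into C:\, and jfiehayd.dll loaded into explorer.exe from system32. The script below is an added example, not part of the thread, of ComboFix or of the helper's instructions; it walks a log in ComboFix's text format and flags those patterns. SAMPLE_LOG is a constructed excerpt modelled on the logs posted above, not a verbatim copy, and the category names and heuristics are this example's own choices, not anything ComboFix reports.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the logs in the thread; not a verbatim copy.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FCI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:ext.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\zeqbqwp]
"ImagePath"="\??\C:\WINDOWS\zeqbqwp.sys"

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
-> C:\WINDOWS\system32\jfiehayd.dll

C:\d1.exe
C:\njhxmjb.exe
C:\Program Files\Steam\Steam.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "Name"=value
Finding = Tuple[str, str]                           # (category, detail)


def normalize_path(value: str) -> str:
    """Strip quotes and the NT object-manager prefix (\\??\\) from a registry path value."""
    path = value.strip().strip('"')
    return path[4:] if path.startswith("\\??\\") else path


def is_ads(path: str) -> bool:
    """True when the file name component carries an NTFS alternate data stream (file:stream)."""
    return "\\" in path and ":" in path.rsplit("\\", 1)[-1]


def check_path(path: str) -> List[Finding]:
    """Flag binaries in locations a legitimate installer rarely uses (heuristic, this example's own)."""
    m = re.match(r"^[A-Za-z]:\\(.*)$", path)
    if not m:
        return []
    parts = m.group(1).split("\\")
    name = parts[-1]
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    parent = "\\".join(parts[:-1]).lower()
    out: List[Finding] = []
    if ext in ("exe", "dll", "sys") and parent == "":
        out.append(("root-binary", f"executable in drive root: {path}"))
    if ext == "sys" and parent == "windows":
        out.append(("driver-location", f"driver in the Windows root, not system32\\drivers: {path}"))
    return out


def check_value(key: str, name: str, value: str) -> List[Finding]:
    """Inspect one "Name"=value line in the context of the registry key it sits under."""
    out: List[Finding] = []
    k, n, v = key.lower(), name.lower(), value.strip().lower()
    leaf = key.rsplit("\\", 1)[-1]                  # last key component: product, profile or service name
    if "security center" in k and v == "dword:00000001":
        if n.endswith("disablenotify"):
            out.append(("security-center", f"{name} set: Security Center will not warn the user"))
        elif n == "disablemonitoring":
            out.append(("security-center", f"Security Center monitoring of {leaf} disabled"))
    if "firewallpolicy" in k and n == "enablefirewall" and v.startswith("0"):
        out.append(("firewall", f"Windows Firewall disabled in the {leaf} profile"))
    if n == "imagepath":
        path = normalize_path(value)
        if is_ads(path):
            out.append(("ads", f"service {leaf} runs from an alternate data stream: {path}"))
        out.extend(check_path(path))
    return out


def check_loaded_dll(process: str, dll: str) -> List[Finding]:
    """A DLL under system32 listed as loaded into the shell deserves a publisher check."""
    parent = dll.rsplit("\\", 1)[0].lower() if "\\" in dll else ""
    if parent.endswith("\\system32"):
        return [("injected-dll", f"{process} loads {dll} from system32; verify the publisher")]
    return []


def triage(log: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key and PROCESS: context."""
    findings: List[Finding] = []
    key = process = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.upper().startswith("PROCESS:"):
            process = line.split(":", 1)[1].strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.extend(check_value(key, m.group(1), m.group(2)))
        elif line.startswith("->") and process:
            findings.extend(check_loaded_dll(process, line[2:].strip()))
        elif re.match(r"^[A-Za-z]:\\", line):        # bare path line (FILE ::, Other Deletions)
            findings.extend(check_path(line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category:16}] {detail}")
```

Run against a real ComboFix.txt by passing the file contents to triage(). The checks are deliberately conservative: a DLL in system32 or a file in C:\ is reported for review, not declared malicious, because OEM images (HP's KHALMNPR.Exe and mHotkey.exe in the Windows root, for instance) put legitimate binaries in odd places too; the alternate-data-stream ImagePath and the Security Center and firewall policy values are the entries that have no benign explanation on a home machine.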

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 10 April 2008 - 03:26 PM

As far as I'm concerned....

And here's my HJT log just in case. I can't see anything wrong with it anymore, and my computer seems to be fine, nothing's not working.


... Safe mode does not work; when I select safe mode, like I tried way before, it just gives me a long list of drivers and stalls. I used SDFix, installed it and it seemed to work, but there's no GUI to tell me anything.

That's a problem.

Let's try to get this sorted. :thumbsup:

Please download AVZ4 and save it to your desktop.
  • Unzip the file and place it on your desktop.
  • Open the avz4 folder and double-click avz.exe to start the tool.
  • On top in the menu, click File, System Recovery and select Restore Safeboot Reg keys (Choice #10).
  • Click the "Execute selected Operations" button below.
  • Close avz.exe.
  • Delete AVZ4.ZIP, and the AVZ4 folder.
After you have done this....

Open notepad again and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\zeqbqwp.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\zeqbqwp]


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#7 protozero

protozero
  • Topic Starter

  • Members
  • 447 posts
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 10 April 2008 - 03:39 PM

Why, there's something wrong with my log? It looks fine to me!? I'm downloading the file right now. The link you gave is pretty slow, but it's not a big file. And if ComboFix stalls again I'll get angry! Not really, but don't tell me to do it again. Last time I didn't even touch it once the window popped up, until it stalled at the point where it said it was going to reboot!

Update:

Alright, it worked that time, I don't think it rebooted though? Just ran and made a logfile, here it is.



ComboFix 08-04-09.9 - Compaq_Administrator 2008-04-10 16:44:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\zeqbqwp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Administrator\Application Data\.#

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 15:56 . 2008-04-10 15:56 268 --ah----- C:\sqmdata02.sqm
2008-04-10 15:56 . 2008-04-10 15:56 244 --ah----- C:\sqmnoopt02.sqm
2008-04-10 07:33 . 2008-04-10 07:33 268 --ah----- C:\sqmdata01.sqm
2008-04-10 07:33 . 2008-04-10 07:33 244 --ah----- C:\sqmnoopt01.sqm
2008-04-10 07:07 . 2008-04-10 07:07 268 --ah----- C:\sqmdata00.sqm
2008-04-10 07:07 . 2008-04-10 07:07 244 --ah----- C:\sqmnoopt00.sqm
2008-04-09 22:29 . 2008-04-09 22:29 <DIR> d-------- C:\Program Files\Unlocker
2008-04-09 22:09 . 2008-04-09 22:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 22:00 . 2008-04-09 22:00 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\ATI
2008-04-09 21:59 . 2005-11-29 05:05 <DIR> d-------- C:\Documents and Settings\Moose(backup)\WINDOWS
2008-04-09 21:59 . 2008-04-10 07:16 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Symantec
2008-04-09 21:59 . 2005-11-29 05:06 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Intuit
2008-04-09 21:59 . 2005-11-29 04:53 <DIR> d-------- C:\Documents and Settings\Moose(backup)\Application Data\Digital Interactive Systems Corporation
2008-04-09 21:56 . 2008-04-09 21:56 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-09 21:44 . 2008-04-09 10:46 <DIR> d-------- C:\SDFix
2008-04-09 21:00 . 2008-04-09 21:00 <DIR> d-------- C:\Deckard
2008-04-09 17:27 . 2008-04-09 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-09 17:25 . 2008-04-09 17:47 2 --a------ C:\747418724
2008-04-07 18:52 . 2008-04-09 20:14 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 18:52 . 2008-04-07 18:52 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-06 03:05 . 2008-04-06 03:05 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-06 03:05 . 2003-07-17 14:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-06 03:05 . 2005-01-01 05:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-06 03:04 . 2008-04-06 03:06 <DIR> d--h----- C:\Documents and Settings\Compaq_Administrator\Application Data\ijjigame
2008-04-06 03:03 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-04-06 03:02 . 2008-01-16 18:25 679,936 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-04-06 02:56 . 2008-04-06 02:56 <DIR> d-------- C:\ijji
2008-04-04 21:54 . 2008-04-09 22:07 <DIR> d-------- C:\Program Files\SpeedFan
2008-04-04 21:54 . 2008-04-04 21:54 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-04 17:11 . 2008-04-04 17:11 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\.AMD Power Monitor Settings
2008-04-04 17:11 . 2007-06-29 14:47 34,304 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-01 13:28 . 2008-04-01 13:28 <DIR> d-------- C:\ppmaterecord
2008-03-31 20:13 . 2008-04-06 03:06 32 --a------ C:\WINDOWS\GunzLauncher.INI
2008-03-31 20:09 . 2008-03-31 20:09 <DIR> d-------- C:\Program Files\MAIET
2008-03-30 18:11 . 2008-04-07 06:45 <DIR> d-------- C:\Program Files\Winamp Remote
2008-03-30 18:11 . 2008-03-30 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-03-30 18:10 . 2008-03-30 18:11 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 18:10 . 2008-03-30 18:25 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Winamp
2008-03-29 17:32 . 2008-04-08 23:01 <DIR> d-------- C:\Program Files\DOSBox-0.72
2008-03-26 01:42 . 2008-03-26 01:42 <DIR> d-------- C:\Program Files\Valve
2008-03-25 16:28 . 1999-12-17 08:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-25 16:26 . 2008-03-25 16:33 <DIR> d-------- C:\Program Files\Postal2STP
2008-03-11 08:44 . 2008-03-11 08:44 2,296 --a------ C:\WINDOWS\ATICIM.INI
2008-03-11 08:36 . 2008-03-11 08:36 0 --a------ C:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 20:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 20:23 --------- d-----w C:\Program Files\Graal
2008-04-10 17:38 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Xfire
2008-04-10 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 05:18 --------- d-----w C:\Program Files\Xfire
2008-04-10 05:18 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
2008-04-09 21:47 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 21:47 14,336 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe
2008-04-09 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 23:46 --------- d-----w C:\Program Files\Steam
2008-04-07 22:55 --------- d-----w C:\Program Files\Windows Live
2008-04-07 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-07 00:13 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-04-06 07:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 21:11 --------- d-----w C:\Program Files\AMD
2008-04-04 21:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 18:41 --------- d-----w C:\Program Files\EA SPORTS
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-11 02:44 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Hamachi
2008-03-11 01:15 17,480 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-03-07 20:49 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\InstallShield
2008-03-07 07:55 --------- d-----w C:\Program Files\Microsoft Games
2008-03-07 07:55 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft Games
2008-03-07 05:03 --------- d-----w C:\Program Files\SEGA
2008-03-06 23:34 --------- d-----w C:\Program Files\WinUHA
2008-03-06 20:51 --------- d-----w C:\Program Files\Azureus
2008-03-02 17:51 --------- d-----w C:\Program Files\MicroProse
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\SET2A3.tmp
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\SET280.tmp
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\SET291.tmp
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\SET255.tmp
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\SET29D.tmp
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\SET274.tmp
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\SET29F.tmp
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\SET27A.tmp
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\SET29B.tmp
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\SET271.tmp
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\SET299.tmp
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\SET26E.tmp
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\SET295.tmp
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\SET25E.tmp
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\SET297.tmp
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\SET261.tmp
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\SET2A1.tmp
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\SET27D.tmp
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\SET2A5.tmp
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\SET286.tmp
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\SET293.tmp
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\SET258.tmp
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 12:24 --------- d-----w C:\Program Files\LimeWire
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-11 17:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 04:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-10 20:20 --------- d-----w C:\Program Files\TVAnts
2008-02-10 19:42 --------- d-----w C:\Program Files\FDRLab
2008-02-10 19:42 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\FDRLab
2008-02-10 13:32 --------- d-----w C:\Program Files\SopCast
2008-02-10 13:31 --------- d-----w C:\Program Files\PPMate
2008-02-10 13:30 --------- d-----w C:\Program Files\Common Files\Synacast
2008-02-10 13:30 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\PPMate
2008-02-10 13:29 --------- d-----w C:\Program Files\TVUPlayer
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\TVU networks
2008-02-10 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-09 07:33 691,545 ----a-w C:\WINDOWS\unins001.exe
2007-12-01 19:01 22,328 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\PnkBstrK.sys
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-10_15.02.45.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 18:57:38 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-10 20:47:21 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 08:06 167368]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 17:03 49768]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2002-10-31 09:14 327680]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-25 14:40 155648]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 13:41 1605740]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CHotkey"="mHotkey.exe" [2004-10-20 16:59 550912 C:\WINDOWS\mHotkey.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 02:35 36352]
"AMD_Display"="" []
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-10 08:00 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-08-09 11:32 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINDOWS\pss\NetAssistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=C:\WINDOWS\pss\Camio Viewer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 03:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-06-29 16:03 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2007-07-12 03:15 913064 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 13:41 1605740 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-03-24 22:59 507904 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-07-25 14:02 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2005-03-29 20:03 22656 c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\wic_ds.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 15:15]
S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\Drivers\ezwinit.sys [2005-06-06 10:18]
S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\Drivers\ezwriter.sys [2006-01-12 16:09]
S3 ATICDSDr;ATICDSDr;C:\ATI\SUPPORT\7-11_X~1\Driver\bin\atiicdxx.sys [2007-11-16 23:58]
S3 EraserUtilDrv10733;EraserUtilDrv10733;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 20:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-05 01:02:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-04-10 20:47:43 C:\WINDOWS\Tasks\User_Feed_Synchronization-{CFCBCDAB-4C78-4ED0-903B-FC75251E7D23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-07-25 17:35:07 C:\WINDOWS\Tasks\Warranty Reminder 11 Months.job"
- c:\hp\bin\cloaker.exe>c:\\windows\\system32\\pcintro\\reminder\\Warranty\months.ba
- c:\hp\bin
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 16:48:35
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-10 16:48:39
ComboFix-quarantined-files.txt 2008-04-10 20:47:46
ComboFix2.txt 2008-04-10 19:54:33
ComboFix3.txt 2008-04-10 19:03:31
Pre-Run: 65,516,474,368 bytes free
Post-Run: 65,499,471,872 bytes free
.
2008-04-09 07:05:09 --- E O F ---

Edited by protozero, 10 April 2008 - 03:51 PM.

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
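Added example, not from the thread or from the ComboFix tool: a small Python triage of the "Reg Loading Points" section of a ComboFix-style log, flagging the Security Center, Windows Firewall and AppInit_DLLs settings that a helper otherwise reads by eye. The sample log is constructed to mirror the entries in the log above; the AppInit_DLLs rule only asks for verification, since wbsys.dll here sits beside the Stardock WindowBlinds entries and is most likely that product's module.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example (not part of the thread or of ComboFix): flags registry
values that weaken Windows XP's own defences, as seen in the log above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in ComboFix's layout; values mirror the posted log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 17:03 49768]
"AMD_Display"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

HEADER_RE = re.compile(r"^\[(.+)\]\s*$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header to its "name"=value lines (raw right-hand side)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def as_int(raw: str) -> Optional[int]:
    """Read ComboFix's numeric renderings: 'dword:00000001' or '0 (0x0)'."""
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    head = raw.split()[0] if raw.split() else ""
    return int(head) if head.isdigit() else None


def as_path(raw: str) -> str:
    """Strip quotes and the trailing [date size] annotation from a Run value."""
    m = re.match(r'^"([^"]*)"', raw)
    return m.group(1) if m else raw.split(" [")[0]


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, key\\name, explanation) for entries worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for key, entries in parse_reg_section(text).items():
        k = key.lower()
        for name, raw in entries.items():
            where = f"{key}\\{name}"
            if k.endswith("security center") and name == "AntiVirusDisableNotify" and as_int(raw) == 1:
                findings.append(("high", where, "Security Center antivirus warnings are suppressed"))
            elif "security center\\monitoring\\" in k and name == "DisableMonitoring" and as_int(raw) == 1:
                findings.append(("medium", where, "Security Center no longer monitors " + key.rsplit("\\", 1)[-1]))
            elif "firewallpolicy\\standardprofile" in k and name == "EnableFirewall" and as_int(raw) == 0:
                findings.append(("high", where, "Windows Firewall is off for the standard profile"))
            elif name == "AppInit_DLLs" and raw:
                findings.append(("medium", where, raw + " is loaded into every user32 process; confirm it belongs to a known product"))
            elif k.endswith("\\run") and as_path(raw) == "":
                findings.append(("low", where, "Run entry with an empty command; leftover of an uninstall or a cleaned loader"))
    return findings


if __name__ == "__main__":
    for severity, where, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {where}: {why}")
```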

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 10 April 2008 - 04:04 PM

Your combofix log looks good. :thumbsup:

Please try booting into Safe Mode now and let me know if it works? AVZ should have fixed it if the registry keys were borked -- possibly the infections were causing it. :blink: We can figure out something else if it still doesn't work.

Delete this file as well:

C:\747418724

As for some clean up...

Click Start -> Run and type in:

ComboFix /u

Click on OK. When shown the disclaimer, select 2.

This will clear up all the files that came with ComboFix, empty your system restore points and create a new, clean restore point, etc.

This one will clear out Deckard's System Scan and SDFix:

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Why, there's something wrong with my log, it looks fine to me!? I'm downloading the file right now. The link you gave is pretty slow but it's not a big file.

So, you would rather just keep your safe mode boot screwed and not working? I don't understand what you're complaining about. Everything doesn't happen in a blink of an eye.
Hi there, stranger!

#9 protozero

protozero
  • Topic Starter

  • Members
  • 447 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 10 April 2008 - 04:53 PM

Did what you said, ran AVZ and the others you pointed out. I'm better with hardware than malware. I've had hard drive crashes before ( Well OS crash I guess as the HD's still working )

This is what I get when I attempt safemode, a long list of lines like this

Multi(0)disk(0)rdisk(0)Partition(2)\Windows\System32\Drivers\

Looks like that but each line with a different driver at the end.


As far as I'm concerned....


QUOTE
And here's my HJT log just in case, I can't see anything wrong with it anymore, and my computer seems to be fine, nothing's not working.



QUOTE
... Safemode does not work, when I select safe mode like I tried way before it just gives me a long list of drivers and stalls, I used SD-fix, installed it and it seemed to work but there's no GUI to tell me anything.


I thought you were referring to my log when you said "That's a problem."

Edited by protozero, 10 April 2008 - 05:15 PM.

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 11 April 2008 - 03:38 PM

Sorry for the delay. :thumbsup:

I think I missed the email notification.

As for the Safe Mode problem, I don't think it's a malware issue.

You should check the drivers it lists, and disconnect the hardware you have indicating to them, then try again to see if it's them causing the problems. You can post about it in the Windows XP forum.

Other than that, looks good.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32 this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
Hi there, stranger!

#11 protozero

protozero
  • Topic Starter

  • Members
  • 447 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada,
  • Local time:02:46 AM

Posted 11 April 2008 - 05:40 PM

I was thinking it probably wasn't a malware problem as well. I've had my OS crash twice before and had to restart from scratch. Uhhmm...the list it puts up is about maybe 40 different drivers. I'll look into it on another section of the forums. Thanks a lot for the help!
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:46 AM

Posted 11 April 2008 - 06:08 PM

You're welcome - thanks for taking the time to thank. :thumbsup:

Since this issue appears to be resolved, this topic has been closed.

Should another issue arise, feel free to start a new topic. :blink:
Hi there, stranger!
