Please Help! I Am Out Of My League


  • This topic is locked
11 replies to this topic

#1 nick_unbc

nick_unbc

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 10 April 2008 - 04:33 PM

Hi, I'm new to the forums, and desperately need help. I'm usually decent with troubleshooting, but I just can't resolve this. About a month ago, I started getting an ever-increasing number of errors and crashes not caused by any specific program or action. Everything from "fatal error" blue screens, to various program crashes and Windows errors (winlogon etc...). This kept happening more frequently. I took some basic steps to try and fix it (clear temp files, cache, cookies etc...) with no effect. Moved on to various programs (Trend Micro online scanner, AVG, Spybot S&D, Ad-Aware. All have been updated to latest versions and files) with nothing found and no change. Used CCleaner as well to check for bad registry keys, found a few from old programs which I deleted, but no change. Also tried running these in safe mode, again, no change. More recently, the errors have stopped happening as often, but it's even worse: the explorer.exe process is constantly running at 90-100% and makes the computer almost unusable. A program that would normally take 4-5 seconds to fully open now takes upwards of 2 minutes. Once the programs finally do open, most will still take 30+ seconds for any action that is usually instant, like opening a menu. The only exception is Firefox, which takes a ridiculous amount of time to open, but then acts normally once loaded. I only have 512 RAM (which is low by today's standards), but it has worked perfectly well for what I need it for. Browsing the forums, I found repeated threads pointing to deleting 2 registry keys associated with media file reading in Windows, which people reported fixing the problem. I did that as well with no change (known issue that was solved with SP1, too bad I'm having it even with SP2). I have disabled unnecessary startup items as well with no change (process still running 100% after fresh reboot). 
I have to try and salvage the OS as my XP install disc was lost long ago, and Microsoft and Dell have no sympathy ("sorry, would you like to upgrade to Vista?" bastards). I am taking this step as a last resort and would appreciate any help or advice I can get. Below is my HijackThis log, done after a fresh reboot. Thank you all for your wisdom.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:56 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ElectricPocket\Lobster\pcpService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {844BFD9A-7EF4-4E19-911E-9C3D64AC62E7} - c:\windows\system32\corpoll.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: pdkfeqyh - C:\WINDOWS\SYSTEM32\corpoll.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LobsterMusicService - Electric Pocket - C:\Program Files\ElectricPocket\Lobster\pcpService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7188 bytes
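The log above shows the classic hijack pattern a helper looks for: an unnamed BHO and an O20 Winlogon Notify package both loading the same DLL from system32, plus a start page on a lookalike domain. The following triage script is an added example, not part of this thread or of HijackThis; its rules, severities and allowlists are my own assumptions, and the sample lines are copied from the log above except for the one marked as constructed.

```python
"""Triage a HijackThis v2 log for the hijack indicators seen in this thread.

Added example, not part of the thread or of HijackThis itself. Rules,
allowlists and severities are assumptions; extend them per environment.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the HijackThis log posted above; the one marked line is constructed.
SAMPLE_LINES = [
    r"Running processes:",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\svchost.exe",  # constructed: svchost.exe outside system32
    r"",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {844BFD9A-7EF4-4E19-911E-9C3D64AC62E7} - c:\windows\system32\corpoll.dll",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O20 - Winlogon Notify: pdkfeqyh - C:\WINDOWS\SYSTEM32\corpoll.dll",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
    r"O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe",
]

# Assumed allowlists: expected home/search domains, the Winlogon Notify packages
# a stock XP SP2 install registers (plus WGA), and core binaries that must live
# in system32.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "msn.com", "live.com"}
TRUSTED_BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    entry: str      # HijackThis section (R0, O2, ...), "PROC" or "XREF"
    detail: str
    path: str = ""  # normalised file path, used for cross-referencing


def registrable_domain(url):
    """Return (host, last-two-label domain) for an http(s) URL, lower-cased."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip().lower())
    host = m.group(1) if m else ""
    return host, ".".join(host.split(".")[-2:])


def triage(lines):
    findings = []
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            p = line.lower()
            name = p.rsplit("\\", 1)[-1]
            if name in SYSTEM32_ONLY and "\\windows\\system32\\" not in p:
                findings.append(Finding("high", "PROC", f"{name} running from unexpected location", p))
            continue
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            host, dom = registrable_domain(url)
            if host and dom not in TRUSTED_DOMAINS:
                # A trusted brand used as a subdomain of another domain is a lookalike.
                labels = set(host.split(".")[:-2])
                hint = " (lookalike: trusted brand used as a subdomain)" if labels & TRUSTED_BRANDS else ""
                findings.append(Finding("high", sec, f"{key.split(',')[-1]} points at {host}{hint}"))
        elif sec == "O2":
            m2 = re.match(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$", body)
            if m2 and m2.group(1) == "(no name)":
                path = m2.group(3).lower()
                if path == "(no file)":
                    findings.append(Finding("low", sec, f"orphaned BHO {m2.group(2)} (registry entry, no file)"))
                else:
                    findings.append(Finding("high", sec, f"unnamed BHO {m2.group(2)} loads {path}", path))
        elif sec == "O6" and "Restrictions present" in body:
            findings.append(Finding("medium", sec, "IE policy restrictions set; verify an admin intended them"))
        elif sec == "O20":
            m2 = re.match(r"^Winlogon Notify: (.*?) - (.*)$", body)
            if m2 and m2.group(1).lower() not in KNOWN_NOTIFY:
                path = m2.group(2).lower()
                findings.append(Finding("high", sec, f"non-default Winlogon Notify package '{m2.group(1)}' -> {path}", path))
        elif sec == "O23":
            m2 = re.match(r"^Service: (.*?) - (.*?) - (.*)$", body)
            if m2 and m2.group(2) == "Unknown owner":
                findings.append(Finding("low", sec, f"service '{m2.group(1)}' has no vendor information", m2.group(3).lower()))
    # Cross-reference: one file hooked from several load points is a strong signal.
    counts = Counter(f.path for f in findings if f.path)
    for path, n in counts.items():
        if n > 1:
            findings.append(Finding("high", "XREF", f"{path} referenced by {n} separate load points", path))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LINES), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.entry:5} {f.detail}")
```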


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:52 AM

Posted 10 April 2008 - 06:10 PM

Hello nick_unbc,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 nick_unbc

nick_unbc
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 10 April 2008 - 07:17 PM

Thanks for the reply Tea, I really appreciate it. Took the steps you asked and will post the ComboFix log and HijackThis log below. On a really weird note, I had switched to Firefox because IE kept crashing (removed it through control panel, no problems or changes) and it came highly recommended. After running ComboFix and it rebooting the computer, IE randomly re-appeared as my default browser, although Firefox is still installed. Not sure why that happened. Anyways, below are the logs you requested, thank you again for the help.

ComboFix 08-04-10.5 - Head Honcho 2008-04-10 16:48:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -7:00]
Running from: C:\Documents and Settings\Head Honcho\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\corpoll.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cerccyvg
-------\Legacy_cerccyvg
-------\cerccyvg


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 22:50 . 2008-04-09 22:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-09 20:46 . 2008-04-09 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-09 20:37 . 2008-04-09 22:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-04-08 21:37 . 2008-04-08 21:37 <DIR> d-------- C:\Program Files\ElectricPocket
2008-04-08 21:36 . 2008-04-08 21:36 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-08 21:35 . 2008-04-08 21:35 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-07 04:10 . 2008-04-07 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-04-07 00:40 . 2008-04-07 00:40 <DIR> d-------- C:\Program Files\CCleaner
2008-04-07 00:30 . 2008-04-07 00:38 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\Uniblue
2008-04-07 00:16 . 2008-04-07 00:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-06 23:13 . 2008-04-06 23:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX
2008-04-06 20:42 . 2008-04-09 00:28 593 --a------ C:\WINDOWS\system32\tversity.cookies
2008-04-06 18:58 . 2008-04-06 18:58 <DIR> d-------- C:\Program Files\ffdshow
2008-04-06 18:58 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-04-06 18:58 . 2007-06-03 14:31 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-06 18:58 . 2007-06-03 14:31 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-04-06 18:58 . 2006-12-10 23:32 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-06 18:55 . 2008-04-06 18:58 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2008-04-06 18:52 . 2008-04-06 18:52 <DIR> d-------- C:\Program Files\TVersity
2008-04-06 18:07 . 2008-04-06 18:56 <DIR> d-------- C:\Documents and Settings\All Users\ps3
2008-04-06 17:52 . 2008-04-06 17:52 <DIR> d-------- C:\Program Files\Red Kawa
2008-04-06 01:29 . 2008-04-06 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-05 01:26 . 2008-04-05 01:26 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\Talkback
2008-04-04 13:45 . 2008-04-04 13:45 <DIR> d-------- C:\WINDOWS\ASTULogTemp
2008-04-04 13:45 . 2008-04-04 13:45 124,563 --a------ C:\WINDOWS\system32\ASTULog.cab
2008-04-04 13:45 . 2008-04-04 13:45 1,050 --a------ C:\WINDOWS\system32\setup.inf
2008-04-04 13:45 . 2008-04-04 13:45 283 --a------ C:\WINDOWS\system32\setup.rpt
2008-04-03 17:35 . 2008-04-03 17:36 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-03 17:35 . 2008-04-04 17:51 6,491,392 --a------ C:\WINDOWS\system32\idxmnmar.dat
2008-03-27 19:47 . 2008-04-03 17:19 244 --ah----- C:\sqmnoopt19.sqm
2008-03-27 19:47 . 2008-04-03 17:19 244 --ah----- C:\sqmnoopt18.sqm
2008-03-27 19:47 . 2008-04-03 17:19 232 --ah----- C:\sqmdata19.sqm
2008-03-27 19:47 . 2008-04-03 17:19 232 --ah----- C:\sqmdata18.sqm
2008-03-26 23:47 . 2008-04-03 10:44 244 --ah----- C:\sqmnoopt17.sqm
2008-03-26 23:47 . 2008-04-03 10:44 232 --ah----- C:\sqmdata17.sqm
2008-03-26 15:55 . 2008-03-26 15:55 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-26 15:55 . 2008-04-01 16:59 638,208 --a------ C:\WINDOWS\system32\aesxwzre.dat
2008-03-26 15:55 . 2008-03-26 15:55 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-26 15:55 . 2008-04-03 17:35 42,752 --a------ C:\WINDOWS\system32\aikucehz.dat
2008-03-26 15:55 . 2008-03-26 15:55 36,608 --a------ C:\WINDOWS\system32\qfpwhghg.dat
2008-03-26 15:55 . 2008-03-26 15:55 35,072 --a------ C:\WINDOWS\system32\wqfnhqfc.dat
2008-03-26 15:55 . 20,224 C:\WINDOWS\system32\drivers\aadrtler.dat
2008-03-26 01:38 . 2008-03-26 01:55 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-26 01:06 . 2008-04-03 10:28 244 --ah----- C:\sqmnoopt16.sqm
2008-03-26 01:06 . 2008-04-03 10:28 232 --ah----- C:\sqmdata16.sqm
2008-03-25 23:40 . 2008-04-03 00:27 268 --ah----- C:\sqmdata15.sqm
2008-03-25 23:40 . 2008-04-03 00:27 244 --ah----- C:\sqmnoopt15.sqm
2008-03-25 21:48 . 2008-03-25 21:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 21:48 . 2008-03-25 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 21:12 . 2008-03-25 21:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 21:12 . 2008-04-09 15:04 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\AVG7
2008-03-25 21:12 . 2008-03-25 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 21:12 . 2008-03-26 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 21:06 . 2008-04-02 18:23 244 --ah----- C:\sqmnoopt14.sqm
2008-03-25 21:06 . 2008-04-02 18:23 232 --ah----- C:\sqmdata14.sqm
2008-03-25 20:07 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-25 15:49 . 2008-03-25 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 15:47 . 2008-04-09 18:29 110,336 --a------ C:\WINDOWS\system32\fvatobys.dat
2008-03-25 15:40 . 2008-04-10 16:57 81,920 --a------ C:\WINDOWS\system32\corpoll.dll
2008-03-25 15:40 . 2008-04-04 17:51 80,896 --a------ C:\WINDOWS\system32\corpoll.dll.bak
2008-03-25 14:08 . 2008-04-02 17:13 244 --ah----- C:\sqmnoopt13.sqm
2008-03-25 14:08 . 2008-04-02 17:13 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:21 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\OpenOffice.org2
2008-04-10 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-10 07:15 --------- d-----w C:\Program Files\Google
2008-04-09 05:22 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-07 09:40 --------- d-----w C:\Program Files\DivX
2008-04-07 00:52 --------- d-----w C:\Program Files\Java
2008-04-06 12:41 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\Ahead
2008-04-06 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-06 08:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-29 07:42 --------- d-----w C:\Program Files\Morpheus
2008-03-29 06:56 --------- d-----w C:\Program Files\WMR11
2008-03-26 09:19 --------- d-----w C:\Program Files\Morpheus Toolbar
2008-03-26 09:06 --------- d-----w C:\Program Files\MySpace
2008-03-05 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-25 00:40 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\ArcSoft
2008-02-23 00:55 --------- d-----w C:\Program Files\WinPcap
2007-04-13 16:34 56 -csh--r C:\WINDOWS\system32\EAF0C10AA0.sys
2007-04-13 16:34 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{844BFD9A-7EF4-4E19-911E-9C3D64AC62E7}]
2008-04-10 16:57 81920 --a------ c:\windows\system32\corpoll.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-09-29 17:03 393216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 21:12 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-09-29 14:50:47 217088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2007-03-15 09:57 356197 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-25 21:13 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ez2l3s0hdo]
C:\WINDOWS\system32\ez2l3s0hdo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 07:03 221184 c:\progra~1\common~1\instal~1\update~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 07:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-01 14:43 163840 C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-09-09 02:16 196608 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 C:\Program Files\Brother\Brmfl04h\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-04 23:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-20 01:35 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\ElectricPocket\\Lobster\\pcpService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"41952:TCP"= 41952:TCP:mediaserver

R0 rstmplpz;rstmplpz;C:\WINDOWS\system32\drivers\aadrtler.dat []
R2 LobsterMusicService;LobsterMusicService;"C:\Program Files\ElectricPocket\Lobster\pcpService.exe" [2007-10-23 13:27]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2001-07-11 08:59]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2001-07-11 08:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 22:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 07:29:58 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-07 07:29:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 17:00:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rstmplpz]
"ImagePath"="system32\drivers\aadrtler.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-04-10 17:02:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 00:02:27
Pre-Run: 5,263,605,760 bytes free
Post-Run: 6,578,917,376 bytes free
.
2008-04-09 10:04:28 --- E O F ---

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:14 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ElectricPocket\Lobster\pcpService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {844BFD9A-7EF4-4E19-911E-9C3D64AC62E7} - c:\windows\system32\corpoll.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LobsterMusicService - Electric Pocket - C:\Program Files\ElectricPocket\Lobster\pcpService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6992 bytes
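The log above is the kind of thing a responder reads by eye: an unnamed O2 BHO loaded from system32 (corpoll.dll), an R0 start page on a host that merely begins with "google", an O6 policy restriction, and an O23 service with no recognised publisher. The script below is an added example written for this page, not code from HijackThis, ComboFix or anyone in the thread. It applies those same checks to a constructed excerpt of the log and renders the BHO findings in the File::/Registry:: CFScript form that appears later in the thread. The trusted-domain list, the severity levels and the "(no name)" rule are assumptions, and every finding is a lead to verify by hand, not a verdict.

```python
"""Triage a HijackThis v2 log the way a responder reads it, then render the
BHO findings as a ComboFix CFScript (File::/Registry:: form).

Added example for this page; not code from HijackThis, ComboFix or the
thread's participants.  Trusted domains, severities and rules are assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the log above, plus clean controls
# (Adobe BHO, Microsoft default page, ProxyOverride, AVG service).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {844BFD9A-7EF4-4E19-911E-9C3D64AC62E7} - c:\windows\system32\corpoll.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Assumption: start/search pages on these domains (or their subdomains) are benign.
TRUSTED_PAGE_DOMAINS = ("microsoft.com", "msn.com", "live.com", "google.com")
# Assumption: an unnamed BHO living here is worse than one under Program Files.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# Only the Internet Explorer\Main values carry page URLs; ProxyOverride etc. are skipped.
PAGE_RE = re.compile(r"^R[01] - (?P<key>[^,]*Internet Explorer\\Main),(?P<value>[^=]+?) = (?P<url>\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _trusted_url(url):
    """Compare the real hostname, so google.baby-gaga.com does not pass as google.com."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_PAGE_DOMAINS)


def triage(log_text):
    """Return findings as dicts (severity, kind, item, clsid, reason), highest severity first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := BHO_RE.match(line):
            if m["name"] == "(no name)":
                in_sysdir = m["path"].lower().startswith(SYSTEM_DIRS)
                findings.append(dict(
                    severity="high" if in_sysdir else "medium", kind="bho",
                    item=m["path"], clsid=m["clsid"],
                    reason="unnamed BHO" + (" loaded from a Windows system directory" if in_sysdir else "")))
        elif m := PAGE_RE.match(line):
            if not _trusted_url(m["url"]):
                findings.append(dict(severity="high", kind="page", item=m["url"], clsid=None,
                                     reason=f"{m['value']} set to an unexpected host"))
        elif line.startswith("O6 - "):
            findings.append(dict(severity="low", kind="policy", item=line[5:], clsid=None,
                                 reason="IE policy restrictions set; check whether the user or a protection tool did this"))
        elif m := SVC_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(dict(severity="low", kind="service", item=m["path"], clsid=None,
                                     reason="service binary with no recognised publisher"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def cfscript(findings):
    """Render BHO findings in the CFScript syntax used in the thread: File:: lists
    paths to quarantine, Registry:: lists keys to delete (leading '-')."""
    bhos = [f for f in findings if f["kind"] == "bho"]
    lines = []
    if bhos:
        lines += ["File::"] + [f["item"] for f in bhos] + [""]
        lines += ["Registry::"] + [
            f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f['clsid']}}}]" for f in bhos]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['kind']:8} {f['item']}  ({f['reason']})")
    print(cfscript(found))
```

Run it as-is to see the four findings from the sample; feed it a saved hijackthis.log instead of SAMPLE_LOG to triage a real one. The generated CFScript should be checked line by line before use, since it deletes whatever it names.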

#4 nick_unbc (Topic Starter)

Posted 10 April 2008 - 08:15 PM

How very odd. The problem seemed fixed.... but my newfound joy lasted all of 5 minutes. After the ComboFix reboot, the computer was acting normally and explorer.exe was no longer sucking up the CPU. Other than IE inviting itself back into the mix, everything seemed fine. But after 5 minutes, the computer started getting much slower, though not as bad as before ComboFix (a definite improvement). But one major difference: the explorer.exe process was not chewing up resources, and the System Idle Process was listed around 97% CPU. When I tried a reboot, iexplorer was not responding and had to be manually ended. Also just discovered: I plugged in my Windows Mobile 6 phone to charge it. The phone is connected and charging, yet ActiveSync is not reacting, and the phone is not listed in My Computer as it usually is. That's never happened before. As long as it charges, I don't care if ActiveSync notices it or not, but could this be an indication of something else?

#5 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 10 April 2008 - 08:28 PM

Hello,

We're not done yet. :thumbsup:

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\corpoll.dll
C:\WINDOWS\system32\corpoll.dll.bak
C:\WINDOWS\system32\fvatobys.dat
C:\WINDOWS\system32\drivers\aadrtler.dat
C:\WINDOWS\system32\aikucehz.dat
C:\WINDOWS\system32\qfpwhghg.dat
C:\WINDOWS\system32\wqfnhqfc.dat
C:\WINDOWS\system32\aesxwzre.dat
C:\WINDOWS\system32\idxmnmar.dat
C:\WINDOWS\system32\ez2l3s0hdo.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{844BFD9A-7EF4-4E19-911E-9C3D64AC62E7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ez2l3s0hdo]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot of dragging CFScript onto ComboFix.exe not reproduced]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#6 nick_unbc (Topic Starter)

Posted 10 April 2008 - 10:08 PM

Thanks Tea, followed your steps. Below are the two requested logs:

ComboFix 08-04-10.5 - Head Honcho 2008-04-10 19:58:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]
Running from: C:\Documents and Settings\Head Honcho\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Head Honcho\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\aesxwzre.dat
C:\WINDOWS\system32\aikucehz.dat
C:\WINDOWS\system32\corpoll.dll
C:\WINDOWS\system32\corpoll.dll.bak
C:\WINDOWS\system32\drivers\aadrtler.dat
C:\WINDOWS\system32\ez2l3s0hdo.exe
C:\WINDOWS\system32\fvatobys.dat
C:\WINDOWS\system32\idxmnmar.dat
C:\WINDOWS\system32\qfpwhghg.dat
C:\WINDOWS\system32\wqfnhqfc.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aesxwzre.dat
C:\WINDOWS\system32\aikucehz.dat
C:\WINDOWS\system32\corpoll.dll
C:\WINDOWS\system32\corpoll.dll.bak
C:\WINDOWS\system32\drivers\aadrtler.dat
C:\WINDOWS\system32\fvatobys.dat
C:\WINDOWS\system32\idxmnmar.dat
C:\WINDOWS\system32\qfpwhghg.dat
C:\WINDOWS\system32\wqfnhqfc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cerccyvg
-------\Legacy_cerccyvg
-------\Legacy_rstmplpz
-------\cerccyvg
-------\rstmplpz


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 22:50 . 2008-04-09 22:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-09 20:46 . 2008-04-09 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-09 20:37 . 2008-04-09 22:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-04-08 21:37 . 2008-04-08 21:37 <DIR> d-------- C:\Program Files\ElectricPocket
2008-04-08 21:36 . 2008-04-08 21:36 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-08 21:35 . 2008-04-08 21:35 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-07 04:10 . 2008-04-07 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-04-07 00:40 . 2008-04-07 00:40 <DIR> d-------- C:\Program Files\CCleaner
2008-04-07 00:30 . 2008-04-07 00:38 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\Uniblue
2008-04-07 00:16 . 2008-04-07 00:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-06 23:13 . 2008-04-06 23:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX
2008-04-06 20:42 . 2008-04-09 00:28 593 --a------ C:\WINDOWS\system32\tversity.cookies
2008-04-06 18:58 . 2008-04-06 18:58 <DIR> d-------- C:\Program Files\ffdshow
2008-04-06 18:58 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-04-06 18:58 . 2007-06-03 14:31 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-06 18:58 . 2007-06-03 14:31 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-04-06 18:58 . 2006-12-10 23:32 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-06 18:55 . 2008-04-06 18:58 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2008-04-06 18:52 . 2008-04-06 18:52 <DIR> d-------- C:\Program Files\TVersity
2008-04-06 18:07 . 2008-04-06 18:56 <DIR> d-------- C:\Documents and Settings\All Users\ps3
2008-04-06 17:52 . 2008-04-06 17:52 <DIR> d-------- C:\Program Files\Red Kawa
2008-04-06 01:29 . 2008-04-06 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-05 01:26 . 2008-04-05 01:26 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\Talkback
2008-04-04 13:45 . 2008-04-04 13:45 <DIR> d-------- C:\WINDOWS\ASTULogTemp
2008-04-04 13:45 . 2008-04-04 13:45 124,563 --a------ C:\WINDOWS\system32\ASTULog.cab
2008-04-04 13:45 . 2008-04-04 13:45 1,050 --a------ C:\WINDOWS\system32\setup.inf
2008-04-04 13:45 . 2008-04-04 13:45 283 --a------ C:\WINDOWS\system32\setup.rpt
2008-04-03 17:35 . 2008-04-03 17:36 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-03-27 19:47 . 2008-04-03 17:19 244 --ah----- C:\sqmnoopt19.sqm
2008-03-27 19:47 . 2008-04-03 17:19 244 --ah----- C:\sqmnoopt18.sqm
2008-03-27 19:47 . 2008-04-03 17:19 232 --ah----- C:\sqmdata19.sqm
2008-03-27 19:47 . 2008-04-03 17:19 232 --ah----- C:\sqmdata18.sqm
2008-03-26 23:47 . 2008-04-03 10:44 244 --ah----- C:\sqmnoopt17.sqm
2008-03-26 23:47 . 2008-04-03 10:44 232 --ah----- C:\sqmdata17.sqm
2008-03-26 15:55 . 2008-03-26 15:55 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-26 15:55 . 2008-03-26 15:55 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-26 01:38 . 2008-03-26 01:55 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-26 01:06 . 2008-04-03 10:28 244 --ah----- C:\sqmnoopt16.sqm
2008-03-26 01:06 . 2008-04-03 10:28 232 --ah----- C:\sqmdata16.sqm
2008-03-25 23:40 . 2008-04-03 00:27 268 --ah----- C:\sqmdata15.sqm
2008-03-25 23:40 . 2008-04-03 00:27 244 --ah----- C:\sqmnoopt15.sqm
2008-03-25 21:48 . 2008-03-25 21:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 21:48 . 2008-03-25 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 21:12 . 2008-03-25 21:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 21:12 . 2008-04-09 15:04 <DIR> d-------- C:\Documents and Settings\Head Honcho\Application Data\AVG7
2008-03-25 21:12 . 2008-03-25 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 21:12 . 2008-03-26 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 21:06 . 2008-04-02 18:23 244 --ah----- C:\sqmnoopt14.sqm
2008-03-25 21:06 . 2008-04-02 18:23 232 --ah----- C:\sqmdata14.sqm
2008-03-25 20:07 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-25 15:49 . 2008-03-25 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 14:08 . 2008-04-02 17:13 244 --ah----- C:\sqmnoopt13.sqm
2008-03-25 14:08 . 2008-04-02 17:13 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:21 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\OpenOffice.org2
2008-04-10 08:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-10 07:15 --------- d-----w C:\Program Files\Google
2008-04-09 05:22 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-07 09:40 --------- d-----w C:\Program Files\DivX
2008-04-07 00:52 --------- d-----w C:\Program Files\Java
2008-04-06 12:41 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\Ahead
2008-04-06 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-06 08:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-29 07:42 --------- d-----w C:\Program Files\Morpheus
2008-03-29 06:56 --------- d-----w C:\Program Files\WMR11
2008-03-26 09:19 --------- d-----w C:\Program Files\Morpheus Toolbar
2008-03-26 09:06 --------- d-----w C:\Program Files\MySpace
2008-03-05 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-25 00:40 --------- d-----w C:\Documents and Settings\Head Honcho\Application Data\ArcSoft
2008-02-23 00:55 --------- d-----w C:\Program Files\WinPcap
2007-04-13 16:34 56 -csh--r C:\WINDOWS\system32\EAF0C10AA0.sys
2007-04-13 16:34 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-10_17.02.10.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 10:33:52 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 01:00:13 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 10:33:53 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 01:00:13 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 23:17 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-09-29 17:03 393216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 21:12 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-09-29 14:50:47 217088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2007-03-15 09:57 356197 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-25 21:13 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 07:03 221184 c:\progra~1\common~1\instal~1\update~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 07:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-01 14:43 163840 C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-09-09 02:16 196608 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 C:\Program Files\Brother\Brmfl04h\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-04 23:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-20 01:35 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\ElectricPocket\\Lobster\\pcpService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"41952:TCP"= 41952:TCP:mediaserver

R2 LobsterMusicService;LobsterMusicService;"C:\Program Files\ElectricPocket\Lobster\pcpService.exe" [2007-10-23 13:27]
S2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2001-07-11 08:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 22:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 07:29:58 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-07 07:29:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 20:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-04-10 20:04:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 03:04:43
ComboFix2.txt 2008-04-11 00:02:43
Pre-Run: 6,087,839,744 bytes free
Post-Run: 6,080,147,456 bytes free
.
2008-04-09 10:04:28 --- E O F ---





HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:05 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\ElectricPocket\Lobster\pcpService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LobsterMusicService - Electric Pocket - C:\Program Files\ElectricPocket\Lobster\pcpService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7216 bytes
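One line in the ComboFix report above deserves a second look even though the computer is usable again: the msconfig startupreg entry named Load points at C:\WINDOWS\svchost.exe, and on Windows XP the real svchost.exe lives in C:\WINDOWS\system32. ComboFix prints attributes, timestamp and size in front of every file it could find, so a bare path (as for Load and MySpaceIM) is read here as a file that was absent when the report ran; that reading of the report format is an assumption. The parser below is an added example written for this page, not ComboFix's own code, and it runs over a constructed excerpt of the 'Reg Loading Points' section. The list of core binaries and their canonical directories is an assumption as well, and a flagged entry is something to verify, not a diagnosis.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix report and flag the
autostart entries a responder would check by hand: core Windows binary names
in the wrong directory, and entries whose file was not present at scan time.

Added example for this page; not ComboFix's code.  The sample is a constructed
excerpt of the report above; CORE_BINARIES and the bare-path rule are assumptions.
"""
import re

SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
"""

# Assumption: canonical directory of core Windows XP processes whose names
# malware commonly borrows.  Anything with these names elsewhere gets flagged.
CORE_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# Run-key values: "name"="path" [date time size]; the bracketed stamp is present only if the file existed.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<stamp>[^\]]+)\])?')
# msconfig/startupfolder entries: attributes, date, time, size, then the path.
STATTED_RE = re.compile(r"^(?P<attrs>[-a-z]{9}) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) (?P<path>.+)$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_loading_points(text):
    """Yield (registry_key, path, statted) for each autostart entry; statted is
    False when ComboFix printed the path without attributes (file not found)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m["key"]
            continue
        if key is None:
            continue
        if m := RUN_VALUE_RE.match(line):
            yield key, m["path"], m["stamp"] is not None
        elif m := STATTED_RE.match(line):
            yield key, m["path"], True
        elif BARE_PATH_RE.match(line):
            yield key, line, False


def flag_entries(text):
    """Return (severity, key, path, reason) for entries worth a manual check."""
    findings = []
    for key, path, statted in parse_loading_points(text):
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_BINARIES and directory != CORE_BINARIES[name]:
            findings.append(("high", key, path,
                             f"{name} outside its canonical directory {CORE_BINARIES[name]}"))
        elif not statted:
            findings.append(("medium", key, path,
                             "file was not present when the report ran (orphaned autostart entry)"))
    return findings


if __name__ == "__main__":
    for sev, key, path, reason in flag_entries(SAMPLE_REPORT):
        print(f"{sev:6} {path}\n       {key}\n       {reason}")
```

The Load entry is flagged high on the name/directory mismatch alone, regardless of whether the file is still there; MySpaceIM is flagged only because its binary was missing, which usually means an uninstalled program left its msconfig entry behind. Either way, the next step is to look at the file (or confirm its absence) and the key by hand rather than act on the script's word.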

#7 teacup61 (Malware Response Team)

Posted 11 April 2008 - 12:09 AM

Hi there,

How is it now please? :thumbsup:

#8 nick_unbc (Topic Starter)

Posted 11 April 2008 - 12:30 AM

MUCH better than before, thank you so much. It is still slower than before, but at least now it's usable :thumbsup: Did you see anything odd in the logs that could account for this?

#9 teacup61 (Malware Response Team)

Posted 11 April 2008 - 01:15 AM

Hello,

Good! Now let's tidy up a bit. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#10 nick_unbc

nick_unbc
  • Topic Starter

  • Members
  • 13 posts

Posted 11 April 2008 - 03:53 AM

Hi Tea, followed the steps you detailed and below are the two logs. Computer speed has not changed.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:42:23 AM 11/04/2008

+ Scan result:
:mozilla.39:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.41:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lacph54i.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.104:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.105:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.112:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.113:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.114:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.115:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.116:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.47:C:\Documents and Settings\Head Honcho\Application Data\Mozilla\Firefox\Profiles\vt3uhndb.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.


::Report end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:52 AM, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ElectricPocket\Lobster\pcpService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LobsterMusicService - Electric Pocket - C:\Program Files\ElectricPocket\Lobster\pcpService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7465 bytes
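As an added example (not part of the thread, and not HijackThis's own code), here is a small Python triage script that parses a log in the HijackThis format posted above and lists the entries a responder would verify first: an O16 DPF entry with no name and no source URL, an O23 service with no publisher, an O6 policy-restrictions line, and any O4 autostart binary outside the usual install directories. The sample lines are copied from the log above; the heuristics are this example's own, not a verdict on this particular machine.

```python
import re
from collections import defaultdict

# Sample input: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.baby-gaga.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# Directories where a legitimately installed autostart binary is normally found.
STANDARD_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def parse_hjt(text):
    """Group the log's findings by section code: {"O4": [body, ...], ...}."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return dict(entries)


def triage(entries):
    """Return (section, reason, body) for entries a responder should verify first.
    These heuristics are this example's own, not HijackThis's classification."""
    findings = []
    for body in entries.get("O16", []):
        if body.rstrip().endswith("-"):  # DPF entry with neither a name nor a source URL
            findings.append(("O16", "ActiveX control with no name and no source URL", body))
    for body in entries.get("O23", []):
        if "Unknown owner" in body:  # service binary carries no publisher information
            findings.append(("O23", "service with no publisher", body))
    for body in entries.get("O6", []):  # IE policy restrictions: confirm who set them
        findings.append(("O6", "Internet Explorer policy restrictions present", body))
    for body in entries.get("O4", []):
        m = re.search(r'\] "?([A-Za-z]:\\.+?\.exe)', body, re.IGNORECASE)
        if m and not m.group(1).lower().startswith(STANDARD_DIRS):
            findings.append(("O4", "autostart binary outside the usual install directories", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}: {body}")
```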

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 April 2008 - 01:52 PM

Hello,

Well, your logs look good, so have a look here: http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Let me know how you come out. :thumbsup:

Regards,
tea

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 April 2008 - 08:19 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.