Not Sure What It Is But Found Winself.exe And Wmsdkns.exe? Help


This topic is locked
22 replies to this topic

#1 ferrari51592

Posted 18 May 2008 - 09:25 AM

Hi guys, thanks for all the help. Here is my situation: my desktop has a white screen saver with a blue triangle and exclamation point. This has only come up recently; before this it was one of those fake blue screens saying I was infected. I looked through the task manager and found winself.exe and wmsdkns.exe, so I looked for their files and deleted them, and since then they haven't come up, but I still have this white screen even when I change my desktop. Another problem is that I can't boot into safe mode, so I can't run SDFix, and I've run both AVG and Spybot and neither found anything. I am running Windows XP with Service Pack 2. Here are my logs (the main one is here, the extra file is attached). Thanks:

Deckard's System Scanner v20071014.68
Run by Jesus on 2008-05-17 13:17:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-17 18:17:37 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-17 13:20:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Jesus\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7B7170F8-6300-4E47-8F5D-16CA329D6632} - C:\WINDOWS\System32\rqRJBQii.dll (file missing)
O2 - BHO: (no name) - {90CB3768-065A-4A65-90BA-067A86D37A50} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\awtrQGxY.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
O10 - Unknown file in Winsock LSP: C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
O10 - Unknown file in Winsock LSP: C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
O15 - Trusted Zone: *.att.net (HKCU)
O15 - Trusted Zone: http://att.net (HKCU)
O15 - Trusted Zone: https://att.net (HKCU)
O15 - Trusted Zone: *.sbcglobal.net (HKCU)
O15 - Trusted Zone: http://sbcglobal.net (HKCU)
O15 - Trusted Zone: https://sbcglobal.net (HKCU)
O15 - Trusted Zone: *.yahoo.com (HKCU)
O15 - Trusted Zone: http://yahoo.com (HKCU)
O15 - Trusted Zone: https://yahoo.com (HKCU)
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206835374366
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7872.0883217593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - Winlogon Notify: awtrQGxY - C:\WINDOWS\system32\awtrQGxY.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe service
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe


--
End of file - 9196 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 szkg5 (szkg) - c:\windows\system32\drivers\szkg.sys <Not Verified; iS3 Inc.; Stopzilla>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service (file missing)
S2 ScanWscS (Quick Heal Helper Service WSC) - c:\progra~1\quickh~1\scanwscs.exe (file missing)
S2 szserver (STOPzilla Service) - "c:\program files\common files\is3\anti-spyware\szserver.exe" <Not Verified; iS3, Inc.; STOPzilla>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Trident Video Accelerator Blade 3D/ProMedia
Device ID: PCI\VEN_1023&DEV_8500&SUBSYS_85001023&REV_00\4&110A7DBF&0&0008
Manufacturer: Trident MicroSystems
Name: Trident Video Accelerator Blade 3D/ProMedia
PNP Device ID: PCI\VEN_1023&DEV_8500&SUBSYS_85001023&REV_00\4&110A7DBF&0&0008
Service: trid3d

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: ADMtek AN983 10/100 PCI Adapter
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_12161113&REV_11\3&61AAA01&0&78
Manufacturer: ADMtek Incorporated
Name: ADMtek AN983 10/100 PCI Adapter
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_12161113&REV_11\3&61AAA01&0&78
Service: AN983


-- Scheduled Tasks -------------------------------------------------------------

2008-04-20 17:28:00 264 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-04-18 20:42:12 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-10 18:26:37 338 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 11:51:00 0 d-------- C:\WINDOWS\LastGood
2008-05-12 21:37:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:21:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-12 19:58:44 0 d-------- C:\WINDOWS\provisioning
2008-05-04 13:35:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32:58 0 d-------- C:\Program Files\STOPzilla!
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32:49 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-04 13:31:35 9728 --a------ C:\WINDOWS\cdsm32.dll
2008-05-04 13:31:35 32000 --a------ C:\WINDOWS\bokja.exe
2008-05-03 17:11:10 15616 --a------ C:\WINDOWS\voiceip.dll
2008-05-03 17:11:10 25344 --a------ C:\WINDOWS\swin32.dll
2008-05-03 17:11:06 8192 --a------ C:\WINDOWS\mssvr.exe
2008-05-03 17:11:06 12288 --a------ C:\WINDOWS\mspphe.dll
2008-05-03 17:10:54 22016 --a------ C:\WINDOWS\saiemod.dll
2008-05-03 17:10:53 27392 --a------ C:\WINDOWS\msapasrc.dll
2008-05-03 17:10:52 17152 --a------ C:\WINDOWS\msa64chk.dll
2008-05-03 17:10:50 19968 --a------ C:\WINDOWS\shdocpl.dll
2008-05-03 17:10:49 16896 --a------ C:\WINDOWS\shdocpe.dll
2008-05-03 17:10:49 22016 --a------ C:\WINDOWS\ntnut.exe
2008-05-03 17:10:48 29184 --a------ C:\WINDOWS\winsb.dll
2008-05-03 17:10:48 22784 --a------ C:\WINDOWS\browserad.dll
2008-05-03 17:10:47 32768 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-03 17:10:46 15616 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-03 17:10:46 27904 --a------ C:\WINDOWS\avifile32.dll
2008-05-03 17:10:46 17664 --a------ C:\WINDOWS\autodisc32.dll
2008-05-03 17:10:46 28160 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-03 17:10:45 27648 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-03 17:10:44 28416 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-03 17:10:43 14592 --a------ C:\WINDOWS\athprxy32.dll
2008-05-03 17:10:43 19712 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-03 17:10:43 28416 --a------ C:\WINDOWS\asferror32.dll
2008-05-03 17:10:42 21760 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-03 17:10:42 21248 --a------ C:\WINDOWS\apphelp32.dll
2008-05-03 16:58:40 15725 --ahs---- C:\WINDOWS\system32\iiQBJRqr.ini2
2008-05-03 16:52:48 43520 --a------ C:\WINDOWS\system32\awtrQGxY.dll
2008-05-03 16:35:34 0 d-------- C:\Program Files\QdrPack
2008-05-03 16:35:10 0 d-------- C:\Program Files\QdrModule
2008-05-03 16:35:08 0 d-------- C:\Program Files\QdrDrive
2008-05-03 16:35:05 0 d-------- C:\Program Files\ISM
2008-05-03 15:20:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 15:19:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-03 15:18:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-03 15:18:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-03 15:17:59 35328 --a------ C:\WINDOWS\system32\clbdll.dll
2008-05-03 15:17:57 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-03 15:17:42 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-03 11:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-04-27 22:33:52 0 d-------- C:\Program Files\NSVtools
2008-04-26 17:35:51 0 d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34:50 0 d-------- C:\Program Files\ImgBurn
2008-04-25 18:36:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36:31 0 d-------- C:\Program Files\DVD Flick
2008-04-21 20:48:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 10:03:37 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-18 20:42:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-05-12 21:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 19:59:37 0 d-------- C:\Program Files\Messenger
2008-05-12 19:58:46 0 d-------- C:\Program Files\Movie Maker
2008-05-12 19:50:46 0 d-------- C:\Program Files\Windows NT
2008-05-12 17:51:46 0 d-------- C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files
2008-05-03 17:04:57 0 d-------- C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 13:23:16 0 d-------- C:\Program Files\LimeWire
2008-04-25 06:32:35 0 d-------- C:\Program Files\Azureus
2008-04-19 10:04:22 0 d-------- C:\Documents and Settings\Jesus\Application Data\Adobe
2008-04-19 10:04:14 0 d-------- C:\Program Files\Google
2008-04-18 20:42:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 13:27:40 0 d-------- C:\Program Files\Common Files\NSV
2008-04-13 13:26:39 0 d-------- C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-13 13:26:37 0 d-------- C:\Program Files\Winamp
2008-04-11 23:00:00 0 d-------- C:\Program Files\Cedelia
2008-04-10 18:08:59 0 d-------- C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-29 18:39:26 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2008-03-24 13:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 09:24:57 0 d-------- C:\Program Files\SBC Self Support Tool
2008-03-20 14:54:40 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-20 14:52:55 0 d-------- C:\Documents and Settings\Jesus\Application Data\Mozilla
2008-03-19 00:46:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\uTorrent
2008-03-18 17:35:38 0 d-------- C:\Program Files\uTorrent
2008-03-18 15:42:02 0 d-------- C:\Documents and Settings\Jesus\Application Data\Goodsol
2008-03-18 13:00:06 0 d-------- C:\Program Files\GameHouse
2008-03-17 14:08:35 0 d-------- C:\Documents and Settings\Jesus\Application Data\Motive
2008-03-17 00:20:13 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-17 00:14:04 0 d-------- C:\Program Files\ahead
2008-03-07 10:04:34 229376 -ra------ C:\WINDOWS\system32\SZBase5.dll <Not Verified; iS3, Inc.; STOPzilla>
2008-02-22 14:52:04 126976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:51:56 364544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:51:12 372736 -ra------ C:\WINDOWS\system32\IS3UI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:54 61440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:32 23040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:12 192512 -ra------ C:\WINDOWS\system32\IS3Win325.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:49:34 94208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:49:18 90112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:45:46 708608 -ra------ C:\WINDOWS\system32\IS3Base5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B7170F8-6300-4E47-8F5D-16CA329D6632}]
C:\WINDOWS\System32\rqRJBQii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90CB3768-065A-4A65-90BA-067A86D37A50}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
05/03/2008 04:52 PM 43520 --a------ C:\WINDOWS\System32\awtrQGxY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 04:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 06:23 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 01:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 08:05 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 08:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" []
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" []
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" []
"Messenger"="C:\PROGRA~1\QUICKH~1\SCANMSG.EXE" []
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 01:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 08:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/15/2008 12:10:35 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\WINDOWS\System32\awtrQGxY.dll [05/03/2008 04:52 PM 43520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrQGxY]
awtrQGxY.dll 05/03/2008 04:52 PM 43520 C:\WINDOWS\system32\awtrQGxY.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\rqRJBQii

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\System32\msnvl.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-17 13:22:27 ------------


Edited by ferrari51592, 18 May 2008 - 09:33 AM.
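As an added triage example (written for this page, not code from the thread or from DSS/HijackThis): a short Python script that scans HijackThis-style lines like the ones in the log above for the persistence locations this log exposes (the Userinit chain, Winlogon Notify DLLs, unnamed BHOs, vendor-less services) and for entries that still point at deleted files, which is what remains after binaries are removed by hand. The sample lines are copied from the log above; the checks and the "expected Userinit" baseline are my own assumptions.

```python
"""Triage of HijackThis-style log lines for common persistence locations."""
import re
from dataclasses import dataclass

# Constructed sample: these lines are copied from the first log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B7170F8-6300-4E47-8F5D-16CA329D6632} - C:\WINDOWS\System32\rqRJBQii.dll (file missing)
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\awtrQGxY.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O20 - Winlogon Notify: awtrQGxY - C:\WINDOWS\system32\awtrQGxY.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe service
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed baseline (my assumption, not HijackThis logic): on XP the only
# executable that belongs in the Userinit value is system32\userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


def section_of(line):
    """Return the section tag ('R1', 'F2', 'O23', ...) or None."""
    m = re.match(r"^([RFO]\d+) - ", line)
    return m.group(1) if m else None


def triage(log_text):
    """Return Finding objects for lines worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = section_of(line)
        if sec is None:
            continue
        low = line.lower()
        if sec == "F2" and "userinit=" in low:
            # Anything chained after userinit.exe runs at every interactive logon.
            value = line[low.index("userinit=") + len("userinit="):]
            for entry in (e.strip() for e in value.split(",")):
                if entry and entry.lower() != EXPECTED_USERINIT:
                    findings.append(Finding(sec, f"extra Userinit executable: {entry}", line))
        elif sec == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe itself.
            findings.append(Finding(sec, "Winlogon Notify DLL; verify the file", line))
        elif sec == "O23":
            if "Unknown owner" in line:
                findings.append(Finding(sec, "service with no vendor string", line))
            elif re.search(r"c:\\windows\\[^\\]+\.exe", low):
                findings.append(Finding(sec, "service binary directly under C:\\WINDOWS", line))
        elif (sec == "O2" and "(no name)" in line
              and "(no file)" not in line and FILE_MISSING not in line):
            findings.append(Finding(sec, "unnamed BHO backed by a real file", line))
        if FILE_MISSING in line:
            # Typical after a binary was deleted by hand but its registry
            # entry was left behind, as happened in this thread.
            findings.append(Finding(sec, "entry points at a deleted file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```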



#2 SifuMike

SifuMike

    malware expert



Posted 19 May 2008 - 02:18 PM

Hello ferrari51592,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world!

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free Avast, AntiVir, or AVG antivirus.

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

After you run the antivirus program and remove the viruses, run Deckard's System Scanner (DSS) again and post the log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ferrari51592

Posted 21 May 2008 - 09:46 PM

Hi guys, I did what you said and here is the log. Thanks:

Deckard's System Scanner v20071014.68
Run by Jesus on 2008-05-21 21:31:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Jesus.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:51 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jesus\Desktop\dss.exe
C:\DOCUME~1\Jesus\Desktop\Jesus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7B7170F8-6300-4E47-8F5D-16CA329D6632} - C:\WINDOWS\System32\rqRJBQii.dll (file missing)
O2 - BHO: (no name) - {90CB3768-065A-4A65-90BA-067A86D37A50} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206835374366
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)

--
End of file - 8206 bytes

-- Files created between 2008-04-21 and 2008-05-21 -----------------------------

2008-05-21 20:33:40 0 d-------- C:\Program Files\Alwil Software
2008-05-12 21:37:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:21:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-12 19:58:44 0 d-------- C:\WINDOWS\provisioning
2008-05-04 13:35:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32:49 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-04 13:31:35 9728 --a------ C:\WINDOWS\cdsm32.dll
2008-05-04 13:31:35 32000 --a------ C:\WINDOWS\bokja.exe
2008-05-03 17:11:10 15616 --a------ C:\WINDOWS\voiceip.dll
2008-05-03 17:11:10 25344 --a------ C:\WINDOWS\swin32.dll
2008-05-03 17:11:06 8192 --a------ C:\WINDOWS\mssvr.exe
2008-05-03 17:11:06 12288 --a------ C:\WINDOWS\mspphe.dll
2008-05-03 17:10:54 22016 --a------ C:\WINDOWS\saiemod.dll
2008-05-03 17:10:53 27392 --a------ C:\WINDOWS\msapasrc.dll
2008-05-03 17:10:52 17152 --a------ C:\WINDOWS\msa64chk.dll
2008-05-03 17:10:50 19968 --a------ C:\WINDOWS\shdocpl.dll
2008-05-03 17:10:49 16896 --a------ C:\WINDOWS\shdocpe.dll
2008-05-03 17:10:49 22016 --a------ C:\WINDOWS\ntnut.exe
2008-05-03 17:10:48 29184 --a------ C:\WINDOWS\winsb.dll
2008-05-03 17:10:48 22784 --a------ C:\WINDOWS\browserad.dll
2008-05-03 17:10:47 32768 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-03 17:10:46 15616 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-03 17:10:46 27904 --a------ C:\WINDOWS\avifile32.dll
2008-05-03 17:10:46 17664 --a------ C:\WINDOWS\autodisc32.dll
2008-05-03 17:10:46 28160 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-03 17:10:45 27648 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-03 17:10:44 28416 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-03 17:10:43 14592 --a------ C:\WINDOWS\athprxy32.dll
2008-05-03 17:10:43 19712 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-03 17:10:43 28416 --a------ C:\WINDOWS\asferror32.dll
2008-05-03 17:10:42 21760 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-03 17:10:42 21248 --a------ C:\WINDOWS\apphelp32.dll
2008-05-03 16:58:40 15725 --ahs---- C:\WINDOWS\system32\iiQBJRqr.ini2
2008-05-03 16:35:34 0 d-------- C:\Program Files\QdrPack
2008-05-03 16:35:10 0 d-------- C:\Program Files\QdrModule
2008-05-03 16:35:08 0 d-------- C:\Program Files\QdrDrive
2008-05-03 16:35:05 0 d-------- C:\Program Files\ISM
2008-05-03 15:20:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 15:19:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-03 15:18:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-03 15:18:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-03 15:17:57 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-03 15:17:42 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-27 22:33:52 0 d-------- C:\Program Files\NSVtools
2008-04-26 17:35:51 0 d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34:50 0 d-------- C:\Program Files\ImgBurn
2008-04-25 18:36:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36:31 0 d-------- C:\Program Files\DVD Flick
2008-04-21 20:48:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-05-21 20:09:55 0 d-------- C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-12 21:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 19:59:37 0 d-------- C:\Program Files\Messenger
2008-05-12 19:58:46 0 d-------- C:\Program Files\Movie Maker
2008-05-12 19:50:46 0 d-------- C:\Program Files\Windows NT
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files
2008-05-03 17:04:57 0 d-------- C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 13:23:16 0 d-------- C:\Program Files\LimeWire
2008-04-25 06:32:35 0 d-------- C:\Program Files\Azureus
2008-04-19 10:04:22 0 d-------- C:\Documents and Settings\Jesus\Application Data\Adobe
2008-04-19 10:04:14 0 d-------- C:\Program Files\Google
2008-04-18 20:42:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 13:27:40 0 d-------- C:\Program Files\Common Files\NSV
2008-04-13 13:26:39 0 d-------- C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-13 13:26:37 0 d-------- C:\Program Files\Winamp
2008-04-11 23:00:00 0 d-------- C:\Program Files\Cedelia
2008-04-10 18:08:59 0 d-------- C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-29 18:39:26 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2008-03-24 13:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 09:24:57 0 d-------- C:\Program Files\SBC Self Support Tool
2008-03-20 14:54:40 1158 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B7170F8-6300-4E47-8F5D-16CA329D6632}]
C:\WINDOWS\System32\rqRJBQii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90CB3768-065A-4A65-90BA-067A86D37A50}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 04:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 06:23 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 01:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 08:05 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 08:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" []
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" []
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" []
"Messenger"="C:\PROGRA~1\QUICKH~1\SCANMSG.EXE" []
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 01:49 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 08:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/15/2008 12:10:35 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,userinit.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\rqRJBQii

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\System32\msnvl.exe



-- End of Deckard's System Scanner: finished at 2008-05-21 21:33:11 ------------




thanks

#4 SifuMike

    malware expert

Posted 21 May 2008 - 11:07 PM

Hello ferrari51592,

You are very infected so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Avast Antivirus before running ComboFix, as it will prevent it from running.

To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT. It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 21 May 2008 - 11:08 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ferrari51592


Posted 23 May 2008 - 09:33 PM

Again I did what you said and here is the ComboFix log you asked for, thanks again for all your help:

ComboFix 08-05-21.3 - Jesus 2008-05-23 21:16:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT -5:00]
Running from: C:\Documents and Settings\Jesus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jesus\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jesus\Application Data\inst.exe
C:\Documents and Settings\Jesus\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Jesus\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Jesus\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Google\googletoolbar1.dll
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\123messenger.per
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\iiQBJRqr.ini
C:\WINDOWS\system32\iiQBJRqr.ini2
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_MSSECURITY1.209.4
-------\Service_Iprip
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-21 20:33 . 2008-05-21 20:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-17 13:17 . 2008-05-17 13:17 <DIR> d-------- C:\Deckard
2008-05-12 21:37 . 2008-05-12 21:37 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-12 21:36 . 2008-05-12 21:39 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 21:36 . 2008-05-12 21:39 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 20:16 . 2008-05-12 20:51 <DIR> d-------- C:\SDFix
2008-05-12 20:06 . 2008-05-12 20:06 2,694 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-12 20:02 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-12 19:58 . 2008-05-12 19:58 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-12 19:43 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002940_.tmp
2008-05-04 13:35 . 2008-05-04 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32 . 2008-05-04 13:32 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32 . 2008-05-18 08:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-03 17:09 . 2008-05-09 20:37 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-03 15:18 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\Program Files\NSVtools
2008-04-26 17:35 . 2008-04-26 17:35 <DIR> d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34 . 2008-04-26 17:34 <DIR> d-------- C:\Program Files\ImgBurn
2008-04-25 18:36 . 2008-04-25 18:36 <DIR> d-------- C:\Program Files\DVD Flick
2008-04-25 18:36 . 2008-04-26 23:59 <DIR> d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\richtx32.ocx
2008-04-25 18:36 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\system32\mbmouse.ocx
2008-04-25 18:36 . 2000-11-05 15:27 36,864 --a------ C:\WINDOWS\system32\trayicon.ocx
2008-04-25 18:32 . 2008-05-03 17:37 107 --a------ C:\WINDOWS\IfoEdit.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 02:16 --------- d-----w C:\Program Files\Google
2008-05-22 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-22 01:09 --------- d-----w C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-13 02:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-13 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 22:04 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 18:23 --------- d-----w C:\Program Files\LimeWire
2008-04-25 23:47 9,618 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2008-04-25 11:32 --------- d-----w C:\Program Files\Azureus
2008-04-19 01:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-13 18:27 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-13 18:26 --------- d-----w C:\Program Files\Winamp
2008-04-13 18:26 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-12 04:00 --------- d-----w C:\Program Files\Cedelia
2008-04-11 03:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-10 23:08 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-24 18:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-24 14:24 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-02-25 16:44 603,176 ----a-w C:\autoruns.exe
2008-02-25 16:44 513,064 ----a-w C:\autorunsc.exe
2008-02-13 03:54 81,920 ----a-w C:\Documents and Settings\Jesus\Application Data\ezpinst.exe
2008-02-13 03:54 47,360 ----a-w C:\Documents and Settings\Jesus\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B7170F8-6300-4E47-8F5D-16CA329D6632}]
C:\WINDOWS\System32\rqRJBQii.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 20:42 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 04:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 06:23 75520]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05 257088]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 08:51 442455]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" [ ]
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" [ ]
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" [ ]
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 13:49 36352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-03-15 00:10:35 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"3540:UDP"= 3540:UDP:@xpsp2res.dll,-22011

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 00:59]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-08-17 07:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\System32\msnvl.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 01:42:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-20 22:28:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-04-10 23:26:37 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 21:21:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-05-23 21:26:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 02:26:10

Pre-Run: 16,645,050,368 bytes free
Post-Run: 16,600,145,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

233 --- E O F --- 2008-05-17 17:53:31



Thanks

#6 SifuMike

    malware expert


Posted 23 May 2008 - 10:16 PM

Hi ferrari51592,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\002940_.tmp
C:\WINDOWS\System32\msnvl.exe

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B7170F8-6300-4E47-8F5D-16CA329D6632}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#7 ferrari51592


Posted 23 May 2008 - 11:17 PM

Here are both logs, ComboFix log first and then HijackThis log, thanks:


ComboFix 08-05-21.3 - Jesus 2008-05-23 22:58:16.2 - NTFSx86
Running from: C:\Documents and Settings\Jesus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jesus\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\002940_.tmp
C:\WINDOWS\System32\msnvl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\002940_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-21 20:33 . 2008-05-21 20:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-17 13:17 . 2008-05-17 13:17 <DIR> d-------- C:\Deckard
2008-05-12 21:37 . 2008-05-12 21:37 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-12 21:36 . 2008-05-12 21:39 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-12 21:36 . 2008-05-12 21:39 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-12 20:16 . 2008-05-12 20:51 <DIR> d-------- C:\SDFix
2008-05-12 20:06 . 2008-05-12 20:06 2,694 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-12 20:02 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-12 19:58 . 2008-05-12 19:58 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-04 13:35 . 2008-05-04 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32 . 2008-05-04 13:32 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32 . 2008-05-18 08:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-03 17:09 . 2008-05-09 20:37 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-03 15:18 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\Program Files\NSVtools
2008-04-26 17:35 . 2008-04-26 17:35 <DIR> d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34 . 2008-04-26 17:34 <DIR> d-------- C:\Program Files\ImgBurn
2008-04-25 18:36 . 2008-04-25 18:36 <DIR> d-------- C:\Program Files\DVD Flick
2008-04-25 18:36 . 2008-04-26 23:59 <DIR> d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\richtx32.ocx
2008-04-25 18:36 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\system32\mbmouse.ocx
2008-04-25 18:36 . 2000-11-05 15:27 36,864 --a------ C:\WINDOWS\system32\trayicon.ocx
2008-04-25 18:32 . 2008-05-03 17:37 107 --a------ C:\WINDOWS\IfoEdit.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 02:16 --------- d-----w C:\Program Files\Google
2008-05-22 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-22 01:09 --------- d-----w C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-13 02:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-13 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 22:04 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 18:23 --------- d-----w C:\Program Files\LimeWire
2008-04-25 23:47 9,618 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2008-04-25 11:32 --------- d-----w C:\Program Files\Azureus
2008-04-19 01:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-13 18:27 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-13 18:26 --------- d-----w C:\Program Files\Winamp
2008-04-13 18:26 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-12 04:00 --------- d-----w C:\Program Files\Cedelia
2008-04-11 03:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-10 23:08 --------- d-----w C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-24 18:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-24 14:24 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-03-12 21:55 155,995 ----a-w C:\WINDOWS\java\Packages\0VDBJFZD.ZIP
2008-02-25 16:44 603,176 ----a-w C:\autoruns.exe
2008-02-25 16:44 513,064 ----a-w C:\autorunsc.exe
2008-02-13 03:54 81,920 ----a-w C:\Documents and Settings\Jesus\Application Data\ezpinst.exe
2008-02-13 03:54 47,360 ----a-w C:\Documents and Settings\Jesus\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_21.25.47.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 02:20:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 04:01:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 04:02:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_394.dat
+ 2008-05-24 04:02:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 20:42 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 04:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 06:23 75520]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05 257088]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 08:51 442455]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" [ ]
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" [ ]
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" [ ]
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 13:49 36352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-03-15 00:10:35 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"3540:UDP"= 3540:UDP:@xpsp2res.dll,-22011

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 00:59]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-08-17 07:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 01:42:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-20 22:28:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-04-10 23:26:37 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 23:02:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-05-23 23:07:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 04:07:39
ComboFix2.txt 2008-05-24 02:26:24

Pre-Run: 16,613,474,304 bytes free
Post-Run: 16,600,981,504 bytes free

167 --- E O F --- 2008-05-17 17:53:31



HijackThis log:


Deckard's System Scanner v20071014.68
Run by Jesus on 2008-05-23 23:10:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Jesus.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:09 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jesus\Desktop\dss.exe
C:\DOCUME~1\Jesus\Desktop\Jesus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206835374366
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)

--
End of file - 7959 bytes

-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 21:16:15 0 d-------- C:\cmdcons
2008-05-23 21:15:00 68096 --a------ C:\WINDOWS\zip.exe
2008-05-23 21:15:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-23 21:15:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-23 21:15:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-23 21:15:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-23 21:15:00 98816 --a------ C:\WINDOWS\sed.exe
2008-05-23 21:15:00 80412 --a------ C:\WINDOWS\grep.exe
2008-05-23 21:15:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-21 20:33:40 0 d-------- C:\Program Files\Alwil Software
2008-05-12 21:37:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:21:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-12 19:58:44 0 d-------- C:\WINDOWS\provisioning
2008-05-04 13:35:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32:49 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-03 15:20:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 15:19:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-03 15:18:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-03 15:18:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-27 22:33:52 0 d-------- C:\Program Files\NSVtools
2008-04-26 17:35:51 0 d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34:50 0 d-------- C:\Program Files\ImgBurn
2008-04-25 18:36:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36:31 0 d-------- C:\Program Files\DVD Flick


-- Find3M Report ---------------------------------------------------------------

2008-05-23 21:16:54 0 d-------- C:\Program Files\Google
2008-05-21 20:09:55 0 d-------- C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-12 21:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 19:59:37 0 d-------- C:\Program Files\Messenger
2008-05-12 19:58:46 0 d-------- C:\Program Files\Movie Maker
2008-05-12 19:50:46 0 d-------- C:\Program Files\Windows NT
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files
2008-05-03 17:04:57 0 d-------- C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 13:23:16 0 d-------- C:\Program Files\LimeWire
2008-04-25 06:32:35 0 d-------- C:\Program Files\Azureus
2008-04-19 10:04:22 0 d-------- C:\Documents and Settings\Jesus\Application Data\Adobe
2008-04-18 20:42:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 13:27:40 0 d-------- C:\Program Files\Common Files\NSV
2008-04-13 13:26:39 0 d-------- C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-13 13:26:37 0 d-------- C:\Program Files\Winamp
2008-04-11 23:00:00 0 d-------- C:\Program Files\Cedelia
2008-04-10 18:08:59 0 d-------- C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-29 18:39:26 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2008-03-24 13:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 09:24:57 0 d-------- C:\Program Files\SBC Self Support Tool
2008-03-20 14:54:40 1158 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 04:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 06:23 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 01:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 08:05 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 08:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" []
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" []
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" []
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 01:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 08:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/15/2008 12:10:35 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-23 23:12:21 ------------

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:26 AM

Posted 24 May 2008 - 12:06 AM

Hi ferrari51592,

Total Physical Memory: 248 MiB (512 MiB recommended).


DSS says you only have 238 MB RAM on this computer. :thumbsup: You need at least 512 MB for a speedy computer. Adding more RAM is an inexpensive way to speed your computer. :)


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)



Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixService.bat


@echo off
REM Stop the orphaned Quick Heal helper service, then remove its registration
sc stop ScanWscS
REM The service binary (scanwscs.exe) is already missing, so only the registry entry remains
sc delete ScanWscS
exit

Double-click FixService.bat.
It should now look like this icon.

Posted Image

Now double-click this file; you won't see much happen.
A window will open and close. This is normal.
A quick flash is about all.
Then you may delete the FixService.bat file we just made.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new HijackThis log, and tell me how your computer is running.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ferrari51592

ferrari51592
  • Topic Starter

  • Members
  • 26 posts
  • Local time:12:26 PM

Posted 24 May 2008 - 09:20 AM

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"


Hi, I was just wondering: what do you mean by "select the following with HijackThis"?

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:26 AM

Posted 24 May 2008 - 12:25 PM

"select the following with hijack this" means put a check mark in the boxes for these three items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)

Edited by SifuMike, 24 May 2008 - 12:27 PM.


#11 ferrari51592

ferrari51592
  • Topic Starter

  • Members
  • 26 posts
  • Local time:12:26 PM

Posted 24 May 2008 - 01:05 PM

Hi, where exactly do I go, or what do I do, to check those three items?
thanks

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:26 AM

Posted 24 May 2008 - 04:34 PM

Please run HijackThis and click "Scan." Place checks next to the following entries:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)


Close all browsers and other windows except for HijackThis, and click "Fix checked", then follow the rest of my fix.

#13 ferrari51592

ferrari51592
  • Topic Starter

  • Members
  • 26 posts
  • Local time:12:26 PM

Posted 24 May 2008 - 06:55 PM

Hi, thanks for everything. It seems to be back to normal, except the blue screen on my desktop came on. Do I just change the desktop? Are there any precautions I should take, or should I install anything that might prevent this from happening again? Also, I am going to install the new version of Java. Thanks, here's the log. Again, thanks:

Deckard's System Scanner v20071014.68
Run by Jesus on 2008-05-24 18:21:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Jesus.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:00 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Jesus\Desktop\dss.exe
C:\DOCUME~1\Jesus\Desktop\Jesus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206835374366
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7044 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 18:11:18 0 dr-h----- C:\Documents and Settings\Jesus\Recent
2008-05-24 18:07:40 0 d-------- C:\Program Files\CCleaner
2008-05-23 21:16:15 0 d-------- C:\cmdcons
2008-05-23 21:15:00 68096 --a------ C:\WINDOWS\zip.exe
2008-05-23 21:15:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-23 21:15:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-23 21:15:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-23 21:15:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-23 21:15:00 98816 --a------ C:\WINDOWS\sed.exe
2008-05-23 21:15:00 80412 --a------ C:\WINDOWS\grep.exe
2008-05-23 21:15:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-21 20:33:40 0 d-------- C:\Program Files\Alwil Software
2008-05-12 21:37:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:21:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-12 19:58:44 0 d-------- C:\WINDOWS\provisioning
2008-05-04 13:35:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32:49 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-03 15:20:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 15:19:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-03 15:18:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-03 15:18:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-27 22:33:52 0 d-------- C:\Program Files\NSVtools
2008-04-26 17:35:51 0 d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34:50 0 d-------- C:\Program Files\ImgBurn
2008-04-25 18:36:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36:31 0 d-------- C:\Program Files\DVD Flick


-- Find3M Report ---------------------------------------------------------------

2008-05-24 09:27:06 0 d-------- C:\Program Files\Java
2008-05-23 21:16:54 0 d-------- C:\Program Files\Google
2008-05-21 20:09:55 0 d-------- C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-12 21:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 19:59:37 0 d-------- C:\Program Files\Messenger
2008-05-12 19:58:46 0 d-------- C:\Program Files\Movie Maker
2008-05-12 19:50:46 0 d-------- C:\Program Files\Windows NT
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files
2008-05-03 17:04:57 0 d-------- C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 13:23:16 0 d-------- C:\Program Files\LimeWire
2008-04-25 06:32:35 0 d-------- C:\Program Files\Azureus
2008-04-19 10:04:22 0 d-------- C:\Documents and Settings\Jesus\Application Data\Adobe
2008-04-18 20:42:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 13:27:40 0 d-------- C:\Program Files\Common Files\NSV
2008-04-13 13:26:39 0 d-------- C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-13 13:26:37 0 d-------- C:\Program Files\Winamp
2008-04-11 23:00:00 0 d-------- C:\Program Files\Cedelia
2008-04-10 18:08:59 0 d-------- C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-29 18:39:26 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2008-03-24 13:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 09:24:57 0 d-------- C:\Program Files\SBC Self Support Tool
2008-03-20 14:54:40 1158 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 04:50 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 01:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 08:05 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 08:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" []
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" []
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" []
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 01:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 08:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/15/2008 12:10:35 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-24 18:23:16 ------------

Edited by ferrari51592, 24 May 2008 - 06:58 PM.


#14 SifuMike (malware expert, Members, 15,385 posts, Gender: Male, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 24 May 2008 - 07:56 PM

Hi,

except the blue screen on my desktop came on. Do I just change the desktop?


Yes,
Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit

Are there any precautions I should take, or should I install anything that might prevent this from happening again?

After I see you are up to date and clean, I will give you recommendations to prevent malware infection.


Also, I am going to install the new version of Java.


I told you to do that the first thing in my fix. :thumbsup:
Install the new Java then post a fresh Hijackthis log.

Edited by SifuMike, 24 May 2008 - 07:57 PM.


#15 ferrari51592 (Topic Starter, Members, 26 posts)

Posted 25 May 2008 - 12:33 AM

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.

Apply.
Apply and Exit


I told you to do that the first thing in my fix. :thumbsup:
Install the new Java then post a fresh Hijackthis log.


First, I couldn't get the blue screen off because there was nothing there except "My current home page", and "Lock desktop items" was unchecked.
Second, I'm sorry that I didn't install Java first, but I couldn't download a 15 MB file with dial-up :) Anyway, I installed it now and here is the new log. Thanks:

Deckard's System Scanner v20071014.68
Run by Jesus on 2008-05-25 00:16:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Jesus.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:05 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Jesus\Desktop\dss.exe
C:\DOCUME~1\Jesus\Desktop\Jesus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\EmlProxy.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206835374366
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7205 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 00:12:32 0 d-------- C:\Program Files\Common Files\Java
2008-05-24 18:47:41 0 d-------- C:\WINDOWS\LastGood
2008-05-24 18:11:18 0 dr-h----- C:\Documents and Settings\Jesus\Recent
2008-05-24 18:07:40 0 d-------- C:\Program Files\CCleaner
2008-05-23 21:16:15 0 d-------- C:\cmdcons
2008-05-23 21:15:00 68096 --a------ C:\WINDOWS\zip.exe
2008-05-23 21:15:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-23 21:15:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-23 21:15:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-23 21:15:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-23 21:15:00 98816 --a------ C:\WINDOWS\sed.exe
2008-05-23 21:15:00 80412 --a------ C:\WINDOWS\grep.exe
2008-05-23 21:15:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-21 20:33:40 0 d-------- C:\Program Files\Alwil Software
2008-05-12 21:37:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:21:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-12 19:58:44 0 d-------- C:\WINDOWS\provisioning
2008-05-04 13:35:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-04 13:32:51 0 d-------- C:\Program Files\Common Files\iS3
2008-05-04 13:32:49 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-03 15:20:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 15:19:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-03 15:18:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-03 15:18:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-27 22:33:52 0 d-------- C:\Program Files\NSVtools
2008-04-26 17:35:51 0 d-------- C:\Documents and Settings\Jesus\Application Data\ImgBurn
2008-04-26 17:34:50 0 d-------- C:\Program Files\ImgBurn
2008-04-25 18:36:47 0 d-------- C:\Documents and Settings\Jesus\Application Data\DVD Flick
2008-04-25 18:36:31 0 d-------- C:\Program Files\DVD Flick


-- Find3M Report ---------------------------------------------------------------

2008-05-25 00:13:31 0 d-------- C:\Program Files\Java
2008-05-25 00:12:32 0 d-------- C:\Program Files\Common Files
2008-05-23 21:16:54 0 d-------- C:\Program Files\Google
2008-05-21 20:09:55 0 d-------- C:\Documents and Settings\Jesus\Application Data\AVG7
2008-05-12 21:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 19:59:37 0 d-------- C:\Program Files\Messenger
2008-05-12 19:58:46 0 d-------- C:\Program Files\Movie Maker
2008-05-12 19:50:46 0 d-------- C:\Program Files\Windows NT
2008-05-03 17:04:57 0 d-------- C:\Documents and Settings\Jesus\Application Data\Azureus
2008-05-03 13:23:16 0 d-------- C:\Program Files\LimeWire
2008-04-25 06:32:35 0 d-------- C:\Program Files\Azureus
2008-04-19 10:04:22 0 d-------- C:\Documents and Settings\Jesus\Application Data\Adobe
2008-04-18 20:42:09 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 13:27:40 0 d-------- C:\Program Files\Common Files\NSV
2008-04-13 13:26:39 0 d-------- C:\Documents and Settings\Jesus\Application Data\Winamp
2008-04-13 13:26:37 0 d-------- C:\Program Files\Winamp
2008-04-11 23:00:00 0 d-------- C:\Program Files\Cedelia
2008-04-10 18:08:59 0 d-------- C:\Documents and Settings\Jesus\Application Data\Uniblue
2008-03-29 18:39:26 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2008-03-20 14:54:40 1158 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 04:50 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 02:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 01:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 08:05 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 08:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Email Protection"="C:\PROGRA~1\QUICKH~1\EmlProxy.exe" []
"Update Scheduler"="C:\PROGRA~1\QUICKH~1\UPSCHD.exe" []
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" []
"Startup Scan"="C:\PROGRA~1\QUICKH~1\Sensor.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 01:49 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Yahoo! Pager"="1" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 08:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/15/2008 12:10:35 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-25 00:18:01 ------------
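Since this thread is almost entirely HijackThis and Deckard's System Scanner output, here is a small added triage script for logs of that shape. It is written for this page and is not part of HijackThis, DSS, or any of the posts above. It flags the kinds of lines a helper reads first: O4 Run values that are not a program path (like the `[Yahoo! Pager] 1` entry above), O15 sites added to the IE Trusted Zone, O16 ActiveX CABs pulled from third-party hosts, O23 services whose binary is missing or has no vendor, and Run values for which DSS printed an empty `[]` instead of a file timestamp. The sample lines are constructed in the shape of the logs above, the trusted-host list is an assumption of the example, and reading an empty `[]` as "DSS could not find the target" is a heuristic, not something the DSS output itself states. Every hit is a prompt to check, not a verdict of malware.

```python
"""Triage helper for HijackThis 2.0 / Deckard's System Scanner logs.

Added example for this thread; not part of HijackThis, DSS or any post above.
The sample lines are constructed in the shape of the logs in the thread, and
every rule is a review heuristic, not a malware verdict.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines (HijackThis section of a DSS log).
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [Email Protection] C:\\PROGRA~1\\QUICKH~1\\EmlProxy.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] 1
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/muweb_site.cab
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\\PROGRA~1\\QUICKH~1\\scanwscs.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Constructed sample lines (DSS "Registry Dump" section). DSS prints the
# target file's timestamp in brackets; this example treats an empty [] as
# "DSS could not find the file" (an assumption, not a documented DSS rule).
SAMPLE_REGDUMP = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" [03/14/2007 08:05 PM]
"Email Protection"="C:\\PROGRA~1\\QUICKH~1\\EmlProxy.exe" []
"On-Line Protection"="C:\\PROGRA~1\\QUICKH~1\\CATEYE.EXE" []
"""

# Hosts from which an O16 (Download Program Files / ActiveX) CAB is expected.
# Assumed list for this example; extend it for your own environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Finding reasons, kept as constants so callers can match on them.
NOT_A_PATH = "Run value is not an executable path"
TRUSTED_ZONE = "site added to the IE Trusted Zone (weaker security settings)"
THIRD_PARTY_CAB = "ActiveX control downloaded from a third-party host"
FILE_MISSING = "service is registered but its binary is missing"
UNKNOWN_OWNER = "service has no vendor information"
NO_STAMP = "DSS recorded no file timestamp; target may be missing"

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<src>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')


def _looks_like_path(cmd):
    """A Run value should name a program: drive letter, UNC path or %VAR%."""
    return re.search(r"[A-Za-z]:\\|\\\\|%\w+%", cmd) is not None


def _is_trusted_host(host):
    """Exact match or a sub-domain of a trusted host (no bare suffix match)."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_hjt(text):
    """Return (section, item, reason) tuples for HijackThis lines worth a look."""
    findings = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            if not _looks_like_path(m["cmd"]):
                findings.append(("O4", m["name"], NOT_A_PATH))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("O15", line.split(":", 1)[1].strip(), TRUSTED_ZONE))
        elif m := O16_RE.match(line):
            host = urlparse(m["src"]).hostname  # None for a local DLL path
            if host and not _is_trusted_host(host):
                findings.append(("O16", m["desc"], f"{THIRD_PARTY_CAB} {host}"))
        elif m := O23_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(("O23", m["desc"], FILE_MISSING))
            elif m["vendor"] == "Unknown owner":
                findings.append(("O23", m["desc"], UNKNOWN_OWNER))
    return findings


def triage_regdump(text):
    """Flag Run values in the DSS registry dump whose target got no timestamp."""
    findings = []
    for line in text.splitlines():
        if (m := REG_VALUE_RE.match(line)) and not m["stamp"] and _looks_like_path(m["cmd"]):
            findings.append(("Run", m["name"], NO_STAMP))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage_hjt(SAMPLE_HJT) + triage_regdump(SAMPLE_REGDUMP):
        print(f"{section:4} {item:45} {reason}")
```

Run as-is it prints the findings for the embedded sample; for a real log, read the saved text and pass the HijackThis part to `triage_hjt` and the "Registry Dump" part to `triage_regdump`. The script deliberately stops at "look here": an O15 entry for an ISP domain, for instance, is something a reviewer confirms with the user rather than removes blind.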



