

Help...i Guess


This topic is locked
2 replies to this topic

#1 slicer4ever

  • Members
  • 1 posts

Posted 22 May 2008 - 03:12 AM

Well, I think this is the right place anywho; I was pointed here by the guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Anyways, it said to post my HijackThis log and ComboFix log, but first the problem:

Lately I've gotten A LOT!! of pop-ups, and I do mean a lot. I've run AVG virus scan, Norton AntiVirus 2005 (yea, I know...), and Spy Sweeper continuously. Spy Sweeper keeps finding cookies and deleting them; however, the next time I open up Firefox or IE, on the very next scan they're all back, and they just keep popping up and up and UP!! Anyways, any help is appreciated =-)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:58 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?p...mp;mo=&sid=
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MySite Toolbar - {4E7BD74F-2B8D-469E-D7EA-F67FAD98FA7D} - C:\PROGRA~1\mysite\mysite1.dll
O2 - BHO: {ccd5e5ee-d92a-dbe8-d194-866ebcc23e5e} - {e5e32ccb-e668-491d-8ebd-a29dee5e5dcc} - C:\WINDOWS\system32\xwycyxjq.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\efcDVmNF.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MySite Toolbar - {4E7BD74F-2B8D-469E-D7EA-F67FAD98FA7D} - C:\PROGRA~1\mysite\mysite1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MySite Search - file://C:\Program Files\MYSITE\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O20 - Winlogon Notify: efcDVmNF - efcDVmNF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6838 bytes


And ComboFix log:

ComboFix 08-05-21.2 - HP_Administrator 2008-05-22 3:41:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.522 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\FNTS~1
C:\Documents and Settings\HP_Administrator\Application Data\FNTS~1\chkdsk.exe
C:\Documents and Settings\HP_Administrator\Application Data\FNTS~1\F?nts\
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\web buying
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM49c8ba33.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ansayniw.dll
C:\WINDOWS\system32\atnoxjca.dll
C:\WINDOWS\system32\atsgkung.dll
C:\WINDOWS\system32\awtutTjJ.dll
C:\WINDOWS\system32\bbvwyvys.dll
C:\WINDOWS\system32\BcISAyxx.ini
C:\WINDOWS\system32\BcISAyxx.ini2
C:\WINDOWS\system32\catwbhth.dll
C:\WINDOWS\system32\cntbubit.ini
C:\WINDOWS\system32\cynkmjwe.dll
C:\WINDOWS\system32\diadpndn.ini
C:\WINDOWS\system32\dndwtpjj.exe
C:\WINDOWS\system32\easvspuc.dll
C:\WINDOWS\system32\ebtautkg.exe
C:\WINDOWS\system32\ecifgenq.dll
C:\WINDOWS\system32\eebettgs.exe
C:\WINDOWS\system32\ewjmknyc.ini
C:\WINDOWS\system32\ficurjax.dll
C:\WINDOWS\system32\fpicwqqb.exe
C:\WINDOWS\system32\fqtilrdr.ini
C:\WINDOWS\system32\fqyhwepd.exe
C:\WINDOWS\system32\fyesxurt.exe
C:\WINDOWS\system32\giagsjxh.ini
C:\WINDOWS\system32\gnukgsta.ini
C:\WINDOWS\system32\hjwkshbv.dll
C:\WINDOWS\system32\hthbwtac.ini
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iglypcfm.exe
C:\WINDOWS\system32\iojhajcs.dll
C:\WINDOWS\system32\ixmegsnn.exe
C:\WINDOWS\system32\kldlojyc.dll
C:\WINDOWS\system32\mbujqtkx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oxeyvphp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phpvyexo.dll
C:\WINDOWS\system32\pjwrarul.exe
C:\WINDOWS\system32\plhvclte.dll
C:\WINDOWS\system32\pmvloqun.ini
C:\WINDOWS\system32\pqgbbrsq.dll
C:\WINDOWS\system32\psxthsrk.dll
C:\WINDOWS\system32\pxhyywwr.exe
C:\WINDOWS\system32\qelqvvpd.exe
C:\WINDOWS\system32\qolwosaw.exe
C:\WINDOWS\system32\qputjjka.exe
C:\WINDOWS\system32\qsrbbgqp.ini
C:\WINDOWS\system32\qtokctkv.dll
C:\WINDOWS\system32\rcisihqc.dll
C:\WINDOWS\system32\rdrlitqf.dll
C:\WINDOWS\system32\rkiylciu.dll
C:\WINDOWS\system32\ruombutg.dll
C:\WINDOWS\system32\rvrwpafh.dll
C:\WINDOWS\system32\scgpfkkk.exe
C:\WINDOWS\system32\scjahjoi.ini
C:\WINDOWS\system32\soonmejy.dll
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stem32~1\w?nword.exe
C:\WINDOWS\system32\tglxiqvo.dll
C:\WINDOWS\system32\ubhuvirl.ini
C:\WINDOWS\system32\ukfeorwm.dll
C:\WINDOWS\system32\uscafsnl.dll
C:\WINDOWS\system32\vqhxqney.ini
C:\WINDOWS\system32\vwmexhus.dll
C:\WINDOWS\system32\wdqucnom.dll
C:\WINDOWS\system32\wwcyisnv.dll
C:\WINDOWS\system32\wwpghfpa.dll
C:\WINDOWS\system32\xxyASIcB.dll
C:\WINDOWS\system32\yenqxhqv.dll
C:\WINDOWS\system32\yiukegty.dll
C:\WINDOWS\system32\ytlpirgb.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 03:48 . 2008-05-22 03:48 <DIR> d-------- C:\Temp\tn3
2008-05-22 00:35 . 2008-05-22 00:35 115,200 --a------ C:\WINDOWS\system32\hxjsgaig.dll
2008-05-22 00:32 . 2008-05-22 00:32 134,656 --a------ C:\WINDOWS\system32\xwycyxjq.dll
2008-05-22 00:29 . 2008-05-22 00:29 125,440 --a------ C:\WINDOWS\system32\jbccmmku.dll
2008-05-21 23:47 . 2004-12-01 06:54 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-20 21:21 . 2008-05-20 21:21 134,656 --a------ C:\WINDOWS\system32\kxoeuejh.dll
2008-05-20 21:18 . 2008-05-20 21:18 117,248 --a------ C:\WINDOWS\system32\lrivuhbu.dll
2008-05-20 21:16 . 2008-05-20 21:16 125,952 --a------ C:\WINDOWS\system32\cruasney.dll
2008-05-20 12:44 . 2008-05-20 12:44 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2008-05-20 12:43 . 2008-05-20 12:43 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Webroot
2008-05-20 12:42 . 2005-03-15 14:53 <DIR> d-------- C:\Documents and Settings\Guest\WINDOWS
2008-05-20 12:42 . 2005-03-15 14:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Symantec
2008-05-20 12:42 . 2005-03-15 14:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2008-05-20 12:42 . 2005-03-15 14:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\InterMute
2008-05-20 12:42 . 2005-03-15 14:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-05-20 12:42 . 2008-05-22 03:49 <DIR> d-------- C:\Documents and Settings\Guest
2008-05-18 03:02 . 2008-05-18 03:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 19:23 . 2008-05-17 19:23 <DIR> d-------- C:\WINDOWS\Mozilla
2008-05-17 12:57 . 2008-05-17 12:57 <DIR> d-------- C:\New Folder
2008-05-16 20:27 . 2008-05-17 20:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 20:27 . 2008-05-16 20:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:33 . 2008-05-12 20:33 <DIR> d-------- C:\depression
2008-05-12 20:08 . 2008-05-12 20:08 <DIR> d-------- C:\selfAssessment
2008-05-11 13:04 . 2008-05-11 13:04 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-10 11:18 . 2008-05-10 11:18 294 ---hs---- C:\WINDOWS\system32\oeljqgjb.ini
2008-05-08 23:01 . 2008-05-11 15:21 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-08 23:01 . 2008-05-08 23:01 <DIR> d-------- C:\Temp\maxsv15

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 07:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\.purple
2008-05-22 05:49 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AVG7
2008-05-14 22:28 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-05-11 02:48 --------- d-----w C:\Program Files\ConTEXT
2008-05-09 03:01 41,723 --sh--w C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-05-08 23:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-16 01:34 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-16 01:30 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-25 18:06 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Microsoft Games
2008-03-25 17:59 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-25 17:56 --------- d-----w C:\Program Files\Microsoft Games
2005-05-29 15:16 251 ----a-w C:\Program Files\wt3d.ini
2002-03-06 01:41 679,936 ----a-w C:\Program Files\NPSWF32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-D7EA-F67FAD98FA7D}]
2005-09-30 10:32 1281536 --a------ C:\PROGRA~1\mysite\mysite1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e5e32ccb-e668-491d-8ebd-a29dee5e5dcc}]
2008-05-22 00:32 134656 --a------ C:\WINDOWS\system32\xwycyxjq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
C:\WINDOWS\system32\efcDVmNF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-D7EA-F67FAD98FA7D}"= "C:\PROGRA~1\mysite\mysite1.dll" [2005-09-30 10:32 1281536]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-d7ea-f67fad98fa7d}]
[HKEY_CLASSES_ROOT\mysite1.MYSITE]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-D7EA-F67FAD98FA7D}"= C:\PROGRA~1\mysite\mysite1.dll [2005-09-30 10:32 1281536]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-d7ea-f67fad98fa7d}]
[HKEY_CLASSES_ROOT\mysite1.MYSITE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-12-14 20:32 3404800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 15:34 58992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 21:46 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINDOWS\system32\efcDVmNF.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDVmNF]
efcDVmNF.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4afb89af]
C:\WINDOWS\system32\rdrlitqf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aGPwg]
C:\WINDOWS\plhwsfm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-04-12 01:10 65536 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 03:09 221056 C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-04-06 18:53 2805248 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apgbip]
c:\windows\apgbip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-19 08:10 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM49c8ba33]
C:\WINDOWS\system32\easvspuc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-03-23 15:34 58992 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 00:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 07:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 20:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-12-01 06:55 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 07:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 07:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 05:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-12-01 07:00 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 08:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 10:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 16:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nprnv]
C:\WINDOWS\system32\??stem32\w?nword.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2004-10-25 10:17 90112 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 09:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]
C:\DOCUME~1\HP_ADM~1\APPLIC~1\FNTS~1\chkdsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-04-06 18:57 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2005-12-14 20:32 3404800 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-28 17:21 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-03-15 15:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMP54GSSVC"=2 (0x2)
"SymWSC"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NPFMntor"=2 (0x2)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"KodakCCS"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AOL ACS"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"C:\\Program Files\\3DO\\Heroes 3 Complete\\HEROES3.ICD"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Lionhead Studios\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\MicroProse\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-12-14 20:06]
R1 tosdvdd;tosdvdd;C:\WINDOWS\system32\drivers\tosdvdd.sys [2008-03-08 18:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 05:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-05-22 07:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-05-21 18:42:00 C:\WINDOWS\Tasks\{38931675-3B34-44E6-AD2A-9F8D3A94DC92}_YOUR-55E5F9E3D2_HP_Administrator.job"
- C:\WINDOWS\system32\mobsync.exeU /Schedule=
"2008-05-21 14:00:00 C:\WINDOWS\Tasks\{82BD75C0-AD55-445C-8490-CCD90913D015}_YOUR-55E5F9E3D2_HP_Administrator.job"
- C:\WINDOWS\system32\mobsync.exeU /Schedule=
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 03:48:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-22 3:56:20 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-05-22 07:56:17

Pre-Run: 9,824,112,640 bytes free
Post-Run: 11,318,915,072 bytes free

352 --- E O F --- 2008-05-18 07:02:18

Ummm.... yea, can't wait for a reply.
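A triage script for logs like the one in the post above, added here as an example; it is not part of the original post and not a HijackThis, ComboFix or BleepingComputer tool. It parses HijackThis-style entries and gives each one a point per independent indicator that the posted log actually shows: a load point whose file is gone, an O20 Winlogon Notify package, an O4 Run key in the SYSTEM or Default user hive, an O10 LSP entry outside the whitelist, a BHO with no friendly name, and an eight-letter module in system32 with almost no vowels. The sample lines are copied from the log above (two benign ones are kept for contrast); the thresholds, reason strings and `Finding` type are assumptions of this example, not anything from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: entries copied verbatim from the HijackThis log posted above,
# with two benign lines (the Acrobat BHO and a Symantec service) kept in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {ccd5e5ee-d92a-dbe8-d194-866ebcc23e5e} - {e5e32ccb-e668-491d-8ebd-a29dee5e5dcc} - C:\WINDOWS\system32\xwycyxjq.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\efcDVmNF.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: efcDVmNF - efcDVmNF.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_NAME_RE = re.compile(r"^BHO: (?P<name>.+?) - \{")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A module in system32 whose base name is exactly eight letters: the naming pattern that
# recurs throughout the posted logs (xwycyxjq.dll, efcDVmNF.dll, awtutTjJ.dll, ...).
SYS32_8LETTER_RE = re.compile(r"\\system32\\(?P<name>[A-Za-z]{8})\.(?:dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    kind: str
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per independent indicator; a higher score means look here first.
        return len(self.reasons)


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis entry, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    f = Finding(kind=kind, line=line.strip())

    if "(file missing)" in body:
        f.reasons.append("load point references a file that is no longer on disk (orphaned registration)")
    if kind == "O20":
        f.reasons.append("Winlogon Notify package: loads into winlogon.exe at every logon")
    if kind == "O4" and ("S-1-5-18" in body or ".DEFAULT" in body):
        f.reasons.append("Run key in the SYSTEM or Default user hive, not a normal user autostart")
    if kind == "O10":
        f.reasons.append("Winsock LSP not on the HijackThis whitelist: review, do not delete blindly")
    bho = BHO_NAME_RE.match(body)
    if bho and (bho.group("name") == "(no name)" or GUID_RE.match(bho.group("name"))):
        f.reasons.append("BHO registered without a friendly name")
    sys32 = SYS32_8LETTER_RE.search(body)
    if sys32:
        name = sys32.group("name")
        # Generated names tend to be vowel-poor; real module names usually are not.
        if sum(c in VOWELS for c in name) <= 1:
            f.reasons.append(f"random-looking 8-letter module name in system32: {name}")
    return f


def triage(log_text: str) -> List[Finding]:
    """Entries with at least one indicator, highest score first (stable for ties)."""
    findings = [f for f in map(analyze_line, log_text.splitlines()) if f and f.reasons]
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.kind}: {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

The score is a reading order, not a verdict. The O10 line shows why: nwprovau.dll is Microsoft's Client Service for NetWare provider, which HijackThis lists only because it is not on its whitelist, so the script surfaces it for review and the vowel heuristic correctly gives it no extra point. The entries that score highest are the two nameless BHOs (efcDVmNF.dll and xwycyxjq.dll) and the Winlogon Notify registration that still points at the missing efcDVmNF.dll; those are what a helper would want to look at first, and the ComboFix log above shows it had already deleted a long list of DLLs with the same naming pattern.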


#2 pskelley

  • Members
  • 1,487 posts

Posted 31 May 2008 - 03:42 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A HijackThis Log (Instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

Looks like ComboFix already removed a load of junk. If you are still having problems, start with a new HijackThis log using Add Reply, describe any symptoms, and we will work from there.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

  • Members
  • 1,487 posts

Posted 08 June 2008 - 07:42 AM

There has been no response to this topic in a week.
This topic is closed.
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
