Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware And Pop Ups/ Computer 2


  • This topic is locked This topic is locked
14 replies to this topic

#1 mwagner17

mwagner17

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 03 June 2008 - 12:58 PM

Hello,

I have a computer that is getting pop ups to remove spyware/malware and google is redirecting to other sites.

Here is a hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:41 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\t8938zl1h5w.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA} - c:\windows\system32\xahuipe.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.jdpower.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file:///D:/autorun/atSdaCfg.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://powerkatalyst.jdpower.com/download/CfxIEAx.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab46783.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file:///D:/autorun/PC-CONFIG-CHECK.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133294282890
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab51411.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://games.myway.com/games/gamehouse/Fee...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O20 - Winlogon Notify: inhyhvkw - C:\WINDOWS\SYSTEM32\xahuipe.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10521 bytes


Thank you!!!
Matt

BC AdBot (Login to Remove)

 


#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 29 June 2008 - 02:39 AM

Hello mwaqner17,

I apologise for the delay. The forum is too busy.

If you still need help, post a new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 30 June 2008 - 07:16 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:21 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\t8938zl1h5w.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adp\ws2000\ws2000.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA} - c:\windows\system32\xahuipe.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.jdpower.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file:///D:/autorun/atSdaCfg.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://powerkatalyst.jdpower.com/download/CfxIEAx.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab46783.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file:///D:/autorun/PC-CONFIG-CHECK.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133294282890
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab51411.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://games.myway.com/games/gamehouse/Fee...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O20 - Winlogon Notify: inhyhvkw - C:\WINDOWS\SYSTEM32\xahuipe.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9928 bytes

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 01 July 2008 - 06:22 AM

Hello mwaqner17,

You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use), from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\Program Files\Pixwares\WinClock\winclock.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
VIEWPOINT-OPTIONAL

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
----------------------------------------------
Post back:
Jotti results.
A new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 01 July 2008 - 01:24 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:59 AM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Reflection\r2win.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adp\ws2000\ws2000.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA} - c:\windows\system32\xahuipe.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [t8938zl1h5w] C:\WINDOWS\system32\t8938zl1h5w.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.jdpower.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file:///D:/autorun/atSdaCfg.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://powerkatalyst.jdpower.com/download/CfxIEAx.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab46783.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file:///D:/autorun/PC-CONFIG-CHECK.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133294282890
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab51411.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://games.myway.com/games/gamehouse/Fee...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O20 - Winlogon Notify: inhyhvkw - C:\WINDOWS\SYSTEM32\xahuipe.dll
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe

--
End of file - 10304 bytes


Scan taken on 01 Jul 2008 17:33:17 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



Thanks!!!!

#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 01 July 2008 - 02:28 PM

Hello mwaqner17,

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
All 015 lines
All 016 lines


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 02 July 2008 - 01:19 PM

Thank you. I actaully have to keep all of the Honda links in the trusted sites, required to run their software needed.
Here are my new logs:

ComboFix 08-07-01.5 - Administrator 2008-07-02 10:57:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.422 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xahuipe.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WFZXHAEZ
-------\Service_wfzxhaez


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 09:23 . 2008-07-01 09:23 <DIR> d-------- C:\Program Files\Avira
2008-07-01 09:23 . 2008-07-01 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-10 19:07 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-03 10:54 . 2008-06-03 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 09:19 . 2008-06-03 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 09:19 . 2008-06-03 09:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-02 12:02 . 2008-06-02 12:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\qjkvqhii

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 17:43 --------- d-----w C:\Program Files\Virtools Web Player 3.5
2008-07-01 16:23 --------- d-----w C:\Program Files\Viewpoint
2008-07-01 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 22:46 --------- d-----w C:\Program Files\Google
2008-06-22 22:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-22 22:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 23:05 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-06-01 23:05 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\qjkvqhii
2008-05-12 18:17 --------- d-----w C:\Program Files\sda
2008-05-12 18:16 --------- d-----w C:\Program Files\smartagent
2008-05-12 18:16 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-05-12 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2005-11-30 23:39 774,144 ----a-w C:\Program Files\RngInterstitial.dll
1996-11-29 06:35 185,643 ----a-w C:\Documents and Settings\Administrator\LATIN.EXE
1994-02-23 17:58 55,264 ----a-w C:\Documents and Settings\Administrator\QPRO200.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_10.03.03.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
- 2008-06-03 16:51:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 18:03:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 01:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-05-14 10:02:54 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-11 10:02:29 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-05-14 10:02:54 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-11 10:02:29 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-05-14 10:02:54 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-11 10:02:28 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-05-14 10:02:54 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-11 10:02:29 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-05-14 10:02:54 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-11 10:02:29 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-05-14 10:02:54 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-11 10:02:29 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-05-14 10:02:54 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-11 10:02:29 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-05-14 10:02:54 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-11 10:02:29 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-05-14 10:02:54 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-11 10:02:28 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-05-14 10:02:54 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-11 10:02:29 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-05-14 10:02:54 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-11 10:02:28 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-05-14 10:02:54 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-11 10:02:28 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2003-07-16 16:33:55 103,424 ----a-w C:\WINDOWS\system32\cnrpbvj.dll
- 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-02 01:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-24 05:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-01-22 01:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-22 01:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 20:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
- 2003-07-16 16:33:55 22,016 ----a-w C:\WINDOWS\system32\drivers\ixvvakfx.sys
+ 2003-07-16 16:33:55 23,424 ----a-w C:\WINDOWS\system32\drivers\ixvvakfx.sys
+ 2007-03-01 17:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2003-07-16 16:33:55 22,016 ----a-w C:\WINDOWS\system32\drivers\visnvldr.sys
+ 2003-07-16 16:33:55 23,424 ----a-w C:\WINDOWS\system32\drivers\visnvldr.sys
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-02 01:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-24 05:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2003-07-16 16:33:55 45,824 ----a-w C:\WINDOWS\system32\qbfpqcrz.dat
+ 2003-07-16 16:33:55 46,848 ----a-w C:\WINDOWS\system32\qbfpqcrz.dat
- 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2006-10-16 23:10:58 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2003-07-16 16:33:55 211,200 ----a-w C:\WINDOWS\system32\sykokigy.dat
+ 2003-07-16 16:33:55 209,664 ----a-w C:\WINDOWS\system32\sykokigy.dat
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2003-07-16 16:33:55 81,408 ----a-w C:\WINDOWS\system32\xahuipe.dll
+ 2003-07-16 16:33:55 103,424 ----a-w C:\WINDOWS\system32\xahuipe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA}]
2003-07-16 09:33 103424 --a------ c:\windows\system32\xahuipe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinClock"="C:\Program Files\Pixwares\WinClock\winclock.exe" [2005-11-02 23:50 430080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09 266240]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 14:39 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-09 17:31 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-09 17:31 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IOGEAR\\IOGEAR MFP Utility\\RMVUSB.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\smartagent\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\smartagent\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\smartagent\\bin\\sprtcmd.exe"=
"C:\\Program Files\\smartagent\\bin\\sprtsvc.exe"=
"C:\\Program Files\\smartagent\\bin\\tgshell.exe"=
"C:\\Program Files\\smartagent\\bin\\tgsrvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"25202:TCP"= 25202:TCP:@xpsp2res.dll,-22009

R0 visnvldr;visnvldr;C:\WINDOWS\system32\drivers\visnvldr.sys [2003-07-16 09:33]
R2 sprtsvc_smartagent;SupportSoft Sprocket Service (smartagent);C:\Program Files\smartagent\bin\sprtsvc.exe [2007-10-03 09:04]
R2 tgsrvc_smartagent;SupportSoft Repair Service (smartagent);C:\Program Files\smartagent\bin\tgsrvc.exe [2007-10-03 09:04]
R3 ROOTUSB;MFP Server USB Root Driver;C:\WINDOWS\system32\Drivers\ROOTUSB.sys [2005-12-20 14:31]
R3 vusbbus;ZOT BUS DRIVER;C:\WINDOWS\system32\DRIVERS\vusbbus.sys [2005-09-12 14:35]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2007-11-05 10:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 18:06:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-02 15:22:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{8AB5D231-8543-4BF2-92BE-897657DF54AC}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll
BHO-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll
Toolbar-ID - (no file)
HKCU-Run-t8938zl1h5w - C:\WINDOWS\system32\t8938zl1h5w.exe
HKLM-Run-t8938zl1h5w - C:\WINDOWS\system32\t8938zl1h5w.exe
HKLM-Run-1A:Stardock TrayMonitor - (no file)
HKLM-RunServices-1A:Stardock TrayMonitor - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 11:08:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
.
**************************************************************************
.
Completion time: 2008-07-02 11:15:27 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-02 18:14:30
ComboFix2.txt 2008-06-10 22:27:57
ComboFix3.txt 2008-06-03 17:04:26

Pre-Run: 30,997,000,192 bytes free
Post-Run: 31,065,014,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

353 --- E O F --- 2008-07-02 07:05:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:45 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA} - c:\windows\system32\xahuipe.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe

--
End of file - 6533 bytes

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 02 July 2008 - 03:33 PM

Hello mwaqner17,

I see Combofix run on this machine more than once. Did you run it yourself?
Part from A guide and tutorial on using ComboFix

Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer. Instead you should use this guide to download and run ComboFix and then post the resulting log in a forum that contains helpers who understand how to diagnose them. These helpers will then help you clean your computer of infections so that it is running properly again

.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll (file missing)
O15 - Trusted Zone: http://www.msn.com << no need for this to be in your Trusted Zone, except if you have problems visiting the site.


Are all these sites are related to honda and you intentionally added them in your Trusted Zone? Fix the ones you do not recognise.

O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.xmradio.com


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/150397/malware-and-pop-ups-computer-2/
    
    KillAll::
    
    Collect::
    c:\windows\system32\xahuipe.dll
    C:\WINDOWS\system32\cnrpbvj.dll
    C:\WINDOWS\system32\drivers\ixvvakfx.sys
    C:\WINDOWS\system32\drivers\visnvldr.sys
    C:\WINDOWS\system32\qbfpqcrz.dat
    C:\WINDOWS\system32\sykokigy.dat
    
    Folder::
    C:\Program Files\Viewpoint
    C:\Documents and Settings\Administrator\Application Data\qjkvqhii
    C:\Documents and Settings\NetworkService\Application Data\qjkvqhii
    C:\Program Files\Symantec
    
    Driver::
    ixvvakfx
    visnvldr
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BAB4452-5FB7-4A4D-89DA-BB9A64926AEA}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#9 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 02 July 2008 - 07:58 PM

Yes, I added all of the Honda/Acura/XM sites. Required for work :thumbsup:

Here are the new logs:

Malwarebytes' Anti-Malware 1.19
Database version: 916
Windows 5.1.2600 Service Pack 2

5:54:37 PM 7/2/2008
mbam-log-7-2-2008 (17-54-37).txt

Scan type: Quick Scan
Objects scanned: 40585
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 08-07-01.5 - Administrator 2008-07-02 17:03:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.518 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\qjkvqhii
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\profiles.ini
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\cert8.db
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\compatibility.ini
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\compreg.dat
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\cookies.sqlite
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\formhistory.sqlite
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\key3.db
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\localstore.rdf
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\permissions.sqlite
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\places.sqlite-journal
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\places.sqlite
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\pluginreg.dat
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\prefs.js
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\secmod.db
C:\Documents and Settings\Administrator\Application Data\qjkvqhii\Profiles\q7p2sins.default\xpti.dat
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\profiles.ini
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\cert8.db
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\compatibility.ini
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\compreg.dat
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\cookies.sqlite
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\formhistory.sqlite
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\key3.db
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\localstore.rdf
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\permissions.sqlite
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\places.sqlite-journal
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\places.sqlite
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\pluginreg.dat
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\prefs.js
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\secmod.db
C:\Documents and Settings\NetworkService\Application Data\qjkvqhii\Profiles\t2upnjpd.default\xpti.dat
C:\Program Files\Symantec
C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\Program Files\Symantec\LiveUpdate\LUALL.HLP
C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServerPS.DLL
C:\Program Files\Symantec\LiveUpdate\LUINFO.INF
C:\Program Files\Symantec\LiveUpdate\LUInit.exe
C:\Program Files\Symantec\LiveUpdate\LUInit.ini
C:\Program Files\Symantec\LiveUpdate\LUINSDLL.DLL
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Program Files\Symantec\LiveUpdate\NetDetectController.DLL
C:\Program Files\Symantec\LiveUpdate\ProductRegCom.DLL
C:\Program Files\Symantec\LiveUpdate\README.TXT
C:\Program Files\Symantec\LiveUpdate\S32LIVE1.DLL
C:\Program Files\Symantec\LiveUpdate\S32LUCP1.CPL
C:\Program Files\Symantec\LiveUpdate\S32LUIS1.DLL
C:\Program Files\Symantec\LiveUpdate\S32LUWI1.DLL
C:\Program Files\Symantec\pcAnywhere\50comupd.exe
C:\Program Files\Symantec\pcAnywhere\ABOUTEXT.DLL
C:\Program Files\Symantec\pcAnywhere\AboutExtRes.dll
C:\Program Files\Symantec\pcAnywhere\ANYWHERE.BIN
C:\Program Files\Symantec\pcAnywhere\aw32prn.dll
C:\Program Files\Symantec\pcAnywhere\aw32ser.dll
C:\Program Files\Symantec\pcAnywhere\aw32tcp.dll
C:\Program Files\Symantec\pcAnywhere\awcfgmgr.dll
C:\Program Files\Symantec\pcAnywhere\awchat.dll
C:\Program Files\Symantec\pcAnywhere\awcm32.dll
C:\Program Files\Symantec\pcAnywhere\awconn32.dll
C:\Program Files\Symantec\pcAnywhere\AWCP.DLL
C:\Program Files\Symantec\pcAnywhere\awds32.dll
C:\Program Files\Symantec\pcAnywhere\awdsp32.dll
C:\Program Files\Symantec\pcAnywhere\awgui32.dll
C:\Program Files\Symantec\pcAnywhere\awhk32.dll
C:\Program Files\Symantec\pcAnywhere\awhlogon.dll
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe.manifest
C:\Program Files\Symantec\pcAnywhere\awhost32.TXT
C:\Program Files\Symantec\pcAnywhere\awhpilot.dll
C:\Program Files\Symantec\pcAnywhere\AWHPROBE.EXE
C:\Program Files\Symantec\pcAnywhere\AWHPROBEDLL.DLL
C:\Program Files\Symantec\pcAnywhere\awhseq.dll
C:\Program Files\Symantec\pcAnywhere\awhutil.dll
C:\Program Files\Symantec\pcAnywhere\AWHXPRB.DLL
C:\Program Files\Symantec\pcAnywhere\awio.dll
C:\Program Files\Symantec\pcAnywhere\AwioResources.dll
C:\Program Files\Symantec\pcAnywhere\awofrwrk.dll
C:\Program Files\Symantec\pcAnywhere\awplay32.dll
C:\Program Files\Symantec\pcAnywhere\awPlay32Resources.dll
C:\Program Files\Symantec\pcAnywhere\awras32.exe
C:\Program Files\Symantec\pcAnywhere\awrasapi.dll
C:\Program Files\Symantec\pcAnywhere\awres-all.dll
C:\Program Files\Symantec\pcAnywhere\awres-host.dll
C:\Program Files\Symantec\pcAnywhere\awses32.dll
C:\Program Files\Symantec\pcAnywhere\awtime32.dll
C:\Program Files\Symantec\pcAnywhere\AWWIZ32.DLL
C:\Program Files\Symantec\pcAnywhere\awxfer.dll
C:\Program Files\Symantec\pcAnywhere\awxferui.cnt
C:\Program Files\Symantec\pcAnywhere\awxferui.dll
C:\Program Files\Symantec\pcAnywhere\awxferui.hlp
C:\Program Files\Symantec\pcAnywhere\AWXferUIResources.dll
C:\Program Files\Symantec\pcAnywhere\bhTempl.BHF
C:\Program Files\Symantec\pcAnywhere\CERTCONS.EXE
C:\Program Files\Symantec\pcAnywhere\ciTempl.CIF
C:\Program Files\Symantec\pcAnywhere\crypshim.dll
C:\Program Files\Symantec\pcAnywhere\crypto.dll
C:\Program Files\Symantec\pcAnywhere\CryptoAddressBook.reg
C:\Program Files\Symantec\pcAnywhere\CryptoFile.reg
C:\Program Files\Symantec\pcAnywhere\CryptoIE.reg
C:\Program Files\Symantec\pcAnywhere\DefaultConfig.dll
C:\Program Files\Symantec\pcAnywhere\DSBrowserResources.dll
C:\Program Files\Symantec\pcAnywhere\dundata.dll
C:\Program Files\Symantec\pcAnywhere\ehandres.dll
C:\Program Files\Symantec\pcAnywhere\emptypca.hlp
C:\Program Files\Symantec\pcAnywhere\END-USER.RTF
C:\Program Files\Symantec\pcAnywhere\FTStatus.dll
C:\Program Files\Symantec\pcAnywhere\FTStatusResources.dll
C:\Program Files\Symantec\pcAnywhere\host.cnt
C:\Program Files\Symantec\pcAnywhere\Host.hlp
C:\Program Files\Symantec\pcAnywhere\IMPLODE.DLL
C:\Program Files\Symantec\pcAnywhere\InstData.dll
C:\Program Files\Symantec\pcAnywhere\intgstat.exe
C:\Program Files\Symantec\pcAnywhere\iscustom.dll
C:\Program Files\Symantec\pcAnywhere\LOADTAPI.DLL
C:\Program Files\Symantec\pcAnywhere\LocalEng.dll
C:\Program Files\Symantec\pcAnywhere\MachKey.exe
C:\Program Files\Symantec\pcAnywhere\machkeyResources.dll
C:\Program Files\Symantec\pcAnywhere\OPTIONS.REG
C:\Program Files\Symantec\pcAnywhere\PACKSUM.TXT
C:\Program Files\Symantec\pcAnywhere\pca.product
C:\Program Files\Symantec\pcAnywhere\pca_HAT.chm
C:\Program Files\Symantec\pcAnywhere\pca_run.exe
C:\Program Files\Symantec\pcAnywhere\pcaauth.dll
C:\Program Files\Symantec\pcAnywhere\PCACMNDG.dll
C:\Program Files\Symantec\pcAnywhere\pcahome.product
C:\Program Files\Symantec\pcAnywhere\PCAIME.DLL
C:\Program Files\Symantec\pcAnywhere\PowerMgr.dll
C:\Program Files\Symantec\pcAnywhere\README.TXT
C:\Program Files\Symantec\pcAnywhere\S32PCAG.DLL
C:\Program Files\Symantec\pcAnywhere\SAEng.dll
C:\Program Files\Symantec\pcAnywhere\slaunch.exe
C:\Program Files\Symantec\pcAnywhere\STOPHOST.EXE
C:\Program Files\Symantec\pcAnywhere\tapildrResources.dll
C:\Program Files\Symantec\pcAnywhere\TRAYICON.DLL
C:\Program Files\Symantec\pcAnywhere\Util.dll
C:\Program Files\Symantec\pcAnywhere\winaw32.cnt
C:\Program Files\Symantec\pcAnywhere\winaw32.exe
C:\Program Files\Symantec\pcAnywhere\winaw32.exe.manifest
C:\Program Files\Symantec\pcAnywhere\winaw32.hlp
C:\Program Files\Symantec\S32EVNT1.DLL
C:\Program Files\Symantec\SYMEVENT.CAT
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Symantec\SYMEVENT.SYS
C:\Program Files\Symantec\SYMEVNT.386
C:\Program Files\Symantec\SYMEVNT1.DLL
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\atmosphere.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ExtremeShot.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\WINDOWS\system32\cnrpbvj.dll
C:\WINDOWS\system32\drivers\ixvvakfx.sys
C:\WINDOWS\system32\drivers\visnvldr.sys
C:\WINDOWS\system32\qbfpqcrz.dat
C:\WINDOWS\system32\sykokigy.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VISNVLDR
-------\Service_visnvldr


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-01 09:23 . 2008-07-01 09:23 <DIR> d-------- C:\Program Files\Avira
2008-07-01 09:23 . 2008-07-01 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-10 19:07 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-03 10:54 . 2008-06-03 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 09:19 . 2008-06-03 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 09:19 . 2008-06-03 09:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 17:43 --------- d-----w C:\Program Files\Virtools Web Player 3.5
2008-07-01 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 22:46 --------- d-----w C:\Program Files\Google
2008-06-22 22:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-22 22:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 23:05 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-12 18:17 --------- d-----w C:\Program Files\sda
2008-05-12 18:16 --------- d-----w C:\Program Files\smartagent
2008-05-12 18:16 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-05-12 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2005-11-30 23:39 774,144 ----a-w C:\Program Files\RngInterstitial.dll
1996-11-29 06:35 185,643 ----a-w C:\Documents and Settings\Administrator\LATIN.EXE
1994-02-23 17:58 55,264 ----a-w C:\Documents and Settings\Administrator\QPRO200.DLL
.

((((((((((((((((((((((((((((( snapshot_2008-07-02_11.14.08.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 18:03:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 00:07:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C366450-B62A-44AD-9E7B-A7F4B16283A5}]
C:\WINDOWS\system32\atmpvcnor.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinClock"="C:\Program Files\Pixwares\WinClock\winclock.exe" [2005-11-02 23:50 430080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09 266240]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 14:39 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-09 17:31 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-09 17:31 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IOGEAR\\IOGEAR MFP Utility\\RMVUSB.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\smartagent\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\smartagent\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\smartagent\\bin\\sprtcmd.exe"=
"C:\\Program Files\\smartagent\\bin\\sprtsvc.exe"=
"C:\\Program Files\\smartagent\\bin\\tgshell.exe"=
"C:\\Program Files\\smartagent\\bin\\tgsrvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"25202:TCP"= 25202:TCP:@xpsp2res.dll,-22009

R2 sprtsvc_smartagent;SupportSoft Sprocket Service (smartagent);C:\Program Files\smartagent\bin\sprtsvc.exe [2007-10-03 09:04]
R2 tgsrvc_smartagent;SupportSoft Repair Service (smartagent);C:\Program Files\smartagent\bin\tgsrvc.exe [2007-10-03 09:04]
R3 ROOTUSB;MFP Server USB Root Driver;C:\WINDOWS\system32\Drivers\ROOTUSB.sys [2005-12-20 14:31]
R3 vusbbus;ZOT BUS DRIVER;C:\WINDOWS\system32\DRIVERS\vusbbus.sys [2005-09-12 14:35]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2007-11-05 10:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

*Newly Created Service* - VISNVLDR
.
Contents of the 'Scheduled Tasks' folder
"2008-07-03 00:10:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-02 15:22:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{8AB5D231-8543-4BF2-92BE-897657DF54AC}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 17:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
.
**************************************************************************
.
Completion time: 2008-07-02 17:15:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-03 00:14:10
ComboFix2.txt 2008-07-02 18:15:29
ComboFix3.txt 2008-06-10 22:27:57
ComboFix4.txt 2008-06-03 17:04:26

Pre-Run: 31,053,402,112 bytes free
Post-Run: 31,028,293,632 bytes free

335 --- E O F --- 2008-07-02 07:05:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:25 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://199.194.181.129/apps/common/include...ONFIG-CHECK.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe

--
End of file - 6457 bytes

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 03 July 2008 - 06:12 AM

Hello mwaqner17,

Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following file:

C:\WINDOWS\system32\drivers\visnvldr.sys

Right click and remove it.
Let me know if you find and removed it.
------------------------------------------------
RENAME HIJACKTHIS

Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.

Edited by chryssi2001, 03 July 2008 - 06:36 AM.

Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#11 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 03 July 2008 - 02:00 PM

The file, C:\WINDOWS\system32\drivers\visnvldr.sys was not there. Looked and searched, but was not there.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:15 AM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adp\ws2000\ws2000.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://199.194.181.129/apps/common/include...ONFIG-CHECK.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe

--
End of file - 6611 bytes

#12 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 03 July 2008 - 02:28 PM

Hello mwaqner17,

The file, C:\WINDOWS\system32\drivers\visnvldr.sys was not there. Looked and searched, but was not there.

I am glad it's gone. :thumbsup:
--------------------------------------------
There is a stubborn bad line. Please try to remove it once again.

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {3C366450-B62A-44AD-9E7B-A7F4B16283A5} - C:\WINDOWS\system32\atmpvcnor.dll (file missing)


Then close all windows except Hijackthis and click Fix Checked

Then scan again and see if the line is still there. If yes, try to remove it in Safe mode.
You might save all these instructions in Notepad, as you won't have Internet access in Safe mode.

Here is how you can go in Safe mode:
Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Now try to remove the above stubborn file.

Let me know how it went, or post a new HijackThis log from Normal mode.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#13 mwagner17

mwagner17
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 03 July 2008 - 04:38 PM

It removed it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:27 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\smartagent\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smartagent\bin\tgsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Pixwares\WinClock\winclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WinClock] C:\Program Files\Pixwares\WinClock\winclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.hondapqr.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/c...tingActiveX.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://199.194.181.129/apps/common/include...ONFIG-CHECK.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda.com/wi/ActiveX/RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.honda.com/rraaauto/programs/...EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F08A1B3-0BEC-49BD-814A-302AC2CAF1A8}: NameServer = 208.186.47.5,208.186.46.5
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (smartagent) (sprtsvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (smartagent) (tgsrvc_smartagent) - SupportSoft, Inc. - C:\Program Files\smartagent\bin\tgsrvc.exe

--
End of file - 6345 bytes

#14 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 04 July 2008 - 12:02 AM

Hello waqner17,

It removed it.

Very Good. :thumbsup:
----------------------------------------------
Do you use this program or is it a remainant?

Symantec pcAnywhere
----------------------------------------------
Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply and a description of how your PC is behaving now.

Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#15 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 10 July 2008 - 12:06 PM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users