Repost - I think I have malware on my computer - Deckard and HijackThis results


  • This topic is locked
16 replies to this topic

#1 pianoman36

  • Members
  • 21 posts

Posted 15 July 2008 - 02:43 PM

When I go to IE, then try to go to a web page, it will sit there then go to another web page and not the one I wanted. I can never go to the web page I want. I tried to go to the microsoft.com web page to download and it will never pull up. My AVG 8.0 will not update, my Spybot will not run, and I keep getting PCprivacy, XP Antivirus 2008, other web pages I can't mention on here. I don't know where this is coming from. Here is what I have done:
1. I have downloaded several virus scans and burned them to a disc on my laptop, then ran them. I ran Exterminate It!, AVG 8, Deckard's System Scanner - will post later.

2. I have gone to Safe Mode and ran everything too, and still nothing.

Any suggestions?
Thanks, Gary

Here are the Hijackthis results:


Logfile of HijackThis v1.99.1
Scan saved at 11:10:36 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {88BD6C7F-49B8-4873-AF65-38706E659377} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [47525846701499502661902029172512] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197842298137
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3C5E.dat,avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe




Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-14 22:11:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
100: 2008-07-15 03:11:41 UTC - RP318 - Deckard's System Scanner Restore Point
99: 2008-07-14 20:52:26 UTC - RP317 - Removed iTunes
98: 2008-07-13 20:47:13 UTC - RP316 - Installed AVG Free 8.0
97: 2008-07-13 19:47:34 UTC - RP315 - Advanced Registry Optimizer Sun, Jul 13, 08 14:47
96: 2008-07-13 19:44:29 UTC - RP314 - ADVANCED REGISTRY OPTIMIZER - FIRST RUN


-- First Restore Point --
1: 2008-07-12 18:46:32 UTC - RP219 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-14 22:14:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {4BE0156A-5B2F-4269-B1E9-A60036E3FB10} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55DD6327-38B5-4B6E-9700-C28017AFE41A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F0C5A977-B06E-4BBD-B7C8-B28A3616AEFF} - C:\WINDOWS\system32\mlJBQIBQ.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O2 - BHO: (no name) - {F9E4F99D-D4A8-4535-973A-D8316CD6E1F6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {88BD6C7F-49B8-4873-AF65-38706E659377} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [47525846701499502661902029172512] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197842298137
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} () - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} () - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3C5E.dat,avgrsstx.dll
O20 - Winlogon Notify: qoMeFyVm - C:\WINDOWS\system32\qoMeFyVm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


--
End of file - 9330 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 LNE100 (Linksys LNE100TX(v5) Fast Ethernet Adapter) - c:\windows\system32\drivers\lne100v5.sys <Not Verified; LinkSys Group Inc.; Linksys LNE100TX(v5) Fast Ethernet Adapter>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 sati1rax - c:\docume~1\owner\locals~1\temp\sati1rax.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-08 08:25:38 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 22:07:35 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-07-14 22:07:33 0 d-------- C:\Program Files\SpywareBlaster
2008-07-14 02:15:58 0 d-------- C:\Program Files\Exterminate It!
2008-07-14 01:10:01 0 d-------- C:\VundoFix Backups
2008-07-13 19:56:18 116864 --a------ C:\WINDOWS\system32\kdyyhf.dll
2008-07-13 19:56:17 116864 --a------ C:\WINDOWS\system32\rhdelbsp.dll
2008-07-13 16:16:37 0 d--h----- C:\$AVG8.VAULT$
2008-07-13 15:48:19 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 15:48:17 0 d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-13 15:47:47 0 d-------- C:\Program Files\AVG
2008-07-13 15:47:47 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 23:06:17 0 d-------- C:\Program Files\VirusRemover2008
2008-07-12 19:52:20 116864 --a------ C:\WINDOWS\system32\aqnywx.dll
2008-07-12 19:52:19 116864 --a------ C:\WINDOWS\system32\dxfohyvj.dll
2008-07-12 13:49:20 116864 --a------ C:\WINDOWS\system32\nqycqz.dll
2008-07-12 13:49:19 116864 --a------ C:\WINDOWS\system32\riihkvrt.dll
2008-07-12 13:46:18 268788 --ahs---- C:\WINDOWS\system32\QBIQBJlm.ini2
2008-07-12 13:46:10 322816 --a------ C:\WINDOWS\system32\mlJBQIBQ.dll
2008-07-12 13:42:10 33152 --a------ C:\WINDOWS\system32\ddcDuVom.dll
2008-07-12 13:42:07 33152 --a------ C:\WINDOWS\system32\awtqnkHA.dll
2008-07-12 13:40:50 33152 --a------ C:\WINDOWS\system32\nnnkKdax.dll
2008-07-12 13:39:15 401408 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-12 13:39:15 163840 --a------ C:\WINDOWS\espk.exe
2008-07-12 13:39:14 192512 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-12 13:39:14 348160 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-12 13:38:27 0 d-------- C:\Program Files\VAV
2008-07-12 13:38:23 30208 --a------ C:\WINDOWS\Sys6F.exe
2008-07-12 13:38:20 0 d-------- C:\Program Files\PCHealthCenter
2008-07-10 20:23:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-18 01:20:09 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2008-07-13 12:22:12 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-07-12 23:59:26 0 d-------- C:\Program Files\OpenOffice.org1.1.1b
2008-07-12 21:15:47 0 d-------- C:\Program Files\Common Files
2008-07-12 21:12:39 0 d-------- C:\Program Files\Java
2008-06-06 16:48:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-06 16:46:30 0 d-------- C:\Program Files\iTunes
2008-06-06 16:46:08 0 d-------- C:\Program Files\iPod
2008-06-06 16:43:51 0 d-------- C:\Program Files\QuickTime
2008-06-06 16:35:56 0 d-------- C:\Program Files\Common Files\Apple
2008-06-06 16:27:56 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 03:02:19 0 d-------- C:\Program Files\MSXML 4.0
2008-06-04 08:08:00 0 d-------- C:\Program Files\HP
2008-06-04 08:07:58 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-26 21:04:16 0 d-------- C:\Program Files\GRETECH
2008-05-26 21:04:14 0 d-------- C:\Program Files\CoreAAC
2008-05-25 11:54:44 0 d-------- C:\Program Files\Yahoo!
2008-05-25 09:38:30 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-17 00:22:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-05-17 00:20:28 0 d-------- C:\Program Files\InterActual


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BE0156A-5B2F-4269-B1E9-A60036E3FB10}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55DD6327-38B5-4B6E-9700-C28017AFE41A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/13/2008 03:48 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0C5A977-B06E-4BBD-B7C8-B28A3616AEFF}]
07/12/2008 01:46 PM 322816 --a------ C:\WINDOWS\system32\mlJBQIBQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4F99D-D4A8-4535-973A-D8316CD6E1F6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/13/2008 03:48 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 03:51 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 11:42 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 03:55 PM]
"RegPowerClean"="C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [10/23/2003 07:51 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [01/13/2006 01:58 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/13/2008 03:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"ares"="C:\Program Files\Ares\Ares.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"47525846701499502661902029172512"="C:\Program Files\XP Antivirus\xpa.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/09/2008 01:22 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMeFyVm]
qoMeFyVm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c00C3C5E.dat,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJBQIBQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee49d5f5-8462-11dc-9dd7-000c6e8e964a}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4d4b136-00a8-11d6-9d14-806d6172696f}]
AutoRun\command- Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8547 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-14 22:17:09 ------------







Mod Edit: Topic moved from HijackThis Logs to more appropriate forum~ TMacK
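Reading the two logs above, the lines that actually carry the infection are the persistence hooks, not the dozens of legitimate HP, Apple and AVG entries: an AppInit_DLLs value that loads a .dat file, a Winlogon Notify package whose DLL is already gone, an unnamed BHO living in system32, an HKCU Run key named with a 32-digit number, an extra LSA authentication package beside msv1_0, MountPoints2 AutoRun commands, and a run of 116864-byte DLLs with random names created in pairs. The Python script below is an added example written for this page; it is not a BleepingComputer tool and not something the participants ran. It applies those heuristics to a constructed sample of log-shaped lines copied in form from the posts. The finding names, the three-file cluster threshold and the regexes are this example's own assumptions.

```python
"""Triage heuristics for HijackThis / Deckard-style log lines.

Added example for this page, not a BleepingComputer tool.  Every heuristic
below is an assumption of this example, chosen to match the entry types
visible in the posted logs.
"""
import re

# Constructed sample: lines shaped like those in the posted logs, not a full log.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {F0C5A977-B06E-4BBD-B7C8-B28A3616AEFF} - C:\WINDOWS\system32\mlJBQIBQ.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [47525846701499502661902029172512] C:\Program Files\XP Antivirus\xpa.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3C5E.dat,avgrsstx.dll
O20 - Winlogon Notify: qoMeFyVm - C:\WINDOWS\system32\qoMeFyVm.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJBQIBQ
AutoRun\command- G:\setupSNK.exe
2008-07-13 19:56:18 116864 --a------ C:\WINDOWS\system32\kdyyhf.dll
2008-07-13 19:56:17 116864 --a------ C:\WINDOWS\system32\rhdelbsp.dll
2008-07-12 19:52:20 116864 --a------ C:\WINDOWS\system32\aqnywx.dll
2008-07-12 19:52:19 116864 --a------ C:\WINDOWS\system32\dxfohyvj.dll
2008-07-14 22:07:35 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
"""

RUN_KEY = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$")
BHO = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) \S+ (.+?\.dll)(?:\s+<.*>)?$", re.I)
MIN_CLUSTER = 3  # assumption: three or more DLLs of identical size created together is unusual


def triage(log_text):
    """Return a list of (finding_kind, detail) pairs for suspicious entries."""
    findings = []
    by_size = {}  # DLL size -> file names, for the same-size heuristic
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every user32-linked process;
            # an entry that is not even a .dll (here a .dat) deserves a look.
            for entry in line.partition(":")[2].split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith(".dll"):
                    findings.append(("appinit_non_dll", entry))
        elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            # A notify package whose DLL is gone is a dangling persistence hook.
            package = line.partition(":")[2].split(" - ")[0].strip()
            findings.append(("winlogon_notify_missing", package))
        elif m := RUN_KEY.match(line):
            name, target = m.groups()
            if name.isdigit():  # installers name their Run keys; droppers often do not
                findings.append(("numeric_run_key", target))
        elif m := BHO.match(line):
            name, path = m.groups()
            if name == "(no name)" and path != "(no file)":
                findings.append(("unnamed_bho_with_file", path))
        elif line.startswith('"Authentication Packages"'):
            # Only msv1_0 is expected on XP; anything else runs inside lsass.exe.
            for pkg in line.partition("=")[2].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("extra_lsa_auth_package", pkg))
        elif line.startswith("AutoRun\\command-"):
            # MountPoints2 records what AutoRun last offered for a removable drive.
            findings.append(("autorun_command", line.partition("-")[2].strip()))
        elif m := CREATED.match(line):
            size, path = m.groups()
            by_size.setdefault(int(size), []).append(path.rsplit("\\", 1)[-1])
    for size, names in sorted(by_size.items()):
        if len(names) >= MIN_CLUSTER:
            findings.append(("same_size_dll_cluster", f"{size} bytes: {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Feed it a saved HijackThis or DSS log instead of SAMPLE_LOG and the output is a short list of the entries worth fixing first; everything signed by a known vendor or pointing at a vendor directory falls through untouched. The same-size check is the one heuristic that needs the Deckard "Files created" section rather than HijackThis output.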


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 July 2008 - 03:30 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please visit this page for instructions to download and use Combofix.

How to use Combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Please post the log from Combofix here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 pianoman36
  • Topic Starter

  • Members
  • 21 posts

Posted 15 July 2008 - 09:56 PM

I have tried to download and am unable to go to the webpage to do the download. When I try, it re-routes me to another webpage. I have run SpywareBlaster and Exterminate It! and they have cleaned it, and I am still unable to download ComboFix. I got on the laptop and downloaded it, then tried to burn it to a disc. It worked, and when I put the disc in my computer to run it, it would not open. I looked at properties and it said "read only". I tried to change it and it still would not open. Not sure what to do. Any suggestions?

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 July 2008 - 08:23 AM

Right click on combofix.exe and rename it to cf.exe
Then you should be able to run it.

#5 pianoman36
  • Topic Starter

  • Members
  • 21 posts

Posted 16 July 2008 - 11:18 AM

Thank you, I got it to run. When it is finished, I will post the results here.

#6 pianoman36
  • Topic Starter

  • Members
  • 21 posts

Posted 16 July 2008 - 11:32 AM

Here is my combofix report. Thanks

ComboFix 08-07-14.2 - Owner 2008-07-16 11:01:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\cf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\Thumbs.db
C:\Program Files\VAV
C:\Program Files\VAV\vav.cpl
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\Program Files\VirusRemover2008
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\espk.exe
C:\WINDOWS\fdxbameg.dll
C:\WINDOWS\fsrpknov.dll
C:\WINDOWS\sqvgnrpx.dll
C:\WINDOWS\Sys6F.exe
C:\WINDOWS\system32\aqnywx.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dhjqjqvx.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\dxfohyvj.dll
C:\WINDOWS\system32\fauhdmrw.ini
C:\WINDOWS\system32\game5.exe
C:\WINDOWS\system32\hfpmfjql.ini
C:\WINDOWS\system32\jjrwmvek.ini
C:\WINDOWS\system32\kdyyhf.dll
C:\WINDOWS\system32\nqycqz.dll
C:\WINDOWS\system32\oeimub.dll
C:\WINDOWS\system32\QBIQBJlm.ini
C:\WINDOWS\system32\QBIQBJlm.ini2
C:\WINDOWS\system32\qklwlwnh.ini
C:\WINDOWS\system32\rhdelbsp.dll
C:\WINDOWS\system32\riihkvrt.dll
C:\WINDOWS\system32\yedecruj.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_NPF
-------\Legacy_WINCOM32


((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-16 02:27 . 2008-07-16 02:31 <DIR> d-------- C:\Program Files\Trojan Killer
2008-07-16 02:15 . 2008-07-16 02:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 02:14 . 2008-07-16 02:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 23:06 . 2008-07-15 23:06 <DIR> d-------- C:\VundoFix Backups
2008-07-14 22:10 . 2008-07-14 22:10 <DIR> d-------- C:\Deckard
2008-07-14 22:07 . 2008-07-16 00:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-14 22:07 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-14 02:15 . 2008-07-16 01:15 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-13 16:16 . 2008-07-14 00:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-13 15:47 . 2008-07-13 15:47 <DIR> d-------- C:\Program Files\AVG
2008-07-13 15:47 . 2008-07-15 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 13:46 . 2008-07-12 13:46 322,816 --a------ C:\WINDOWS\system32\mlJBQIBQ.dll
2008-07-12 13:42 . 2008-07-12 13:42 33,152 --a------ C:\WINDOWS\system32\ddcDuVom.dll
2008-07-12 13:42 . 2008-07-12 13:42 33,152 --a------ C:\WINDOWS\system32\awtqnkHA.dll
2008-07-12 13:40 . 2008-07-12 13:40 33,152 --a------ C:\WINDOWS\system32\qoMeFyVm.dll.vir
2008-07-12 13:40 . 2008-07-12 13:40 33,152 --a------ C:\WINDOWS\system32\nnnkKdax.dll
2008-07-12 13:40 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-22 09:22 . 2008-07-16 11:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 09:22 . 2008-06-22 09:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 05:44 . 2008-06-20 05:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 01:20 . 2008-06-18 01:20 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 15:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-07-16 06:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 05:49 --------- d-----w C:\Program Files\OpenOffice.org1.1.1b
2008-07-13 02:12 --------- d-----w C:\Program Files\Java
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 21:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-06 21:46 --------- d-----w C:\Program Files\iTunes
2008-06-06 21:46 --------- d-----w C:\Program Files\iPod
2008-06-06 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-06 21:43 --------- d-----w C:\Program Files\QuickTime
2008-06-06 21:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-06 21:27 --------- d-----w C:\Program Files\Apple Software Update
2008-06-06 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-05 08:02 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-04 13:08 --------- d-----w C:\Program Files\HP
2008-06-04 13:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-27 02:04 --------- d-----w C:\Program Files\GRETECH
2008-05-27 02:04 --------- d-----w C:\Program Files\CoreAAC
2008-05-25 16:54 --------- d-----w C:\Program Files\Yahoo!
2008-05-25 14:38 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-05-24 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 19:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 05:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-05-17 05:20 --------- d-----w C:\Program Files\InterActual
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D1FC92-9DF6-4307-A128-105EE1D7D49A}]
2008-07-12 13:46 322816 --a------ C:\WINDOWS\system32\mlJBQIBQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 01:58 188416]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 23:59]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2001-10-24 19:16]
S3 sati1rax;sati1rax;C:\DOCUME~1\Owner\LOCALS~1\Temp\sati1rax.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de31d996-67bc-11dc-9dc6-000c6e8e964a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee49d5f5-8462-11dc-9dd7-000c6e8e964a}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 13:25:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{88BD6C7F-49B8-4873-AF65-38706E659377} - (no file)
HKCU-Run-MoneyAgent - C:\Program Files\Microsoft Money\System\mnyexpr.exe
HKCU-Run-DW4 - C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
HKCU-Run-ares - C:\Program Files\Ares\Ares.exe
HKLM-Run-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
HKLM-Run-StorageGuard - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
HKLM-Run-PS2 - C:\WINDOWS\system32\ps2.exe
HKLM-Run-mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HKLM-Run-KBD - C:\HP\KBD\KBD.EXE
ShellExecuteHooks-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - (no file)
Notify-qoMeFyVm - qoMeFyVm.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 11:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-16 11:27:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-16 16:27:17

Pre-Run: 58,415,738,880 bytes free
Post-Run: 58,336,862,208 bytes free

194 --- E O F --- 2008-07-10 03:48:00

#7 pianoman36

  • Topic Starter
  • Members
  • 21 posts

Posted 16 July 2008 - 12:14 PM

I just ran my virus scan here are the results.

Vundo - Downloader, popups, trojan - hkey local machine\software\
Vundo - Downloader, popups, trojan - c:\windows\system32
bifrost - trojan -
data.doremetrics - tracking cookie
optimost.com - tracking cookie

My virus scan (Exterminate It) said that the Vundo was being blocked and could not be removed.

I ran this after I ran combofix.

I just ran my free superantispyware and here are the results:
adware vundo variant/resident - 2 detected
trojan vundo variant /small GEN = 6 detected
trojan vundo variant / small - 5 detected
adware tracking cookie - 9 detected
adware vundo variant/rel - 4 detected
rogue virus remover 2008 - 7 detected
rogue dropper/gen - 1 detected
rogue pcprivacy cleaner - 1 detected
trojan new msv/vps variant - 1 detected
trojan unclassified packed/suspicious - 1 detected
trojan unknown origin - 1 detected
adware vundo variant - 4 detected
rogue vista antivirus 2008 - 1 detected
adware vundo variant/j - 2 detected
trojan unclassified/gts - 1 detected

I removed all these.

Edited by pianoman36, 16 July 2008 - 01:12 PM.


#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 July 2008 - 09:45 AM

I'll need to see another combofix log that's current again.
Please do not make any changes to your computer once you post the log.

#9 pianoman36

  • Topic Starter
  • Members
  • 21 posts

Posted 18 July 2008 - 12:37 PM

Dear Buckeye Sam, here is another run of ComboFix that you requested. Thank you for your help. This was run on July 18, 2008.
I won't do anything to my computer until you get back with me. Thanks, Gary

ComboFix 08-07-14.2 - Owner 2008-07-18 12:04:56.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\My Documents\cf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afivrnxx.dll
C:\WINDOWS\system32\pcjyauhh.ini
C:\WINDOWS\system32\QBIQBJlm.ini
C:\WINDOWS\system32\QBIQBJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-17 12:12 . 2008-07-17 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-16 16:53 . 2008-07-18 12:17 1,231,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-16 16:53 . 2008-07-18 12:12 25,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-16 16:53 . 2008-07-18 12:12 17,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-16 16:53 . 2008-07-18 12:12 3,452 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-16 12:45 . 2008-07-16 13:47 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-16 12:45 . 2008-07-16 13:47 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-16 12:38 . 2008-07-16 12:38 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-16 12:38 . 2008-07-18 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-16 12:34 . 2008-07-16 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 02:27 . 2008-07-16 11:42 <DIR> d-------- C:\Program Files\Trojan Killer
2008-07-16 02:15 . 2008-07-16 11:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 02:14 . 2008-07-16 02:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 23:06 . 2008-07-15 23:06 <DIR> d-------- C:\VundoFix Backups
2008-07-14 22:10 . 2008-07-14 22:10 <DIR> d-------- C:\Deckard
2008-07-14 22:07 . 2008-07-17 20:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-14 22:07 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-14 02:15 . 2008-07-18 01:11 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-13 16:16 . 2008-07-14 00:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-13 15:47 . 2008-07-13 15:47 <DIR> d-------- C:\Program Files\AVG
2008-07-13 15:47 . 2008-07-16 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 13:40 . 2008-07-17 04:29 33,152 --a------ C:\WINDOWS\system32\qoMeFyVm.dll.vir
2008-07-12 13:40 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-22 09:22 . 2008-07-18 12:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 09:22 . 2008-06-22 09:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 05:44 . 2008-06-20 05:44 138,368 --a------ C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 01:20 . 2008-06-18 01:20 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 01:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 17:09 --------- d-----w C:\Program Files\Yahoo!
2008-07-17 00:42 --------- d-----w C:\Program Files\OpenOffice.org1.1.1b
2008-07-16 18:52 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-16 15:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-07-13 02:12 --------- d-----w C:\Program Files\Java
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 21:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-06 21:46 --------- d-----w C:\Program Files\iTunes
2008-06-06 21:46 --------- d-----w C:\Program Files\iPod
2008-06-06 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-06 21:43 --------- d-----w C:\Program Files\QuickTime
2008-06-06 21:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-06 21:27 --------- d-----w C:\Program Files\Apple Software Update
2008-06-06 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-05 08:02 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-04 13:08 --------- d-----w C:\Program Files\HP
2008-06-04 13:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-27 02:04 --------- d-----w C:\Program Files\GRETECH
2008-05-27 02:04 --------- d-----w C:\Program Files\CoreAAC
2008-05-25 14:38 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-05-24 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 19:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-16_11.26.53.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-20 10:17:52 33,280 ----a-w C:\WINDOWS\$hf_mig$\KB926247\SP2QFE\snmp.exe
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB926247\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB926247\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\updspapi.dll
- 2004-08-04 06:14:14 138,496 -c----w C:\WINDOWS\$NtUninstallKB951748$\afd.sys
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\$NtUninstallKB951748$\dnsapi.dll
- 2004-08-04 07:56:44 245,248 -c----w C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip6.sys
- 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
- 2006-08-16 11:58:05 100,352 ------w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
- 2004-08-04 07:56:56 32,768 ----a-w C:\WINDOWS\system32\dllcache\snmp.exe
+ 2006-11-20 08:42:45 33,280 ----a-w C:\WINDOWS\system32\dllcache\snmp.exe
- 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2007-12-29 00:51:04 195,344 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-12-13 18:28:40 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2008-02-08 23:35:42 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
+ 2008-02-08 23:37:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
- 2004-08-04 07:56:56 32,768 ----a-w C:\WINDOWS\system32\snmp.exe
+ 2006-11-20 08:42:45 33,280 ----a-w C:\WINDOWS\system32\snmp.exe
+ 2008-07-18 17:14:12 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_344.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-16 11:35 1506544]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 01:58 188416]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-16 11:35 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-16 11:35 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 23:59]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2001-10-24 19:16]
S3 sati1rax;sati1rax;C:\DOCUME~1\Owner\LOCALS~1\Temp\sati1rax.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de31d996-67bc-11dc-9dc6-000c6e8e964a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee49d5f5-8462-11dc-9dd7-000c6e8e964a}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 13:25:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 12:14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 July 2008 - 08:11 AM

Just a few things still there that we can clean up.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\qoMeFyVm.dll.vir

Driver::
sati1rax

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



How is your computer running now?
Any problems or popups?
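As an added example (not code from this thread or from ComboFix itself), the Python below reads the log sections shown in the posts above and flags the same kind of leftovers the helper put in the CFScript: a driver loading from a Temp folder with no file stamp, a .vir quarantine remnant, a removal tool's backup folder, plus items that need a human decision (the Security Center override, AutoRun handlers on mount points, random-looking BHO DLL names). SAMPLE_LOG is a constructed excerpt modelled on the logs posted here, and the row regexes are my reading of that layout, not a ComboFix specification.

```python
"""Triage a ComboFix-style log for leftovers (added example, not ComboFix's own code)."""
import re

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D1FC92-9DF6-4307-A128-105EE1D7D49A}]
2008-07-12 13:46 322816 --a------ C:\WINDOWS\system32\mlJBQIBQ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 23:59]
S3 sati1rax;sati1rax;C:\DOCUME~1\Owner\LOCALS~1\Temp\sati1rax.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - Info.exe folder.htt 480 480

2008-07-15 23:06 . 2008-07-15 23:06 <DIR> d-------- C:\VundoFix Backups
2008-07-12 13:40 . 2008-07-17 04:29 33,152 --a------ C:\WINDOWS\system32\qoMeFyVm.dll.vir
2008-07-12 13:40 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# "Files Created" rows: two timestamps, size or <DIR>, attribute flags, path.
CREATED_RE = re.compile(TS + r" \. " + TS + r" (?:<DIR>|[\d,]+) [-a-z]{7,9} (.+)$")
# Loading-point rows under a registry key: one timestamp, size, optional flags, path.
LOADPOINT_RE = re.compile(TS + r" \d[\d,]* (?:[-a-z]{7,9} )?(.+)$")
RUNVALUE_RE = re.compile(r'^"[^"]*"="([^"]+)"')            # "name"="path" [stamp size]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.*) \[(.*)\]$")  # state name;desc;image [stamp]
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
AUTORUN_PREFIX = r"\Shell\AutoRun\command - "

def check_path(path):
    """Return a finding dict for a file or folder path, or None if it looks benign."""
    if path.lower().endswith(".vir"):
        return {"kind": "File", "target": path, "reason": "quarantine leftover (.vir) still on disk"}
    if path.lower().endswith("fix backups"):               # e.g. C:\VundoFix Backups
        return {"kind": "Folder", "target": path, "reason": "removal-tool backup folder left behind"}
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    # The Vundo components in this thread used 8-letter mixed-case DLL names
    # (mlJBQIBQ, qoMeFyVm); legitimate system DLLs are rarely shaped like that.
    if ext.lower() == "dll" and re.fullmatch(r"[A-Za-z]{8}", stem) and stem not in (stem.lower(), stem.upper()):
        return {"kind": "File", "target": path, "reason": "8-letter mixed-case DLL name, review its loading point"}
    return None

def triage(log_text):
    """Walk a ComboFix-style log and return the findings in log order."""
    findings, key = [], None
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):    # registry key header
            key = line[1:-1]
            continue
        if line.startswith(AUTORUN_PREFIX):                 # AutoRun handler on a mount point
            findings.append({"kind": "AutoRun", "target": line[len(AUTORUN_PREFIX):],
                             "reason": "AutoRun handler under %s" % key})
            continue
        if OVERRIDE_RE.match(line):                          # AV/firewall status warning silenced
            findings.append({"kind": "Registry", "target": line.split("=")[0].strip('"'),
                             "reason": "Security Center override set under %s" % key})
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _, name, image, stamp = svc.groups()
            reasons = []
            if "\\temp\\" in image.lower():
                reasons.append("driver image lives in a Temp folder")
            if not stamp:                                    # ComboFix prints [] when it finds no file
                reasons.append("no file stamp (image missing or hidden)")
            if reasons:
                findings.append({"kind": "Driver", "target": name, "reason": "; ".join(reasons)})
            continue
        for rx in (CREATED_RE, LOADPOINT_RE, RUNVALUE_RE):
            m = rx.match(line)
            if m:
                hit = check_path(m.group(1))
                if hit:
                    findings.append(hit)
                break
    return findings

def cfscript(findings):
    """Render file-system and driver findings in the CFScript section syntax used above."""
    parts = []
    for kind in ("Folder", "File", "Driver"):
        targets = [f["target"] for f in findings if f["kind"] == kind]
        if targets:
            parts.append("%s::\n%s" % (kind, "\n".join(targets)))
    return "\n\n".join(parts) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("\n".join("%-8s %-44s %s" % (f["kind"], f["target"], f["reason"]) for f in found))
    print(cfscript(found))
```

Registry and AutoRun findings are deliberately kept out of the generated script; they are reported for a human to decide on, as the helper did here.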

#11 pianoman36

  • Topic Starter
  • Members
  • 21 posts

Posted 19 July 2008 - 11:02 AM

New combofix - ran like Buckeye Sam requested.

ComboFix 08-07-14.2 - Owner 2008-07-19 10:11:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\cf.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\qoMeFyVm.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\qoMeFyVm.dll.vir

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sati1rax


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-17 12:12 . 2008-07-17 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-16 16:53 . 2008-07-19 10:36 1,560,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-16 16:53 . 2008-07-19 10:31 33,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-16 16:53 . 2008-07-19 10:29 21,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-16 16:53 . 2008-07-19 10:29 4,196 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-16 12:45 . 2008-07-16 13:47 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-16 12:45 . 2008-07-16 13:47 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-16 12:38 . 2008-07-16 12:38 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-16 12:38 . 2008-07-18 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-16 12:34 . 2008-07-16 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 02:27 . 2008-07-16 11:42 <DIR> d-------- C:\Program Files\Trojan Killer
2008-07-16 02:15 . 2008-07-16 11:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-07-16 02:15 . 2008-07-16 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 02:14 . 2008-07-16 02:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 22:10 . 2008-07-14 22:10 <DIR> d-------- C:\Deckard
2008-07-14 22:07 . 2008-07-17 20:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-14 22:07 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-14 02:15 . 2008-07-18 01:11 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-13 16:16 . 2008-07-14 00:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-13 15:47 . 2008-07-13 15:47 <DIR> d-------- C:\Program Files\AVG
2008-07-13 15:47 . 2008-07-16 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 13:40 . 2002-08-29 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-22 09:22 . 2008-07-19 10:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 09:22 . 2008-06-22 09:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 05:44 . 2008-06-20 05:44 138,368 --a------ C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 01:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 17:09 --------- d-----w C:\Program Files\Yahoo!
2008-07-17 00:42 --------- d-----w C:\Program Files\OpenOffice.org1.1.1b
2008-07-16 18:52 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-16 15:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-07-13 02:12 --------- d-----w C:\Program Files\Java
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 06:20 --------- d-----w C:\Program Files\Google
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 21:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-06 21:46 --------- d-----w C:\Program Files\iTunes
2008-06-06 21:46 --------- d-----w C:\Program Files\iPod
2008-06-06 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-06 21:43 --------- d-----w C:\Program Files\QuickTime
2008-06-06 21:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-06 21:27 --------- d-----w C:\Program Files\Apple Software Update
2008-06-06 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-05 08:02 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-04 13:08 --------- d-----w C:\Program Files\HP
2008-06-04 13:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-27 02:04 --------- d-----w C:\Program Files\GRETECH
2008-05-27 02:04 --------- d-----w C:\Program Files\CoreAAC
2008-05-25 14:38 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-05-24 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 19:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-16_11.26.53.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-20 10:17:52 33,280 ----a-w C:\WINDOWS\$hf_mig$\KB926247\SP2QFE\snmp.exe
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB926247\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB926247\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB926247\update\updspapi.dll
- 2004-08-04 06:14:14 138,496 -c----w C:\WINDOWS\$NtUninstallKB951748$\afd.sys
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\$NtUninstallKB951748$\dnsapi.dll
- 2004-08-04 07:56:44 245,248 -c----w C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip6.sys
- 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
- 2006-08-16 11:58:05 100,352 ------w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
- 2004-08-04 07:56:56 32,768 ----a-w C:\WINDOWS\system32\dllcache\snmp.exe
+ 2006-11-20 08:42:45 33,280 ----a-w C:\WINDOWS\system32\dllcache\snmp.exe
- 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2007-12-29 00:51:04 195,344 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-12-13 18:28:40 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2008-02-08 23:35:42 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
+ 2008-02-08 23:37:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
- 2004-08-04 07:56:56 32,768 ----a-w C:\WINDOWS\system32\snmp.exe
+ 2006-11-20 08:42:45 33,280 ----a-w C:\WINDOWS\system32\snmp.exe
+ 2008-07-19 15:30:44 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_774.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-16 11:35 1506544]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 01:58 188416]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 01:22 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-16 11:35 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-16 11:35 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de31d996-67bc-11dc-9dc6-000c6e8e964a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee49d5f5-8462-11dc-9dd7-000c6e8e964a}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 13:25:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 10:31:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-19 10:49:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-19 15:49:24
ComboFix2.txt 2008-07-18 17:31:13
ComboFix3.txt 2008-07-16 16:27:27

Pre-Run: 58,086,838,272 bytes free
Post-Run: 58,127,282,176 bytes free

192 --- E O F --- 2008-07-17 15:02:58

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 20 July 2008 - 08:31 AM

How is your computer running now?
Any problems or popups?

Please post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 pianoman36
  • Topic Starter
  • Members
  • 21 posts

Posted 20 July 2008 - 02:10 PM

Here is the new HijackThis log that I just ran (Sunday, 2 pm).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:20 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org1.1.1b\program\soffice.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197842298137
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7266 bytes

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 21 July 2008 - 07:25 AM

How is your computer running now?
Any problems or popups?



========================================================

#15 pianoman36
  • Topic Starter
  • Members
  • 21 posts

Posted 21 July 2008 - 10:09 AM

It is running well, no pop-ups or any of the other stuff that was happening. How did the logs look? Thanks for your help. Sorry I was such a pain and not understanding everything fully. Is it OK to run the anti-virus scans and SUPERAntiSpyware now? Gary



