Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Spyware That Keeps Installing Darksma When I Remove It


  • This topic is locked This topic is locked
9 replies to this topic

#1 Gremkor

Gremkor

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 27 July 2008 - 09:24 PM

Hi there everyone. Thanks for your help.

The problem I have is I seem to be infected with a spyware/popup program that keeps making popups on my computer when I use IE7. I also get a windows window that opens asking me to install Antivirus 2009.

I have Telus Freedom internet security with antispyware/antivirus that came from my ISP. It detects Darksma (type: Registry) in key "hkey_local_machine \software\ms juan" and allows me to delete it. It detects two copies of Darksma and lets me delete it but it just keeps reappearing every 20 mins or so. Telus freedom has also detected and deleted SillyDI DJM (type: Registry) but this one doesn't seem to keep returning.

Things I have done so far:

Tried to use the Kasperky online scanner but it gets an error and doesn't scan. The error I get is: SysFader: iexplorer.exe "The instruction at "0x029d395a" referenced memoryat "0x02a112fc". The memory could not be "read". Click OK to terminate the program. Internet explorer then closes when I press OK.

Tried to use DSS amd HJT but those had errors too.

Closed some stuff in my startup msconfig and that seemed to help me run DSS and HJT without errors so I was able to get a "main.txt" and "extra.txt" file last night but this morning when I tried to run the DSS again, it only gave me a "main.txt" file so I'll post the newest main.txt file now and the extra.txt file from last night. I'll also post the newest HJT file.

I also noticed when I would remove stuff from the start up that one type of item would keep coming back. In the "Files created between 2008-06-27 and 2008-07-27" from the main.txt file, it shows a bunch of files with some "randomtext.dll" and these files would show up in my start up as well and everytime I uncheck it, a new one would show up in the start up and be checked.

=====================================

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-27 16:55:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:01 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: (no name) - {5DCB8B98-B3DA-484B-A872-8C752C3A683B} - C:\WINDOWS\system32\avica.dll
O2 - BHO: (no name) - {62D6DDA7-8FE9-47F1-B8E9-D1D0D3D9FF3A} - C:\WINDOWS\system32\yaywwWMg.dll
O2 - BHO: (no name) - {64FB344C-DBBC-4ACD-A8F9-3BD3491E3AA6} - C:\WINDOWS\system32\avica.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {d696b9bf-2dd1-501a-fdb4-5ea952535c87} - {78c53525-9ae5-4bdf-a105-1dd2fb9b696d} - C:\WINDOWS\system32\kuxmbf.dll
O2 - BHO: (no name) - {797AB8D3-8ABE-4CB4-8A2B-3565D192D7F9} - C:\WINDOWS\system32\avica.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O2 - BHO: (no name) - {A4614DAD-9298-4672-AA62-5EB39F5EBADD} - C:\WINDOWS\system32\hgGwVNhI.dll
O2 - BHO: (no name) - {B1371F3C-F8C8-4E80-A333-1EE6AB475D94} - C:\WINDOWS\system32\avica.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMabdf19b6] Rundll32.exe "C:\WINDOWS\system32\gjbxtpnl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O20 - Winlogon Notify: yaywwWMg - C:\WINDOWS\SYSTEM32\yaywwWMg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7209 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-26 21:54:05 101888 --a------ C:\WINDOWS\system32\kuxmbf.dll
2008-07-26 21:53:46 101888 --a------ C:\WINDOWS\system32\qcwimoww.dll
2008-07-26 21:50:52 83968 --a------ C:\WINDOWS\system32\nwfgvhlm.dll
2008-07-26 21:49:12 93184 --a------ C:\WINDOWS\system32\gjbxtpnl.dll
2008-07-26 14:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-07-26 14:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-26 14:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\SendTo
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\PrintHood
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\NetHood
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-26 14:54:44 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-26 14:54:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-26 14:54:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-26 14:54:42 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-26 14:38:00 0 d-------- C:\Program Files\Trend Micro
2008-07-26 00:15:30 0 d-------- C:\VundoFix Backups
2008-07-25 18:54:50 102400 --a------ C:\WINDOWS\system32\kbglnf.dll
2008-07-25 18:54:41 102400 --a------ C:\WINDOWS\system32\ynefdfqo.dll
2008-07-25 18:53:06 93184 --a------ C:\WINDOWS\system32\qovfevag.dll
2008-07-24 17:55:37 4194304 --a------ C:\Documents and Settings\Compaq_Owner\ntuser.dat
2008-07-24 16:23:40 102912 --a------ C:\WINDOWS\system32\gpilxt.dll
2008-07-24 16:23:28 102912 --a------ C:\WINDOWS\system32\ifofecmi.dll
2008-07-24 16:20:24 93696 --a------ C:\WINDOWS\system32\ibhwjxyt.dll
2008-07-24 10:44:52 0 d-------- C:\TempDVD
2008-07-24 10:44:39 0 d-------- C:\Program Files\dvdSanta
2008-07-23 16:18:34 101888 --a------ C:\WINDOWS\system32\hmydvb.dll
2008-07-23 16:18:22 101888 --a------ C:\WINDOWS\system32\oxicodis.dll
2008-07-23 16:18:03 93696 --a------ C:\WINDOWS\system32\tbncmkva.dll
2008-07-23 16:16:40 93696 --a------ C:\WINDOWS\system32\udavfgdn.dll
2008-07-19 12:21:46 0 d-------- C:\Program Files\Radialpoint
2008-07-19 01:15:49 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TELUS
2008-07-19 01:11:01 48640 -ra------ C:\WINDOWS\system32\drivers\FreeTdi.sys <Not Verified; Zero-Knowledge Systems Inc.; Freedom>
2008-07-19 01:10:14 0 d-------- C:\Program Files\Common Files\Command Software
2008-07-19 01:10:13 0 d-------- C:\Program Files\TELUS
2008-07-19 01:10:13 0 d-------- C:\Program Files\Common Files\PestPatrol
2008-07-19 01:09:15 0 d-------- C:\Documents and Settings\All Users\Application Data\TELUS
2008-07-18 23:31:28 102912 --a------ C:\WINDOWS\system32\zkbzzb.dll
2008-07-18 23:31:27 102912 --a------ C:\WINDOWS\system32\ubdbwbcu.dll
2008-07-18 23:28:26 93696 --a------ C:\WINDOWS\system32\nuitfvmr.dll
2008-07-18 23:26:16 93696 --a------ C:\WINDOWS\system32\estmbimq.dll
2008-07-15 22:07:04 101376 --a------ C:\WINDOWS\system32\nuhpuv.dll
2008-07-15 22:07:03 101376 --a------ C:\WINDOWS\system32\lgmcxcny.dll
2008-07-15 22:01:03 92672 --a------ C:\WINDOWS\system32\vvxxevbr.dll
2008-07-15 21:58:50 92672 --a------ C:\WINDOWS\system32\qwujebwn.dll
2008-07-14 19:09:29 102400 --a------ C:\WINDOWS\system32\qksuvb.dll
2008-07-14 19:09:28 102400 --a------ C:\WINDOWS\system32\jmqskcuu.dll
2008-07-14 19:03:58 101632 --a------ C:\WINDOWS\system32\avica.dll
2008-07-13 18:16:26 12800 --a------ C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-07-13 18:16:26 92208 --a------ C:\WINDOWS\system\WING.DLL <Not Verified; Microsoft Corporation; WinG>
2008-07-13 16:55:10 0 d-------- C:\Program Files\EA Games
2008-07-13 13:58:14 574007 --ahs---- C:\WINDOWS\system32\IhNVwGgh.ini2
2008-07-13 13:58:06 282112 --a------ C:\WINDOWS\system32\hgGwVNhI.dll
2008-07-13 13:49:05 32256 --a------ C:\WINDOWS\system32\rqRKecby.dll
2008-07-13 13:49:05 32256 --a------ C:\WINDOWS\system32\hgGyXolM.dll
2008-07-13 13:48:13 32256 --a------ C:\WINDOWS\system32\wvUkHxVO.dll
2008-07-13 13:48:13 32256 --a------ C:\WINDOWS\system32\vtUlMcYS.dll
2008-07-13 13:47:45 32256 --a------ C:\WINDOWS\system32\rqRKBSIx.dll
2008-07-13 13:47:45 32256 --a------ C:\WINDOWS\system32\geBuVPFv.dll
2008-07-13 13:47:18 32256 --a------ C:\WINDOWS\system32\yaywwWMg.dll
2008-07-13 13:47:18 32256 --a------ C:\WINDOWS\system32\rqRKdDVO.dll
2008-07-13 12:21:30 0 d-------- C:\Program Files\Common Files\EasyInfo
2008-07-08 20:28:09 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\InterVideo


-- Find3M Report ---------------------------------------------------------------

2008-07-19 09:14:24 0 d-------- C:\Program Files\Symantec
2008-07-19 09:13:06 0 d-------- C:\Program Files\Common Files
2008-07-13 17:00:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-13 15:28:40 0 d-------- C:\Program Files\Java
2008-07-13 13:56:32 0 d-------- C:\Program Files\Games
2008-07-08 18:17:43 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
2008-06-03 12:48:08 0 d-------- C:\Program Files\Download Manager


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DCB8B98-B3DA-484B-A872-8C752C3A683B}]
07/18/2008 11:40 PM 101632 --a------ C:\WINDOWS\system32\avica.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62D6DDA7-8FE9-47F1-B8E9-D1D0D3D9FF3A}]
07/13/2008 01:47 PM 32256 --a------ C:\WINDOWS\system32\yaywwWMg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64FB344C-DBBC-4ACD-A8F9-3BD3491E3AA6}]
07/18/2008 11:40 PM 101632 --a------ C:\WINDOWS\system32\avica.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78c53525-9ae5-4bdf-a105-1dd2fb9b696d}]
07/26/2008 09:53 PM 101888 --a------ C:\WINDOWS\system32\kuxmbf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{797AB8D3-8ABE-4CB4-8A2B-3565D192D7F9}]
07/18/2008 11:40 PM 101632 --a------ C:\WINDOWS\system32\avica.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4614DAD-9298-4672-AA62-5EB39F5EBADD}]
07/13/2008 01:58 PM 282112 --a------ C:\WINDOWS\system32\hgGwVNhI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1371F3C-F8C8-4E80-A333-1EE6AB475D94}]
07/18/2008 11:40 PM 101632 --a------ C:\WINDOWS\system32\avica.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [05/19/2005 03:56 PM]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [03/20/2007 05:48 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/14/2005 04:43 PM]
"BMabdf19b6"="C:\WINDOWS\system32\gjbxtpnl.dll" [07/26/2008 09:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [03/05/2007 01:57 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/25/2006 9:21:44 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{62D6DDA7-8FE9-47F1-B8E9-D1D0D3D9FF3A}"= C:\WINDOWS\system32\yaywwWMg.dll [07/13/2008 01:47 PM 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwWMg]
yaywwWMg.dll 07/13/2008 01:47 PM 32256 C:\WINDOWS\system32\yaywwWMg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGwVNhI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8ec2a2a]
rundll32.exe "C:\WINDOWS\system32\nwfgvhlm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMabdf19b6]
Rundll32.exe "C:\WINDOWS\system32\gjbxtpnl.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenBillminder]
C:\Program Files\Quicken\Billmind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2008-07-27 16:58:14 ------------


===========================================================

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 1982.48 MiB / 1585 MiB
Pagefile Memory (total/avail): 3268.84 MiB / 3038.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.64 MiB

C: is Fixed (NTFS) - 180.88 GiB total, 96.96 GiB free.
D: is Fixed (FAT32) - 5.41 GiB total, 0.37 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2004C - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 5.42 GiB - D:
\PARTITION1 (bootable) - Installable File System - 180.88 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
UpdatesDisableNotify is set.

FW: TELUS Security service Firewall v?????????3???????????????S??????3ฐ††††††††?? -?ด?ด???????????????†††????†††††††††††††(????????????††††††????ฐ† (TELUS)
AV: TELUS Security service Anti-Virus v??????????? (TELUS)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Games\\Age of Empires\\Empires.exe"="C:\\Program Files\\Games\\Age of Empires\\Empires.exe:*:Enabled:Age of Empires"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VICTORSCOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\VICTORSCOMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=VICTORSCOMPUTER
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 2.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Photoshop Elements 2\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Advanced Combat Tracker (remove only) --> "C:\Program Files\Advanced Combat Tracker\Uninstall.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2005 - English --> MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Battle.net --> C:\WINDOWS\bnetunin.exe
Caesar 3 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\SIERRA\Caesar3\Uninst.isu"
Cannon Fodder --> "C:\Program Files\games\Cannon Fodder\unins000.exe"
CIA --> C:\Program Files\CIA\CIA.exe /uninstall
Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
Command & Conquer The First Decade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}\setup.exe" -l0x9 -removeonly
Compaq Connections (remove only) --> C:\WINDOWS\HPCPCUninstall-5577497\HPBWSetup.exe -appid 5577497 -uninstall
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
Core FTP LE 1.3c --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
Deadlock --> C:\WINDOWS\uninst.exe -f"c:\program files\games\Deadlock\DeIsL1.isu"
Diablo --> C:\WINDOWS\diabunin.exe
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
Download Manager 2.3.5 --> C:\Program Files\Download Manager\uninst.exe
dvdSanta 4.00 --> "C:\Program Files\dvdSanta\unins000.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
EQ2MAP Updater 1.0.6 --> C:\Program Files\EQ2MAP Updater\uninst.exe
EverQuest II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EE39B32-BA05-433C-BC0D-35797518A3A5}\ISInst.exe" -l0x9
EverQuest II: Kingdom of Sky --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE0DE25D-4905-4609-B2A0-6393E108FC76}\setup.exe" -l0x9 -removeonly
Forms On CD - Residential Real Estate Purchase and Sale --> C:\WINDOWS\iun6002.exe "C:\Program Files\Forms On CD\Residential Real Estate Purchase and Sale\irunin.ini"
Future Cop --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Games\Future Cop\DeIsL1.isu" -c"C:\Program Files\Games\Future Cop\eauninst.dll
Heroes of Might and Magic II --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Heroes2\DeIsL1.isu"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Homeworld --> C:\PROGRA~1\Games\HOMEWO~1\UNINST~1\UNWISE.EXE C:\PROGRA~1\Games\HOMEWO~1\UNINST~1\INSTALL.LOG
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HTML-Kit --> "C:\Program Files\HTML-Kit\unins000.exe"
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitechฎ Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Majesty - Gold Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{212125C1-E5A3-4810-A057-C20FB2A79327}\setup.exe"
Master of Orion II --> C:\WINDOWS\uninst.exe -f"c:\program files\games\Orion2\DeIsL1.isu"
Microsoft Age of Empires --> C:\Program Files\Games\Age of Empires\Uninstal.exe /uninstall
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{91170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Motorola SM56 Speakerphone Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe
Office 2003 Tour --> MsiExec.exe /I{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}
Patch-Resource-5.X-Msi --> MsiExec.exe /I{E0A23112-653F-4F1D-BBFD-5CF0149D15F9}
PC-Doctor 5 for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{AB61A692-5543-4C48-979B-8CEA1C52FE9C} /l1033
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove WeatherBug Installer --> c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c c:\hp\bin\wbug\clean.bat
SCRABBLE --> C:\PROGRA~1\AOLGAM~1\SCRABBLE\UNWISE.EXE C:\PROGRA~1\AOLGAM~1\SCRABBLE\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sierra On-Line Games (Remove only) --> C:\PROGRA~1\GAMES\SIERRA\SETUP.EXE /U
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
SimCity 3000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\games\SimCity 3000\Uninst.isu"
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TELUS eProtect Advisor 1.5.11 --> "C:\Program Files\TELUS\eProtect Advisor\unins000.exe"
TELUS Security & Privacy --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{B544F669-B04B-45B7-B449-30E273712FCC}
Thief:The Dark Project --> C:\WINDOWS\IsUninst.exe -f"c:\program files\games\thief\thiefalphaIIu.log"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type14574 / Error
Event Submitted/Written: 07/26/2008 03:12:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module hggwvnhi.dll, version 0.0.0.0, fault address 0x00063293.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type14573 / Error
Event Submitted/Written: 07/26/2008 03:11:46 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 860284785.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type14572 / Error
Event Submitted/Written: 07/26/2008 03:11:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module hggwvnhi.dll, version 0.0.0.0, fault address 0x00063293.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type14571 / Error
Event Submitted/Written: 07/26/2008 03:09:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type14560 / Error
Event Submitted/Written: 07/26/2008 02:42:30 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 593875832.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type33631 / Error
Event Submitted/Written: 07/26/2008 11:25:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type33607 / Error
Event Submitted/Written: 07/26/2008 10:45:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type33585 / Error
Event Submitted/Written: 07/26/2008 03:01:58 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer CHARLENE
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8DBC9F4E-9EE6-40BF-.
The master browser is stopping or an election is being forced.

Event Record #/Type33565 / Error
Event Submitted/Written: 07/26/2008 02:58:13 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type33564 / Error
Event Submitted/Written: 07/26/2008 02:56:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-07-27 00:15:56 ------------

======================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:05 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMabdf19b6] Rundll32.exe "C:\WINDOWS\system32\gjbxtpnl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6199 bytes

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 AM

Posted 28 July 2008 - 03:09 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Gremkor

Gremkor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 28 July 2008 - 08:47 PM

Hi miekiemoes, thanks for your help. Here are the two logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:17 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5019 bytes

============================================================

ComboFix 08-07-28.4 - Compaq_Owner 2008-07-28 18:23:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1554 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\L65JFNDF\interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\L65JFNDF\interclick.com\ud.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\auhabtip.ini
C:\WINDOWS\system32\avica.dll
C:\WINDOWS\system32\blfeqgnp.ini
C:\WINDOWS\system32\bqgeqdfq.ini
C:\WINDOWS\system32\cfvjqowl.ini
C:\WINDOWS\system32\estmbimq.dll
C:\WINDOWS\system32\geBuVPFv.dll
C:\WINDOWS\system32\gjbxtpnl.dll
C:\WINDOWS\system32\goybvnhq.ini
C:\WINDOWS\system32\gpilxt.dll
C:\WINDOWS\system32\hgGwVNhI.dll
C:\WINDOWS\system32\hgGyXolM.dll
C:\WINDOWS\system32\hmydvb.dll
C:\WINDOWS\system32\ibhwjxyt.dll
C:\WINDOWS\system32\ifofecmi.dll
C:\WINDOWS\system32\IhNVwGgh.ini
C:\WINDOWS\system32\IhNVwGgh.ini2
C:\WINDOWS\system32\jewoenej.dll
C:\WINDOWS\system32\jfsvxsas.ini
C:\WINDOWS\system32\jmqskcuu.dll
C:\WINDOWS\system32\kbglnf.dll
C:\WINDOWS\system32\kuxmbf.dll
C:\WINDOWS\system32\lgmcxcny.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlhvgfwn.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nbqwqt.dll
C:\WINDOWS\system32\nuhpuv.dll
C:\WINDOWS\system32\nuitfvmr.dll
C:\WINDOWS\system32\nwfgvhlm.dll
C:\WINDOWS\system32\oqnkckvn.ini
C:\WINDOWS\system32\oxicodis.dll
C:\WINDOWS\system32\qcwimoww.dll
C:\WINDOWS\system32\qksuvb.dll
C:\WINDOWS\system32\qovfevag.dll
C:\WINDOWS\system32\qwujebwn.dll
C:\WINDOWS\system32\rqRKBSIx.dll
C:\WINDOWS\system32\rqRKdDVO.dll
C:\WINDOWS\system32\rqRKecby.dll
C:\WINDOWS\system32\sasxvsfj.dll
C:\WINDOWS\system32\stpgslpk.ini
C:\WINDOWS\system32\tbncmkva.dll
C:\WINDOWS\system32\ubdbwbcu.dll
C:\WINDOWS\system32\udavfgdn.dll
C:\WINDOWS\system32\vodpbbfu.dll
C:\WINDOWS\system32\vtUlMcYS.dll
C:\WINDOWS\system32\vvxxevbr.dll
C:\WINDOWS\system32\wvUkHxVO.dll
C:\WINDOWS\system32\yaywwWMg.dll
C:\WINDOWS\system32\ynefdfqo.dll
C:\WINDOWS\system32\zkbzzb.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-26 21:50 . 2008-07-26 21:50 0 --a------ C:\WINDOWS\system32\goybvnhq.tmp
2008-07-26 14:54 . 2005-09-14 16:55 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-26 14:54 . 2005-09-14 17:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-26 14:54 . 2005-09-14 16:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-26 14:54 . 2005-09-14 16:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-07-26 14:54 . 2005-09-14 16:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-26 14:54 . 2008-07-26 14:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 14:38 . 2008-07-26 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-26 14:34 . 2008-07-26 14:34 <DIR> d-------- C:\Deckard
2008-07-26 00:15 . 2008-07-26 00:15 <DIR> d-------- C:\VundoFix Backups
2008-07-24 13:08 . 2008-07-24 13:45 26 --a------ C:\WINDOWS\dvdSanta.INI
2008-07-24 10:44 . 2008-07-24 10:44 <DIR> d-------- C:\TempDVD
2008-07-24 10:44 . 2008-07-24 13:16 <DIR> d-------- C:\Program Files\dvdSanta
2008-07-19 12:21 . 2008-07-19 12:21 <DIR> d-------- C:\Program Files\Radialpoint
2008-07-19 09:13 . 2008-07-28 18:33 225 --a------ C:\WINDOWS\freedom.backup.dat
2008-07-19 01:15 . 2008-07-19 09:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TELUS
2008-07-19 01:15 . 2008-07-19 01:15 70 --a------ C:\WINDOWS\D048BB7D.ini
2008-07-19 01:11 . 2005-03-14 19:18 48,640 -ra------ C:\WINDOWS\system32\drivers\FreeTdi.sys
2008-07-19 01:10 . 2008-07-19 09:28 <DIR> d-------- C:\Program Files\TELUS
2008-07-19 01:10 . 2008-07-26 00:15 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2008-07-19 01:10 . 2008-07-28 17:51 <DIR> d-------- C:\Program Files\Common Files\Command Software
2008-07-19 01:10 . 2003-09-24 10:23 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2008-07-19 01:09 . 2008-07-19 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TELUS
2008-07-15 21:58 . 2008-07-28 17:53 111,510 --a------ C:\WINDOWS\BMabdf19b6.xml
2008-07-13 18:16 . 1994-09-21 01:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
2008-07-13 18:16 . 1994-09-20 18:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
2008-07-13 16:55 . 2008-07-13 16:55 <DIR> d-------- C:\Program Files\EA Games
2008-07-13 14:10 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-07-13 12:21 . 2008-07-13 12:21 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2008-07-08 20:28 . 2008-07-08 20:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\InterVideo
2008-07-08 17:48 . 2004-08-03 23:10 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2008-07-08 17:48 . 2004-08-03 23:10 51,328 --a------ C:\WINDOWS\system32\dllcache\msdv.sys
2008-07-08 17:48 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2008-07-08 17:48 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\dllcache\avc.sys
2008-07-08 17:47 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-07-08 17:47 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\dllcache\61883.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 16:14 --------- d-----w C:\Program Files\Symantec
2008-07-19 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-14 00:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 22:28 --------- d-----w C:\Program Files\Java
2008-07-13 20:56 --------- d-----w C:\Program Files\Games
2008-06-03 19:48 --------- d-----w C:\Program Files\Download Manager
2007-12-05 21:22 1,190 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-30 02:57 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 15:56 180278]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 17:48 2061816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-25 21:21:44 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 06:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-02-25 22:34 245760 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 13:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2005-05-10 17:50 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenBillminder]
--a------ 2006-10-26 19:21 17408 C:\Program Files\Quicken\billmind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-14 16:55 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-14 16:43 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-01-24 02:56 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Games\\Age of Empires\\Empires.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-a8ec2a2a - C:\WINDOWS\system32\sasxvsfj.dll
HKLM-Run-BMabdf19b6 - C:\WINDOWS\system32\vodpbbfu.dll
MSConfigStartUp-a8ec2a2a - C:\WINDOWS\system32\nwfgvhlm.dll
MSConfigStartUp-BMabdf19b6 - C:\WINDOWS\system32\gjbxtpnl.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.ca/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 18:32:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-28 18:34:51 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-07-29 01:34:48

Pre-Run: 104,008,990,720 bytes free
Post-Run: 104,183,914,496 bytes free

224 --- E O F --- 2008-06-13 05:04:28

#4 Gremkor

Gremkor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 28 July 2008 - 11:03 PM

It looks like I still have some probs on the computer.

My antispyware listed KaZaA and Bifrost in my registry. There is some improvement though. I wasn't able to go to any websites before the combofix but now I am able to go(albeit much slower than usual). It also disabled my windows update before but now it's working but still a bit slow.

Here is a new HTJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:28 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5012 bytes

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 AM

Posted 29 July 2008 - 02:46 AM

Hi,

My antispyware listed KaZaA and Bifrost in my registry

What Antispyware and where exactly does it find in the registry?

It also disabled my windows update before but now it's working but still a bit slow

Checking for the updates/the green bar you see may indeed be slow. This is normal :thumbsup:

Also, please navigate to and delete the following files:

C:\WINDOWS\BMabdf19b6.xml
C:\WINDOWS\system32\goybvnhq.tmp

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Gremkor

Gremkor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 29 July 2008 - 08:54 PM

Hi,

The antispyware I have is from my ISP but it looks like the KaZaA and Bifrost hasn't returned after I removed it with the antispyware.

I have also deleted the two files you had asked me to and also uninstalled the ComboFix.

My wife also installed Ad-Aware to my computer and it said it found win32.trojandownloader.agent and Virtumonde and removed those two from my computer.

Here is a new HJT log. I hope it's clean.

Thanks again for all your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:32 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5231 bytes

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 AM

Posted 30 July 2008 - 12:30 AM

This looks OK again. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Gremkor

Gremkor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:33 PM

Posted 30 July 2008 - 11:22 PM

After trying things out for a couple of days, everything seems to work fine. Thanks again for your help :thumbsup: That combofix is pretty useful.

Also, have these programs/malware somehow disabled the autorun for my cd/dvd drive? It doesn't seem to be working now.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 AM

Posted 31 July 2008 - 12:23 AM

Also, have these programs/malware somehow disabled the autorun for my cd/dvd drive? It doesn't seem to be working now.

No, Combofix disabled autoruns as a security measure. Everyone should disable autoruns btw, so less malware would be spread. I do NOT recommend to enable it again.
http://www.cert.org/blogs/vuls/2008/04/the...ws_autorun.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 AM

Posted 05 August 2008 - 11:53 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users