
Xp 2008 I Think?


9 replies to this topic

#1 Bill Barr

  • Members
  • 18 posts

Posted 21 August 2008 - 08:10 PM

Attached is my HijackThis log. It took me a while because whatever I am infected with would not let it load or open. I ran Malwarebytes and noticed the XP 2008 had reappeared. I deleted it and it allowed HijackThis to load.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:59 PM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\irersxax.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...localundeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.weather.com/weather/local/29464...localundeclared
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...LocalUndeclared
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ShAplApi] C:\WINDOWS\system32\irersxax.exe
O4 - HKCU\..\Run: [WebCfgStr] C:\WINDOWS\system32\mhohmluh.exe
O4 - HKCU\..\Run: [AdmStr] C:\WINDOWS\system32\rozwhodw.exe
O4 - HKCU\..\Run: [DbMsgEn] C:\WINDOWS\system32\szspwbej.exe
O4 - HKCU\..\Run: [sysenui] C:\WINDOWS\system32\uponiryv.exe
O4 - HKCU\..\Run: [ProcHlp] C:\WINDOWS\system32\lmnwleti.exe
O4 - Startup: MessengerBlocker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O21 - SSODL: uiwincmd - {0756C43C-8E7B-795B-CE98-057697B5FD0F} - C:\Program Files\bxhyaff\uiwincmd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6418 bytes
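The O4 Run and O21 SSODL lines in a log like the one above are what a helper reads first. As an added example that is not part of this thread or of HijackThis, here is a small Python triage script that parses those two line types from a constructed sample (lines copied from the log posted above) and scores each with a few hand-picked heuristics, so that entries such as the HKCU Run values pointing at system32\irersxax.exe stand out for review. The signal weights and the threshold are assumptions of this example, not a HijackThis rule, and a flagged entry is a candidate for a second look, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ShAplApi] C:\WINDOWS\system32\irersxax.exe
O4 - HKCU\..\Run: [WebCfgStr] C:\WINDOWS\system32\mhohmluh.exe
O4 - Startup: MessengerBlocker.exe
O21 - SSODL: uiwincmd - {0756C43C-8E7B-795B-CE98-057697B5FD0F} - C:\Program Files\bxhyaff\uiwincmd.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis line shapes handled here: O4 Run-key entries and O21 SSODL entries.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# Pull the executable path out of a command that may be quoted and carry arguments.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx))"?(?:\s.*)?$', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")

# Heuristic weights are an assumption of this example, not a HijackThis rule.
WEIGHTS = {
    "hkcu_run": 1,       # per-user Run key: persistence without admin rights
    "in_system32": 1,    # target sits among OS binaries in %SystemRoot%\system32
    "name_mismatch": 1,  # registry value name and file name do not correspond
    "random_stem": 1,    # file name is 8 lowercase letters, typical of generated names
    "ssodl": 2,          # ShellServiceObjectDelayLoad is rarely used by legitimate software
}


@dataclass
class Entry:
    section: str   # "O4" or "O21"
    hive: str      # "HKLM", "HKCU", or "" for O21 entries
    name: str      # value name shown in [brackets] (or the SSODL name)
    path: str      # executable or DLL path extracted from the line
    signals: list = field(default_factory=list)

    @property
    def stem(self) -> str:
        """File name without directory and extension, e.g. 'irersxax'."""
        return self.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

    @property
    def score(self) -> int:
        return sum(WEIGHTS[s] for s in self.signals)


def parse_entries(log_text: str) -> list:
    """Extract O4 Run and O21 SSODL entries; other HijackThis sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            pm = PATH_RE.match(m["cmd"])
            path = pm["path"] if pm else m["cmd"]
            entries.append(Entry("O4", m["hive"], m["name"], path))
        elif m := SSODL_RE.match(line):
            entries.append(Entry("O21", "", m["name"], m["path"].strip()))
    return entries


def score_entry(entry: Entry) -> Entry:
    """Attach every heuristic signal that applies to the entry (in place) and return it."""
    stem = entry.stem
    if entry.hive == "HKCU":
        entry.signals.append("hkcu_run")
    if "\\windows\\system32\\" in entry.path.lower():
        entry.signals.append("in_system32")
    if entry.name.lower() != stem.lower():
        entry.signals.append("name_mismatch")
    if RANDOM_STEM_RE.match(stem):
        entry.signals.append("random_stem")
    if entry.section == "O21":
        entry.signals.append("ssodl")
    return entry


def triage(log_text: str, threshold: int = 3) -> list:
    """Return entries whose summed signal weight reaches the threshold, highest score first."""
    flagged = [e for e in map(score_entry, parse_entries(log_text)) if e.score >= threshold]
    flagged.sort(key=lambda e: (-e.score, e.path.lower()))
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:3} {e.hive:4} [{e.name}] -> {e.path}  score={e.score}  {', '.join(e.signals)}")
```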


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 August 2008 - 02:08 PM

Hello. My name is Extremeboy, and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the [image] button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the [image] button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and run HijackThis again

Click here to download HijackThis if you lost your copy.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.

Click on the Do A System scan and Save a Log File button. It will scan and then Notepad will open with the log.
Please copy and paste everything here in your next reply. To do that press Ctrl+A to highlight everything, then press Ctrl+C to copy everything.
Finally press Ctrl+P to paste everything.

Thanks :thumbsup:

Edited by extremeboy, 24 August 2008 - 02:08 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 Bill Barr

  • Topic Starter
  • Members
  • 18 posts

Posted 24 August 2008 - 03:24 PM

Extremeboy,

Here it is:

Bill Barr

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:53 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\irersxax.exe
C:\Documents and Settings\Bill Barr\Start Menu\Programs\Startup\MessengerBlocker.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...LocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...LocalUndeclared
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ShAplApi] C:\WINDOWS\system32\irersxax.exe
O4 - HKCU\..\Run: [WebCfgStr] C:\WINDOWS\system32\mhohmluh.exe
O4 - HKCU\..\Run: [AdmStr] C:\WINDOWS\system32\rozwhodw.exe
O4 - HKCU\..\Run: [DbMsgEn] C:\WINDOWS\system32\szspwbej.exe
O4 - HKCU\..\Run: [sysenui] C:\WINDOWS\system32\uponiryv.exe
O4 - HKCU\..\Run: [ProcHlp] C:\WINDOWS\system32\lmnwleti.exe
O4 - Startup: MessengerBlocker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O21 - SSODL: uiwincmd - {0756C43C-8E7B-795B-CE98-057697B5FD0F} - C:\Program Files\bxhyaff\uiwincmd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6168 bytes

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 August 2008 - 09:18 AM

Hi Bill Barr and welcome to Bleepingcomputer!

Peer-to-Peer Programs Warning

Your log(s) show that you were using so-called peer-to-peer or file-sharing programmes (in your case RoxLiveShare9.exe). These programmes allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

I see that it is "file missing" therefore I suspect that you have already removed it from Add/Remove. If NOT please remove it now.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Thanks :thumbsup:

Removing Programs using Add/Remove

We need to remove AVG Anti-Spyware 7.5 and ewido security suite control from Add/Remove because these programs are outdated and no longer updated, therefore they will not be a great help when removing spyware.

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
Uninstall the following by clicking on the following entries and selecting "Remove":

AVG anti-spyware 7.5
ewido security suite control

Additional instructions can be found here if needed.

Disable Realtime Protection
Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable Avast!'s realtime protection by right-clicking on the tray icon beside your clock that looks like [image] and selecting Stop On-Access Protection.

Refer to this page, if you are unsure how.

Download and Run Combofix

Before we start please disable any anti-virus programs or any real-time protection that is enabled.
Please refer to this page if you're unsure how.
  • Please follow the instructions for running Combofix from here
  • Please read the guide carefully and follow every instruction precisely, and remember to install the Recovery Console first.

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
    [image]
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the recovery console, you will see this window.
    [image]
    Please select Yes.
  • Combofix will then run; when ComboFix is finished, it will create a log for you. Please copy and paste that log in your next reply.
Note: Please do NOT click ComboFix's window while it's running because it may cause it to stall.

For your next reply I would like to see the following please:
  • Fresh Hijackthis Log
  • Combofix log
  • How is your computer running now?
Thanks :)

With Regards,
Extremeboy

#5 Bill Barr

  • Topic Starter
  • Members
  • 18 posts

Posted 27 August 2008 - 06:13 AM

OK, I'll do it tonight.

Bill Barr

#6 Bill Barr

  • Topic Starter
  • Members
  • 18 posts

Posted 27 August 2008 - 09:09 PM

Extremeboy,

Logs are below,

Bill Barr

Combofix log:

ComboFix 08-08-27.03 - Bill Barr 2008-08-27 21:57:49.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -4:00]
Running from: C:\Documents and Settings\Bill Barr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\actskn43.ocx

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-27 21:55 . 2008-08-27 21:55 2,833,377 --a------ C:\Temp\ComboFix.exe
2008-08-21 20:57 . 2008-08-21 20:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 18:25 . 2008-08-19 18:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 18:21 . 2008-08-19 18:40 <DIR> d-------- C:\SDFix
2008-08-19 18:21 . 2008-08-19 18:21 1,463,521 --a------ C:\Temp\SDFix.exe
2008-08-18 18:04 . 2008-08-24 08:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-17 17:24 . 2008-08-17 17:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 17:24 . 2008-08-17 17:24 <DIR> d-------- C:\Documents and Settings\Bill Barr\Application Data\Malwarebytes
2008-08-17 17:24 . 2008-08-17 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 17:24 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-17 17:24 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-17 17:20 . 2008-08-17 17:20 2,085,280 --a------ C:\Temp\mbam-setup.exe
2008-08-17 14:29 . 2008-08-17 14:29 7,862,448 --a------ C:\Temp\spyhunterFULL.exe
2008-08-17 14:12 . 2008-08-17 14:12 <DIR> d-------- C:\Program Files\bxhyaff
2008-08-17 13:53 . 2008-08-17 13:53 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-08-17 13:45 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-08-17 13:45 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-17 12:58 . 2008-08-17 12:32 44,848 --a------ C:\Temp\trsetup.exe
2008-08-17 12:19 . 2008-08-22 08:01 <DIR> d-------- C:\Program Files\Malware suspicious Folders and files
2008-08-17 12:06 . 2008-08-21 20:57 812,344 --a------ C:\Temp\HJTInstall.exe
2008-08-16 15:20 . 2008-08-16 15:20 42,988 --a------ C:\Temp\spybotsd_includes.exe
2008-08-16 09:43 . 2008-08-16 09:43 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 19:46 . 2008-08-15 19:46 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-14 21:45 . 2008-08-14 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\shktcfif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 01:43 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-25 22:14 --------- d-----w C:\Program Files\Microsoft Office 2007
2008-08-25 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-17 20:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-15 01:08 --------- d-----w C:\Program Files\XoftSpySE
2008-07-20 18:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 18:31 --------- d-----w C:\Program Files\Magellan
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-17_13.38.07.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-19 22:26:15 5,341,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-08-19 22:26:15 16,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-19 22:25:59 5,341,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-08-19 22:25:59 16,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-09-16 15:45:09 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-08-25 23:05:52 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-09-16 15:45:09 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-08-25 23:05:52 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-09-16 15:45:09 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-08-25 23:05:52 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-09-16 15:45:09 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-08-25 23:05:52 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-09-16 15:45:09 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-08-25 23:05:52 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-09-16 15:45:09 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-08-25 23:05:52 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-09-16 15:45:10 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-08-25 23:05:52 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-09-16 15:45:09 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-08-25 23:05:52 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-09-16 15:45:09 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-08-25 23:05:52 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-09-16 15:45:10 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-08-25 23:05:52 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-09-16 15:45:08 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-08-25 23:05:52 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-09-16 15:45:08 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-08-25 23:05:52 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2004-08-04 12:00:00 138,496 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
- 2007-08-22 13:12:15 1,022,976 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
- 2007-08-22 13:12:15 151,040 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
+ 2008-06-23 15:38:29 151,040 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
- 2007-07-30 23:19:20 92,504 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
+ 2008-07-19 02:10:48 94,920 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
- 2007-08-22 13:12:16 1,054,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
+ 2008-06-23 15:38:30 1,054,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
- 2004-08-04 12:00:00 561,179 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dao360.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
- 2007-08-22 13:12:16 357,888 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2005-07-26 04:39:45 243,200 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
+ 2008-07-07 20:32:22 253,952 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
- 2007-08-22 13:12:16 55,808 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-06-23 15:38:30 55,808 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2007-08-21 10:30:45 18,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
+ 2008-06-23 09:49:29 18,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
- 2007-08-22 13:12:16 251,392 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
+ 2008-06-23 15:38:31 251,392 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
- 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
- 2007-08-22 13:12:16 96,256 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
+ 2008-06-23 15:38:31 96,256 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
- 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
- 2007-08-22 13:12:16 16,384 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2004-08-04 12:00:00 331,776 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
+ 2008-05-01 14:30:33 331,776 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
- 2005-06-29 01:46:00 74,240 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
+ 2008-06-24 16:23:05 74,240 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
- 2004-08-04 12:00:00 512,029 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexch40.dll
- 2004-08-04 12:00:00 319,517 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexcl40.dll
- 2007-08-22 13:12:17 3,058,176 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
- 2007-08-22 13:12:17 449,024 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2004-08-04 12:00:00 1,507,356 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjet40.dll
- 2004-08-04 12:00:00 358,976 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjetol1.dll
- 2004-08-04 12:00:00 151,583 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
- 2004-08-04 12:00:00 53,279 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll
- 2004-08-04 12:00:00 241,693 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjtes40.dll
- 2004-08-04 12:00:00 213,023 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msltus40.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mspbde40.dll
- 2007-08-22 13:12:17 146,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-06-23 15:38:33 146,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2004-08-04 12:00:00 421,919 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrepl40.dll
- 2004-08-04 12:00:00 258,077 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstext40.dll
- 2007-08-22 13:12:17 532,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-06-23 15:38:33 532,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2004-08-04 12:00:00 831,519 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswdat10.dll
- 2004-08-04 12:00:00 245,248 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
- 2004-08-04 12:00:00 614,429 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswstr10.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msxbde40.dll
- 2007-08-22 13:12:17 39,424 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
- 2007-08-22 13:12:18 1,494,528 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
- 2007-08-22 13:12:18 474,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
- 2006-04-20 11:51:50 359,808 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
- 2007-08-22 13:12:18 615,424 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-06-23 15:38:34 615,936 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2004-08-04 12:00:00 417,792 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
- 2006-06-19 20:20:42 702,768 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaLogon.dll
+ 2007-04-10 18:00:46 236,928 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaLogon.dll
- 2006-06-19 20:19:26 304,944 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaTray.exe
+ 2007-04-10 18:01:18 336,768 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaTray.exe
- 2007-08-22 13:12:18 658,944 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-06-23 15:38:34 659,456 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2005-01-28 18:44:28 224,768 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
+ 2007-10-27 21:40:06 227,328 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
- 2007-07-30 23:19:36 549,720 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
+ 2008-07-19 02:09:44 563,912 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
- 2007-07-30 23:19:16 53,080 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
+ 2008-07-19 02:10:42 53,448 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
- 2007-07-30 23:19:42 1,712,984 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
+ 2008-07-19 02:09:42 1,811,656 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
- 2007-07-30 23:19:32 325,976 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
+ 2008-07-19 02:09:46 325,832 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
- 2007-07-30 23:18:40 33,624 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
+ 2008-07-19 02:10:20 36,552 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
- 2007-07-30 23:19:28 203,096 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
+ 2008-07-19 02:09:44 205,000 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
- 2004-08-04 12:00:00 138,496 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\afd.sys
+ 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\afd.sys
- 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rmcast.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
- 2006-08-16 09:37:30 225,664 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys
- 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2007-08-22 13:12:16 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-04-06 22:18:37 345,016 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-08-27 22:03:39 344,216 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
- 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
- 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
- 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2006-06-19 20:19:42 571,184 ----a-w C:\WINDOWS\SYSTEM32\legitcheckcontrol.dll
+ 2007-04-10 18:02:50 1,476,992 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
- 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
- 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
- 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
- 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
- 2008-06-28 01:49:39 42,348 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-25 23:05:29 42,348 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-06-28 01:49:39 317,284 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-25 23:05:29 317,284 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
- 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-07-19 02:10:20 36,552 ----a-w C:\WINDOWS\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 02:10:40 45,768 ----a-w C:\WINDOWS\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
- 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2007-07-18 12:42:22 60,416 ----a-w C:\WINDOWS\SYSTEM32\tzchange.exe
+ 2008-07-14 11:09:18 62,976 ----a-w C:\WINDOWS\SYSTEM32\tzchange.exe
- 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2004-08-04 12:00:00 417,792 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
- 2006-06-19 20:20:42 702,768 ----a-w C:\WINDOWS\SYSTEM32\WgaLogon.dll
+ 2007-04-10 18:00:46 236,928 ----a-w C:\WINDOWS\SYSTEM32\WgaLogon.dll
- 2006-06-19 20:19:26 304,944 ----a-w C:\WINDOWS\SYSTEM32\WgaTray.exe
+ 2007-04-10 18:01:18 336,768 ----a-w C:\WINDOWS\SYSTEM32\WgaTray.exe
- 2005-01-28 18:44:28 224,768 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
+ 2007-10-27 21:40:06 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-08-27 22:03:47 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_538.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 08:46 188416]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-06-20 15:06 339968]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 10:38 78008]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-07-01 13:15 131072]

C:\Documents and Settings\Bill Barr\Start Menu\Programs\Startup\
MessengerBlocker.exe [2004-10-11 08:01:55 483328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"uiwincmd"= {0756C43C-8E7B-795B-CE98-057697B5FD0F} - C:\Program Files\bxhyaff\uiwincmd.dll [2008-08-17 14:12 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dmupqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R4 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys []
S3 adxapie;adxapie;C:\DOCUME~1\BILLBA~1\LOCALS~1\Temp\adxapie.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2008-08-27 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

2008-08-27 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ShAplApi - C:\WINDOWS\system32\irersxax.exe
HKCU-Run-WebCfgStr - C:\WINDOWS\system32\mhohmluh.exe
HKCU-Run-AdmStr - C:\WINDOWS\system32\rozwhodw.exe
HKCU-Run-DbMsgEn - C:\WINDOWS\system32\szspwbej.exe
HKCU-Run-sysenui - C:\WINDOWS\system32\uponiryv.exe
HKCU-Run-ProcHlp - C:\WINDOWS\system32\lmnwleti.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.weather.com/weather/local/29464?lswe=29464&lwsa=WeatherLocalUndeclared
R0 -: HKLM-Main,Start Page = hxxp://www.weather.com/weather/local/29464?lswe=29464&lwsa=WeatherLocalUndeclared
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 22:00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\BILLBA~1\LOCALS~1\Temp\RGI13.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-27 22:02:10
ComboFix-quarantined-files.txt 2008-08-28 02:02:05
ComboFix2.txt 2008-08-17 17:38:30
ComboFix3.txt 2007-11-11 16:32:31

Pre-Run: 6,435,192,832 bytes free
Post-Run: 6,425,935,872 bytes free

395 --- E O F --- 2008-08-24 12:28:42

Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:53 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Documents and Settings\Bill Barr\Start Menu\Programs\Startup\MessengerBlocker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...LocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29464...LocalUndeclared
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MessengerBlocker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - AppInit_DLLs: dmupqp.dll
O21 - SSODL: uiwincmd - {0756C43C-8E7B-795B-CE98-057697B5FD0F} - C:\Program Files\bxhyaff\uiwincmd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 5301 bytes

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 28 August 2008 - 09:16 AM

Hi,

Disable Realtime Protection
Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable Avast!'s realtime protection by right-clicking on the tray icon beside your clock and selecting Stop On-Access Protection.

Refer to this page if you are unsure how.

Please Install Recovery Console

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No

Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:


    File::
    C:\Windows\System32\dmupqp.dll

    Folder::
    C:\Program Files\bxhyaff
    C:\Documents and Settings\All Users\Application Data\shktcfif

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

    O21 - SSODL: uiwincmd - {0756C43C-8E7B-795B-CE98-057697B5FD0F} -

    Driver::
    ewido security suite driver
    adxapie
    AvFlt

    rootkit::
    C:\DOCUME~1\BILLBA~1\LOCALS~1\Temp\RGI13.tmp
    C:\WINDOWS\system32\lmnwleti.exe

Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
Drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

NOTE: Please do NOT run ComboFix more than once.

Thanks :thumbsup:

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For your next reply please provide the following:
  • Combofix log
  • Malwarebytes Anti-malware log
  • Fresh Hijackthis log (please RUN Hijackthis after you completed the above steps.)
Thanks :)

With Regards
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#8 Bill Barr

Bill Barr
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 30 August 2008 - 10:16 AM

Extremeboy, all appears well. The pop-up I was having appears to be gone.

Thank you,

Bill Barr

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 30 August 2008 - 10:38 AM

Hi Bill Barr,

That is good to know :thumbsup:
Can you please finish following the above instructions and post the logs here in this thread?

Extremeboy, all appears well. The pop-up I was having appears to be gone.

Does that mean that you do not need help anymore? Even if everything seems better, there are probably more symptoms of infections present, therefore I suggest you follow the above instructions.
If you're sure that you don't need help anymore, please say so, so this topic can be closed.

Thanks :)

With Regards,
Extremeboy

Edited by extremeboy, 30 August 2008 - 10:40 AM.


#10 Bill Barr

Bill Barr
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 02 September 2008 - 07:00 AM

Extremeboy,

All appears well. Please close the topic; if it recurs I'll log back on.

Thank you,

Bill Barr



