
Infected With Everything!


  • This topic is locked
9 replies to this topic

#1 powerchordantics


Posted 28 September 2008 - 02:46 PM

I have been having many, many problems with my laptop recently, which is extremely frustrating as I have just started university and so I desperately need my laptop to work properly! It does the following:
  • Freezes, so that whilst entering text the text will stop typing for a few moments and I will have to re-enter what I have typed when the laptop unfreezes
  • I frequently get popups such as for an "X-Ray Scanner" and "Antivirus 2009". I have never had problems with popups until recently as Zone Alarm should block them, which is why I think it's a virus as opposed to real popups.
  • Webpages take ages to load, especially certain ones which I check everyday such as Facebook. If they load the first time, clicking on different links through the site will result in a system crash within about 10-15 minutes.
  • I am now unable to open Mozilla Firefox. The mouse pointer turns into the egg timer, as if it's about to load, but then nothing happens.
  • The performance of the laptop is generally slow
  • It frequently crashes and freezes; even more so when I am using internet facilities.
I know that I have had a number of viruses. I have downloaded different antivirus, antimalware and antispyware software as recommended by this site, and each one has caught a few baddies, but it's still playing up. At least one baddy seems to re-spawn itself when I restart the laptop. Can anyone help please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:14, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: itoghe.dll,nygusv.dll,uzajzw.dll,bgmcxt.dll,vlpnzf.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6021 bytes

Edited by powerchordantics, 28 September 2008 - 02:48 PM.




#2 powerchordantics


Posted 02 October 2008 - 04:23 PM

I know it says not to bump topics, but it's been a few days and I'm getting desperate. I also noticed people posting after me getting responses... If there's any more information anyone needs for this, please let me know; I'm desperate to fix whatever's wrong with my laptop!

#3 chryssi2001


Posted 05 October 2008 - 04:41 AM

Hello powerchordantics,

I apologise for the delay, the forum is busy.
----------------------------------------------
Your HijackThis log is messed up and unreadable. This is caused by having Word Wrap checked.
So before posting a new Hijackthis Log:

1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears un-checked.
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#4 powerchordantics


Posted 05 October 2008 - 06:46 AM

Oops! I did what you said, here's the results-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:17, on 05/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IP - {000051AF-07E2-461B-BA37-A2AF7E652E7D} - C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll (file missing)
O2 - BHO: (no name) - {0AB429C8-3ED2-4B84-9E42-B26E23E6A46E} - (no file)
O2 - BHO: (no name) - {0D68B335-1F11-40A5-9D88-16A678B59E6F} - C:\WINDOWS\system32\geBqRhGA.dll (file missing)
O2 - BHO: (no name) - {135615B6-5B60-4BE4-9132-E79AC8DC9EEA} - (no file)
O2 - BHO: (no name) - {1550FDFB-3AE5-46E5-974F-FCE61650459B} - (no file)
O2 - BHO: (no name) - {20F74679-3A8D-4B39-A4ED-E6D497F65FE3} - (no file)
O2 - BHO: (no name) - {3B1A967E-1B39-4F39-8AD4-805AB2062437} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {405CD330-015D-494D-8A27-25AA5B567A6F} - (no file)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\awcggkvp.dll (file missing)
O2 - BHO: (no name) - {68256422-DEFA-4B08-A406-4EE1CF59E3C6} - (no file)
O2 - BHO: (no name) - {74276A48-6949-4858-9E53-7C26C291354D} - C:\WINDOWS\system32\geBrsQhe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {85F6E67B-A86D-4FC0-8E66-8E75628DE9B6} - (no file)
O2 - BHO: (no name) - {8B8AE999-1246-4536-B7B7-C542BD77D0D1} - C:\WINDOWS\system32\byXNfCSl.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91593584-0E72-486D-846C-D98C955F1DFF} - C:\WINDOWS\system32\urqNDVnn.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A83A596F-8AA2-4240-A6C9-6D0AC1D3D331} - (no file)
O2 - BHO: (no name) - {AD37559C-9AB1-4064-850C-2B35BA955496} - (no file)
O2 - BHO: (no name) - {AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\geBtQkHY.dll
O2 - BHO: (no name) - {BEA98502-5DB6-4A08-A274-0C97C2F1B04E} - (no file)
O2 - BHO: (no name) - {C1FAE180-B6D1-461F-95A0-64D5159C83B8} - C:\WINDOWS\system32\opnopQgh.dll (file missing)
O2 - BHO: (no name) - {D1AFAD1F-2378-4ACC-BE69-2E2A7610065F} - C:\WINDOWS\system32\mlJAsPjk.dll (file missing)
O2 - BHO: (no name) - {DEA54972-1A0C-47C7-BDBF-D40CCD229C75} - (no file)
O2 - BHO: (no name) - {DF412788-9A9D-41B2-9B58-B3150D8FA54B} - C:\WINDOWS\system32\mlJBSlJA.dll (file missing)
O2 - BHO: (no name) - {E9DE4218-5D73-4E7C-B484-F60414C919A6} - (no file)
O2 - BHO: (no name) - {f120d22f-1e4e-4164-8611-0e93a05a7c59} - (no file)
O2 - BHO: (no name) - {F8A187BE-EFCF-44A4-BA9D-5FA1D8B0ADE1} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [4c8bfad7] rundll32.exe "C:\WINDOWS\system32\pwilfnmv.dll",b
O4 - HKLM\..\Run: [BM4fb8c94b] Rundll32.exe "C:\WINDOWS\system32\xljxtqyu.dll",s
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: itoghe.dll,nygusv.dll,uzajzw.dll,bgmcxt.dll,vlpnzf.dll,avgrsstx.dll
O20 - Winlogon Notify: byxwttt - byxwttt.dll (file missing)
O20 - Winlogon Notify: geBtQkHY - C:\WINDOWS\SYSTEM32\geBtQkHY.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9639 bytes
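The two things this thread runs into, re-joining a log that Word Wrap split (post #3's advice) and reading the entries that stand out in the second log, as an added Python helper; this is not code from BleepingComputer, Trend Micro or the thread's helpers. The record-start patterns, the wrap-column heuristic and the triage rules are assumptions modelled on the two logs above, and the sample lines are copied from those logs.

```python
"""Helper for HijackThis v2 logs like the two in this thread: undo Notepad's Word
Wrap (why the first log was unreadable), then pull out the entry types that carry
most of the signal in the second.  Patterns and rules are assumptions, not HijackThis features."""
import re

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
HEADER_RE = re.compile(r"^(Logfile of |Scan saved |Platform: |MSIE: |Boot mode: |Running processes:|--$|End of file)")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")                    # a path in the process list
HEX_VALUE_RE = re.compile(r"\[(?:BM)?[0-9a-f]{8}\]", re.I)    # [4c8bfad7], [BM4fb8c94b]
# 6-8 letter DLL basename, lowercase start, two or more capitals inside: geBtQkHY.dll
MIXED_CASE_RE = re.compile(r"\b(?=[A-Za-z]{6,8}\.dll)[a-z]+(?:[A-Z][a-z]*){2,}\.dll")

def unwrap(log_text):
    """Re-join lines that Word Wrap split: a non-blank line that does not start a
    record continues the one before it.  Notepad breaks at a space when it can, so a
    fragment that fills the wrap column exactly was cut inside a token ('avgrs' /
    'stx.dll' above) and is glued back with no space; shorter ones get a space.
    Assumption: the wrap column is the longest line (true once any mid-token cut
    occurred; a word ending exactly at the column would be glued wrongly, rare)."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    width = max((len(ln) for ln in lines), default=0)
    records, last_len, in_entries = [], 0, False
    for line in lines:
        if not line:
            continue
        is_entry = bool(ENTRY_RE.match(line))
        in_entries = in_entries or is_entry
        # A drive-letter line starts a record only in the process list; after the
        # first O/R entry such a path is the tail of an entry (the O3 toolbar DLL).
        starts = (is_entry or HEADER_RE.match(line) or not records
                  or (not in_entries and PROCESS_RE.match(line)))
        if starts:
            records.append(line)
        else:
            records[-1] += ("" if last_len == width else " ") + line
        last_len = len(line)
    return records

def parse(records):
    """(section, body) for every R*/O* entry; header and process list are skipped."""
    out = []
    for rec in records:
        m = ENTRY_RE.match(rec)
        if m:
            out.append((m.group(1), rec[m.end():]))
    return out

def appinit_dlls(entries):
    """DLL names in the O20 AppInit_DLLs entry.  Each is loaded into every process
    that maps user32.dll, so each needs an installer that explains it: the ComboFix
    log above creates avgrsstx.dll in the same minute as the AVG drivers, while
    nothing in the logs accounts for the other five."""
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            return [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
    return []

def triage(entries):
    """(section, rule, entry) findings for the patterns that stand out in post #4."""
    findings = []
    for sec, body in entries:
        entry = sec + " - " + body
        if sec == "O2" and body.startswith("BHO: (no name)"):
            if body.endswith("(no file)"):
                rule = "bho-orphan-clsid"      # registration left behind, nothing on disk
            elif body.endswith("(file missing)"):
                rule = "bho-dll-missing"       # DLL already removed, CLSID still registered
            else:
                rule = "bho-nameless-dll"      # nameless BHO whose DLL is still present
            findings.append((sec, rule, entry))
        if sec == "O4" and HEX_VALUE_RE.search(body) and re.search(r"rundll32\.exe", body, re.I):
            findings.append((sec, "run-rundll32-hex", entry))  # hex-named Run value loading a DLL
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "appinit-dlls", entry))
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((sec, "winlogon-notify", entry))   # runs inside winlogon.exe at logon
        if MIXED_CASE_RE.search(body):
            findings.append((sec, "mixed-case-name", entry))   # the geBtQkHY-style names
    return findings

WRAPPED_SAMPLE = "\n".join([   # lines copied from the wrapped first log (post #1), column 60
    "Logfile of Trend Micro HijackThis v2.0.2", "Running processes:", r"C:\WINDOWS\System32\smss.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\Windows", "", r"Live\WLLoginProxy.exe", "",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start", "", "Page = http://www.tiscali.co.uk/broadband",
    "O20 - AppInit_DLLs:", "", "itoghe.dll,nygusv.dll,uzajzw.dll,bgmcxt.dll,vlpnzf.dll,avgrs", "", "stx.dll",
])
CLEAN_SAMPLE = "\n".join([     # entries copied from the readable second log (post #4)
    r"O2 - BHO: (no name) - {0D68B335-1F11-40A5-9D88-16A678B59E6F} - C:\WINDOWS\system32\geBqRhGA.dll (file missing)",
    r"O2 - BHO: (no name) - {135615B6-5B60-4BE4-9132-E79AC8DC9EEA} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O2 - BHO: (no name) - {AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\geBtQkHY.dll",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r'O4 - HKLM\..\Run: [4c8bfad7] rundll32.exe "C:\WINDOWS\system32\pwilfnmv.dll",b',
    r'O4 - HKLM\..\Run: [BM4fb8c94b] Rundll32.exe "C:\WINDOWS\system32\xljxtqyu.dll",s',
    "O20 - AppInit_DLLs: itoghe.dll,nygusv.dll,uzajzw.dll,bgmcxt.dll,vlpnzf.dll,avgrsstx.dll",
    "O20 - Winlogon Notify: byxwttt - byxwttt.dll (file missing)",
    r"O20 - Winlogon Notify: geBtQkHY - C:\WINDOWS\SYSTEM32\geBtQkHY.dll",
])
if __name__ == "__main__":
    print(*unwrap(WRAPPED_SAMPLE), *triage(parse(unwrap(CLEAN_SAMPLE))), sep="\n")
```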

#5 chryssi2001


Posted 05 October 2008 - 12:33 PM

Hello power,

Can I call you that? Your user name is too big :thumbsup:
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


#6 powerchordantics


Posted 06 October 2008 - 05:05 AM

Hi, thanks for the quick reply! I'm trying to follow the instructions, but when I get to step 3 (dragging and dropping the Recovery Console icon onto the ComboFix icon on the desktop) it doesn't install the Recovery Console; instead it just starts up ComboFix. Is there anything I can do to rectify this?

#7 chryssi2001


Posted 06 October 2008 - 11:09 AM

Hello power,

Do not drag the Recovery Console icon onto ComboFix again.

Double-click ComboFix to run it, see my post (disable your protection programs) and keep your hands away from the PC until it finishes.

Then post back the log and a new HijackThis log.

#8 powerchordantics


Posted 06 October 2008 - 03:30 PM

ComboFix-

ComboFix 08-10-05.05 - User 2008-10-06 20:24:55.1 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[3].txt
C:\Documents and Settings\User\Cookies\user@revsci[3].txt
C:\Documents and Settings\User\Cookies\user@serving-sys[2].txt
C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
C:\WINDOWS\BM4fb8c94b.txt
C:\WINDOWS\BM4fb8c94b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AGhRqBeg.ini
C:\WINDOWS\system32\AGhRqBeg.ini2
C:\WINDOWS\system32\AJlSBJlm.ini
C:\WINDOWS\system32\AJlSBJlm.ini2
C:\WINDOWS\system32\aoxltr.dll
C:\WINDOWS\system32\aulgkbft.ini
C:\WINDOWS\system32\bgdxfjkc.ini
C:\WINDOWS\system32\bgmcxt.dll
C:\WINDOWS\system32\caqxbdyr.ini
C:\WINDOWS\system32\cbJjPXbc.ini
C:\WINDOWS\system32\cbXPjJbc.dll
C:\WINDOWS\system32\cocqcgpd.dll
C:\WINDOWS\system32\dnaelrlu.dll
C:\WINDOWS\system32\dqapvbbk.dll
C:\WINDOWS\system32\dqvsgoee.dll
C:\WINDOWS\system32\EhjlTAKj.ini
C:\WINDOWS\system32\ehqkklcc.dll
C:\WINDOWS\system32\ehQsrBeg.ini
C:\WINDOWS\system32\ehQsrBeg.ini2
C:\WINDOWS\system32\evngxork.dll
C:\WINDOWS\system32\feecbckm.dll
C:\WINDOWS\system32\ftogpwxm.dll
C:\WINDOWS\system32\fuygywjo.dll
C:\WINDOWS\system32\fwcmqkat.ini
C:\WINDOWS\system32\geBtQkHY.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tmp54.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-03 20:58 . 2008-10-03 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-10-03 20:55 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-10-03 20:55 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-10-03 20:46 . 2008-10-03 20:46 412 --a------ C:\WINDOWS\MAXLINK.INI
2008-10-03 20:45 . 2008-10-03 20:45 <DIR> d-------- C:\Documents and Settings\User\Application Data\ScanSoft
2008-10-03 20:45 . 2008-10-03 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-10-03 20:44 . 2008-10-03 20:44 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-10-03 20:44 . 2008-10-03 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-10-03 20:43 . 2008-10-03 20:43 <DIR> d-------- C:\Program Files\ScanSoft
2008-10-03 20:39 . 2008-10-03 20:39 <DIR> d-------- C:\Program Files\Common Files\CANON
2008-10-03 20:34 . 2008-10-03 20:34 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-10-03 20:33 . 2008-10-03 20:33 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-10-03 20:33 . 2007-03-23 08:30 1,400,832 --a------ C:\WINDOWS\system32\CNC220C.DLL
2008-10-03 20:33 . 2007-03-18 21:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8T.DLL
2008-10-03 20:33 . 2007-03-19 02:18 200,704 --a------ C:\WINDOWS\system32\CNC220L.DLL
2008-10-03 20:33 . 2007-03-15 06:12 188,416 --a------ C:\WINDOWS\system32\CNC220O.DLL
2008-10-03 20:33 . 2007-03-23 08:29 98,304 --a------ C:\WINDOWS\system32\CNC220I.DLL
2008-10-03 20:32 . 2008-10-03 20:32 <DIR> d--h----- C:\Program Files\CanonBJ
2008-10-03 20:31 . 2008-10-03 20:58 <DIR> d-------- C:\Program Files\Canon
2008-09-28 20:34 . 2008-09-28 20:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 16:10 . 2008-10-04 12:41 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-24 16:03 . 2008-10-06 21:09 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-24 16:03 . 2008-09-24 16:03 <DIR> d-------- C:\Program Files\AVG
2008-09-24 16:03 . 2008-09-24 19:55 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-09-24 16:03 . 2008-09-24 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-24 16:03 . 2008-09-24 16:03 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-24 16:03 . 2008-09-24 16:03 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-24 16:03 . 2008-09-24 16:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-18 21:57 . 2008-09-18 21:57 <DIR> d-------- C:\Program Files\Panda Security
2008-09-08 07:51 . 2008-09-28 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-08 07:51 . 2008-09-28 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 01:00 . 2008-09-08 01:00 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-08 00:58 . 2008-09-08 01:34 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-09-08 00:58 . 2008-09-08 00:58 <DIR> d-------- C:\Program Files\CyberFlix
2008-09-08 00:58 . 2008-09-08 00:58 <DIR> d-------- C:\Program Files\Corel
2008-09-07 21:48 . 2008-09-08 00:57 <DIR> d-------- C:\Documents and Settings\User\Application Data\DivX
2008-09-07 00:13 . 2008-09-08 07:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\DNA
2008-09-06 23:34 . 2008-09-08 19:53 <DIR> d-------- C:\WINDOWS\system32\yb
2008-09-06 23:34 . 2008-09-24 19:08 <DIR> d-------- C:\WINDOWS\system32\xde
2008-09-06 23:34 . 2008-09-24 19:08 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-09-06 23:34 . 2008-09-06 23:34 <DIR> d-------- C:\WINDOWS\system32\itv
2008-09-06 23:34 . 2008-09-08 19:50 <DIR> d-------- C:\WINDOWS\system32\cs
2008-09-06 23:34 . 2008-09-06 23:34 <DIR> d-------- C:\Documents and Settings\User\Application Data\IBPlugin
2008-09-06 20:19 . 2008-09-06 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-09-06 20:16 . 2008-09-06 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-09-06 20:13 . 2008-09-06 20:13 0 --ahs---- C:\WINDOWS\SC67AA1BE.tmp
2008-09-06 19:46 . 2008-09-19 21:30 <DIR> d-------- C:\Program Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 19:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-18 21:30 --------- d-----w C:\Documents and Settings\User\Application Data\BitTorrent
2008-09-07 23:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-07 23:58 --------- d-----w C:\Program Files\DivX
2008-09-07 23:58 --------- d-----w C:\Program Files\Dell
2008-09-06 23:11 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-08-30 11:45 98,304 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-08-30 11:45 3,750,912 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-08-27 13:49 1,061,888 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-22 23:28 --------- d-----w C:\Program Files\Apple Software Update
2008-08-22 23:23 --------- d-----w C:\Program Files\iTunes
2008-08-22 23:23 --------- d-----w C:\Program Files\iPod
2008-08-22 23:21 --------- d-----w C:\Program Files\QuickTime Alternative
2008-08-22 22:55 --------- d-----w C:\Program Files\Safari
2008-08-18 20:18 16,426 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
2008-08-09 23:37 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-09 21:54 --------- d-----w C:\Documents and Settings\User\Application Data\Lionhead Studios
2008-08-09 21:47 --------- d-----w C:\Documents and Settings\User\Application Data\Corel
2008-08-05 10:56 17,648,593 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-16 15:16 8 ----a-w C:\Documents and Settings\New User\Application Data\usb.dat.bin
2007-03-18 21:16 172 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2008-05-31 11:06 168 --sh--r C:\WINDOWS\system32\954E59C346.sys
2008-05-31 11:06 5,642 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-12 06:15 24,048,672 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-12 06:09 1,753,376 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-06 606208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-02 1234712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DIV3"= DivXc32.dll
"VIDC.DIV4"= DivXc32f.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"VIDC.MPG4"= msmpeg4.dll
"VIDC.MP42"= msmpeg4.dll
"VIDC.MP43"= msmpeg4.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Shopper Link System Tray App.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Shopper Link System Tray App.lnk
backup=C:\WINDOWS\pss\Start Shopper Link System Tray App.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 15:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 20:42 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-11-10 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 10:08 1347584 C:\WINDOWS\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 17:50 1603152 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 17:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 13:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2007-02-04 12:02 79400 C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 17:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-23 09:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"vsmon"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-24 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-24 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-24 76040]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 92550]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676d8930-235a-11dd-b922-00904b1218c0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-09-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0AB429C8-3ED2-4B84-9E42-B26E23E6A46E} - (no file)
BHO-{0D68B335-1F11-40A5-9D88-16A678B59E6F} - C:\WINDOWS\system32\geBqRhGA.dll
BHO-{135615B6-5B60-4BE4-9132-E79AC8DC9EEA} - (no file)
BHO-{1550FDFB-3AE5-46E5-974F-FCE61650459B} - (no file)
BHO-{2081622E-4336-4342-8BB4-8EC1B02D8847} - C:\WINDOWS\system32\urqNDVnn.dll
BHO-{20F74679-3A8D-4B39-A4ED-E6D497F65FE3} - (no file)
BHO-{3B1A967E-1B39-4F39-8AD4-805AB2062437} - (no file)
BHO-{405CD330-015D-494D-8A27-25AA5B567A6F} - (no file)
BHO-{68256422-DEFA-4B08-A406-4EE1CF59E3C6} - (no file)
BHO-{74276A48-6949-4858-9E53-7C26C291354D} - C:\WINDOWS\system32\geBrsQhe.dll
BHO-{85F6E67B-A86D-4FC0-8E66-8E75628DE9B6} - (no file)
BHO-{8B8AE999-1246-4536-B7B7-C542BD77D0D1} - C:\WINDOWS\system32\byXNfCSl.dll
BHO-{A83A596F-8AA2-4240-A6C9-6D0AC1D3D331} - (no file)
BHO-{AD37559C-9AB1-4064-850C-2B35BA955496} - (no file)
BHO-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\geBtQkHY.dll
BHO-{BEA98502-5DB6-4A08-A274-0C97C2F1B04E} - (no file)
BHO-{C1FAE180-B6D1-461F-95A0-64D5159C83B8} - C:\WINDOWS\system32\opnopQgh.dll
BHO-{D1AFAD1F-2378-4ACC-BE69-2E2A7610065F} - C:\WINDOWS\system32\mlJAsPjk.dll
BHO-{DEA54972-1A0C-47C7-BDBF-D40CCD229C75} - (no file)
BHO-{DF412788-9A9D-41B2-9B58-B3150D8FA54B} - C:\WINDOWS\system32\mlJBSlJA.dll
BHO-{E9DE4218-5D73-4E7C-B484-F60414C919A6} - (no file)
BHO-{f120d22f-1e4e-4164-8611-0e93a05a7c59} - (no file)
BHO-{F8A187BE-EFCF-44A4-BA9D-5FA1D8B0ADE1} - (no file)
HKLM-Run-BM4fb8c94b - C:\WINDOWS\system32\ypsveurk.dll
HKLM-Run-4c8bfad7 - C:\WINDOWS\system32\naqtubbs.dll
ShellExecuteHooks-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\geBtQkHY.dll
Notify-byxwttt - byxwttt.dll
MSConfigStartUp-4c8bfad7 - C:\WINDOWS\system32\rydbxqac.dll
MSConfigStartUp-4oD - C:\Program Files\Kontiki\KHost.exe
MSConfigStartUp-Aim6 - C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-AnyDVD - C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
MSConfigStartUp-avgnt - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-BitTorrent DNA - C:\Program Files\DNA\btdna.exe
MSConfigStartUp-BM4fb8c94b - C:\WINDOWS\system32\xdlbvhhh.dll
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1175102144\ee\AOLSoftware.exe
MSConfigStartUp-IPHSend - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-kdx - C:\Program Files\Kontiki\KHost.exe
MSConfigStartUp-NeroCheck - C:\WINDOWS\system32\\NeroCheck.exe
MSConfigStartUp-{BF-FA-A7-78-DW} - C:\windows\system32\dwwnw64r.exe
MSConfigStartUp-adiras - adiras.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\soy1aphx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 21:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-06 21:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 20:22:07

Pre-Run: 21,635,985,408 bytes free
Post-Run: 21,871,755,264 bytes free

316 --- E O F --- 2008-08-22 19:52:04




HijackThis-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:38, on 06/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6583 bytes
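The ComboFix orphan list and the HijackThis log above are the kind of output a helper reads by eye, picking out entries with no backing file, DLLs in system32 with random-looking names, a DLL referenced by bare name only, and an ActiveX download from a bare IP address. The Python script below is an added example, not part of this thread and not code from ComboFix or HijackThis: it parses the two line formats visible in the logs above and lists such entries for review. The sample lines are copied from the logs in this thread; the heuristics in `judge()` are assumptions about what deserves a second look, not verdicts, and a legitimate 8-letter DLL in system32 would be flagged too.

```python
"""Triage helper for ComboFix "ORPHANS REMOVED" lines and HijackThis O-lines.

Added example; not part of the thread or of either tool.  The line formats
are those visible in the logs; the heuristics are assumptions that mirror
what a helper checks by eye, so every finding still needs analyst confirmation.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample lines constructed from the logs posted in this thread.
SAMPLE_LINES = [
    r"BHO-{0AB429C8-3ED2-4B84-9E42-B26E23E6A46E} - (no file)",
    r"BHO-{0D68B335-1F11-40A5-9D88-16A678B59E6F} - C:\WINDOWS\system32\geBqRhGA.dll",
    r"BHO-{8B8AE999-1246-4536-B7B7-C542BD77D0D1} - C:\WINDOWS\system32\byXNfCSl.dll",
    r"HKLM-Run-BM4fb8c94b - C:\WINDOWS\system32\ypsveurk.dll",
    r"Notify-byxwttt - byxwttt.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL",
    r"O16 - DPF: GenealogyBrowser.Cab - http://209.90.101.200/cabs/zinst.cab",
    r"O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab",
]


@dataclass
class Finding:
    line: str
    target: str
    reason: str


# ComboFix orphan lines: "<kind>-<key> - <target>"
COMBOFIX_RE = re.compile(
    r"^(?P<kind>BHO|HKLM-Run|ShellExecuteHooks|Notify|MSConfigStartUp)-(?P<key>.+?) - (?P<target>.+)$"
)
# HijackThis lines: "O<n> - <section>: ... - <target>"; the target is the last " - " field.
HJT_RE = re.compile(r"^O(?P<num>\d+) - (?P<rest>.+)$")
# A file sitting directly in %SystemRoot%\system32 (no subdirectory).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Heuristic (assumption): an 8-letter purely alphabetic DLL stem, as in the orphan list above.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def parse_target(line: str):
    """Return (source, target) for a loading-point line, or None for anything else."""
    m = COMBOFIX_RE.match(line)
    if m:
        return "combofix", m.group("target").strip()
    m = HJT_RE.match(line)
    # Sections whose last field names a file or URL (O2 BHO, O4 Run, O16 DPF, O20 Winlogon, O23 Service).
    if m and m.group("num") in {"2", "4", "16", "20", "23"}:
        return "hijackthis", m.group("rest").rsplit(" - ", 1)[-1].strip()
    return None


def judge(target: str):
    """Return a review reason for the target, or None.  All rules are heuristics."""
    if target == "(no file)":
        return "registry entry with no backing file (dangling CLSID)"
    if target.lower().startswith(("http://", "https://")):
        host = urlparse(target).hostname or ""
        try:
            ip_address(host)
        except ValueError:
            return None  # hostname, not a bare IP address
        return "ActiveX download from a bare IP address"
    if "\\" not in target and target.lower().endswith(".dll"):
        return "bare DLL name resolved via the search path"
    m = SYSTEM32_RE.match(target)
    if m and RANDOM_STEM_RE.match(m.group("name")):
        return "8-letter DLL directly in system32 (random-looking name; confirm by hand)"
    return None


def triage(lines):
    """Parse each line and collect the ones a helper should look at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        parsed = parse_target(line)
        if parsed is None:
            continue
        _, target = parsed
        reason = judge(target)
        if reason:
            findings.append(Finding(line, target, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full log, the script only narrows the list; the helper's script above still decides what is removed, and entries such as the Java and AVG BHOs pass through untouched because they live outside system32 under a vendor path.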

#9 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 07 October 2008 - 12:14 PM

Hello power,

(dragging and dropping the Recovery Console icon onto the Combofix icon on the desktop) it doesn't install the Recovery Console- instead it just starts up Combofix.

So you don't get a message asking if you want to install it?
When you tried, did Combofix start running and you stopped it?

Posted Image

Please retry and if you get the screen like my image above, which says Yes or No, just click No.

If Recovery Console is installed I will know from Combofix report.

If you don't get that screen let Combofix run, and keep the report.
I might need it later.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\SC67AA1BE.tmp
    
    Folder::
    C:\WINDOWS\system32\yb
    C:\WINDOWS\system32\xde
    C:\WINDOWS\system32\wTR02
    C:\WINDOWS\system32\itv
    C:\WINDOWS\system32\cs
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Shopper Link System Tray App.lnk
    C:\WINDOWS\pss\Start Shopper Link System Tray App.lnkCommon Startup
    C:\Documents and Settings\User\Start Menu\Programs\Startup\DW_Start.lnk
    C:\Documents and Settings\User\Start Menu\Programs\Startup\DW_Start.lnk
    C:\WINDOWS\pss\DW_Start.lnkStartup
    
    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Shopper Link System Tray App.lnk]
    [-HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^DW_Start.lnk]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
Let me know how the pc behaves.
Private Messages for personal support will be ignored. If you need help post in the forum.

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 13 October 2008 - 10:55 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Private Messages for personal support will be ignored. If you need help post in the forum.



