Automatic Updates Disabled and Browser automatically launching


  • This topic is locked
26 replies to this topic

#1 Hart111 (Members, 15 posts)

Posted 11 October 2008 - 03:16 AM

Hi. Please could someone offer me some support with a malware infection. My Windows Automatic Updates are automatically disabled (even if I reset) and my Firefox browser keeps launching new instances and loading web pages of its own choosing.

I found this topic in the forum which seems to have similar symptoms, so I have followed the recommended steps to create an OTScanIt report which I will attach. I have not yet attempted any fix to the problem other than running my version of Norton Internet Security 2009 which can't find a thing.

Please could someone offer some assistance? Many thanks.

Attached Files




#2 Hart111 (Topic Starter, Members, 15 posts)

Posted 11 October 2008 - 04:08 PM

Oops - re-read the entire forum guidelines and have now undergone a quite extensive set of procedures before generating this Hijack file.

Windows Automated Updates are disabled and keep being disabled even if I try to reactivate them. Also my browser keeps generating new instances and loading unrequired websites.

Any chance someone could offer me some support?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:00, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon Hart\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R240 Series on GlenysLaptop] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" /P51 "Auto EPSON Stylus Photo R240 Series on GlenysLaptop" /O27 "\\GLENYSLAPTOP\EPSONStylu~2" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [2c61de00] rundll32.exe "C:\WINDOWS\system32\ncgkfigh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O20 - AppInit_DLLs: yxxunf.dll
O21 - SSODL: SmartWin - {6AFD0C9C-A9C7-3A8F-B982-04F568E80ED5} - C:\Program Files\atllizf\SmartWin.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6790 bytes

Edited by Orange Blossom, 11 October 2008 - 08:50 PM.
Merged topics. ~ OB


#3 Hart111 (Topic Starter, Members, 15 posts)

Posted 12 October 2008 - 02:39 PM

Disturbingly I have just noticed that the browser windows that are popping up are related to terms that I have posted in websites I am using. e.g. If I type in "Batman" in the BBC iPlayer search field, a pop up window appears with ebay content relating to Batman. Not sure if this helps in any way?

#4 Hart111 (Topic Starter, Members, 15 posts)

Posted 14 October 2008 - 05:48 PM

On a hunch I decided to uninstall Internet Explorer and Firefox using System Mechanic to get rid of any associated registry files. On rebooting, although the automatic updates were disabled, I was able to temporarily re-enable them via the MSFT security centre interface. After about 2 seconds however it disabled itself again. :-(

#5 chryssi2001 (Members, 1,930 posts)

Posted 18 October 2008 - 03:05 PM

Hello Hart111,

I apologise for the delay, the forum is busy.

If you still need help, post a new HijackThis log following my instructions below.
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Documents and Settings\Simon Hart\Desktop\hijackthis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.

Please do not use System Mechanic as you might do more harm than good on your pc.
Private Messages for personal support will be ignored. If you need help post in the forum.

#6 Hart111 (Topic Starter, Members, 15 posts)

Posted 22 October 2008 - 05:33 AM

Thanks for your help (and sorry for my delay - my wife had a baby on the 18th and haven't re-checked the forum for a few days).
Have removed System Mechanic as per your suggestion.

Attached File: hijackthis.log (8.85KB)

#7 chryssi2001 (Members, 1,930 posts)

Posted 22 October 2008 - 06:46 AM

Hello Hart111,

Wishes from me for the new baby! :thumbsup:

Can you please post your HijackThis log properly and not as an attachment?
Do not post attachments unless I ask you to. It makes my work harder.

Thank you

#8 Hart111 (Topic Starter, Members, 15 posts)

Posted 22 October 2008 - 01:27 PM

:-) thanks - a girl. Here is the Hijack Log . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:22, on 22/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Applications\iebtm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Applications\iebtmm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon Hart\Desktop\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09EFA143-5421-4337-A9C6-7982559D5F08} - C:\WINDOWS\system32\cbXPhHww.dll
O2 - BHO: (no name) - {4DB79F35-BFE4-43C4-AB98-F1677A8360EF} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {573E333C-F3F0-4AE5-9F5C-953DA969397B} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: {0c25f388-a175-a058-ee24-1af0a1b5f827} - {728f5b1a-0fa1-42ee-850a-571a883f52c0} - C:\WINDOWS\system32\mngpxb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {998DAE3E-7D4F-4952-A71F-467D8FE64407} - C:\WINDOWS\system32\hgGYRLDW.dll
O2 - BHO: (no name) - {BE1A344F-9FF5-4024-949B-52205E6DB2D0} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O3 - Toolbar: Internet Service - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R240 Series on GlenysLaptop] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" /P51 "Auto EPSON Stylus Photo R240 Series on GlenysLaptop" /O27 "\\GLENYSLAPTOP\EPSONStylu~2" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [2c61de00] rundll32.exe "C:\WINDOWS\system32\habxoyaq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.howtoiexplorer.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.howtoiexplorer.com/redirect.php (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O20 - AppInit_DLLs: weqxao.dll mngpxb.dll
O20 - Winlogon Notify: gtipod - gtipod32.dll (file missing)
O20 - Winlogon Notify: hgGYRLDW - C:\WINDOWS\SYSTEM32\hgGYRLDW.dll
O21 - SSODL: SmartWin - {6AFD0C9C-A9C7-3A8F-B982-04F568E80ED5} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9065 bytes
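Added example, not from the thread or from the HijackThis tool: a small Python triage script that parses HijackThis entry lines like the ones above and flags the patterns the helper acts on (random hex Run values loading a DLL through rundll32, unnamed BHOs backed by random-looking DLLs, AppInit_DLLs and Winlogon Notify hooks, Policies\Explorer\Run autostarts, and entries whose file is already gone). The rule names, the `looks_random` heuristic and its thresholds are this example's own assumptions.

```python
"""Triage helper for HijackThis v2 log entries.

Added example, not part of the original thread or of the HijackThis tool.
It parses entry lines (R0/R1, O2, O3, O4, O20, O21, O23, ...) into records
and applies defender-side heuristics for the patterns visible in the logs
posted in the thread.  All rule names and thresholds are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: entry lines copied from the second log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09EFA143-5421-4337-A9C6-7982559D5F08} - C:\WINDOWS\system32\cbXPhHww.dll
O2 - BHO: (no name) - {4DB79F35-BFE4-43C4-AB98-F1677A8360EF} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [2c61de00] rundll32.exe "C:\WINDOWS\system32\habxoyaq.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O20 - AppInit_DLLs: weqxao.dll mngpxb.dll
O20 - Winlogon Notify: gtipod - gtipod32.dll (file missing)
O20 - Winlogon Notify: hgGYRLDW - C:\WINDOWS\SYSTEM32\hgGYRLDW.dll
O21 - SSODL: SmartWin - {6AFD0C9C-A9C7-3A8F-B982-04F568E80ED5} - (no file)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  kind="O4", body="HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Run value names that are just eight hex digits, e.g. [2c61de00]
HEX_NAME_RE = re.compile(r"\[(?P<name>[0-9a-fA-F]{8})\]")
# First DLL file name in the line, stem captured separately
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                     # HijackThis section, e.g. "O2", "O20"
    body: str                     # everything after "Oxx - "
    flags: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): a 6-8 letter stem with no
    vowels, or with upper and lower case mixed inside the word
    (cbXPhHww, hgGYRLDW, mngpxb).  Kept narrow to limit false positives."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    inner = stem[1:]
    mixed = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    no_vowels = not any(c in "aeiouAEIOU" for c in stem)
    return mixed or no_vowels


def triage(entry: Entry) -> Entry:
    """Attach a human-readable flag for every heuristic the entry trips."""
    body = entry.body
    if "(no file)" in body or "(file missing)" in body:
        entry.flags.append("orphaned entry: the referenced file no longer exists")
    if entry.kind == "O4":
        m = HEX_NAME_RE.search(body)
        if m and "rundll32" in body.lower():
            entry.flags.append(
                f"Run value [{m.group('name')}] is a random hex name loading a DLL via rundll32")
        if "\\Policies\\Explorer\\Run" in body:
            entry.flags.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    if entry.kind == "O2" and "(no name)" in body:
        m = DLL_RE.search(body)
        if m and looks_random(m.group(1)):
            entry.flags.append(f"unnamed BHO backed by random-looking DLL {m.group(0)}")
    if entry.kind == "O20":
        if body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                entry.flags.append(
                    "AppInit_DLLs injects " + ", ".join(dlls) + " into every process that loads user32.dll")
        elif body.startswith("Winlogon Notify:"):
            m = DLL_RE.search(body)
            if m and looks_random(m.group(1)):
                entry.flags.append(f"Winlogon Notify hook into random-looking DLL {m.group(0)}")
    return entry


def parse_log(text: str) -> list[Entry]:
    """Parse every HijackThis entry line in `text`; header/process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(triage(Entry(m.group("kind"), m.group("body"))))
    return entries


def suspicious(text: str) -> list[Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind} - {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```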

#9 chryssi2001 (Members, 1,930 posts)

Posted 23 October 2008 - 06:37 AM

Hello Hart111,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
----------------------------------------------
Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a HijackThis log so we can continue cleaning the system.
----------------------------------------------
Post back:
SDfix report.
Combofix report.
A new HijackThis log.

#10 Hart111 (Topic Starter, Members, 15 posts)

Posted 23 October 2008 - 05:19 PM

Ok . . . I followed the instructions. And attach the reports below.

I should point out that I did get an error message which read as follows. In the Find3M window the message "Preparing the log report. Do not run and programs until ComboFix has finished. Access is denied. Access is denied. SED: can't read temp00: permission denied. Access is denied. SED: can't read temp0C: permission denied." Then in a separate window entitled Registry Editor: "Cannot export RegRuns00: Error getting the file. There may be a disk or file system error." I then clicked OK and the ComboFix log file report was generated.

================================================================

SDFix: Version 1.237
Run by Simon Hart on 23/10/2008 at 20:27

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\hgGYRLDW.dll - Deleted
C:\Documents and Settings\Simon Hart\Application Data\Rapid Antivirus\Rapid Antivirus.ini - Deleted
C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url - Deleted
C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url - Deleted
C:\Documents and Settings\Simon Hart\Favorites\Antivirus Scan.url - Deleted
C:\Documents and Settings\Simon Hart\My Documents\My Documents.url - Deleted
C:\Documents and Settings\Simon Hart\My Documents\My Music\My Music.url - Deleted
C:\Documents and Settings\Simon Hart\My Documents\My Pictures\My Pictures.url - Deleted
C:\Documents and Settings\Simon Hart\My Documents\My Videos\My Video.url - Deleted
C:\Program Files\Applications\iebr.dll - Deleted
C:\Program Files\Applications\iebt.dll - Deleted
C:\Program Files\Applications\iebtm.exe - Deleted
C:\Program Files\Applications\iebtmm.exe - Deleted
C:\Program Files\Applications\iebtu.exe - Deleted
C:\Program Files\Applications\iebu.exe - Deleted
C:\Program Files\Applications\myd.ico - Deleted
C:\Program Files\Applications\mym.ico - Deleted
C:\Program Files\Applications\myp.ico - Deleted
C:\Program Files\Applications\myv.ico - Deleted
C:\Program Files\Applications\ot.ico - Deleted
C:\Program Files\Applications\ts.ico - Deleted
C:\Program Files\Applications\wcu.exe - Deleted



Folder C:\Documents and Settings\Simon Hart\Application Data\Rapid Antivirus - Removed
Folder C:\Program Files\Applications - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:43:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 12 Oct 2008 120 ..SH. --- "C:\WINDOWS\system32\exkhjvpw.tmp"
Mon 13 Oct 2008 120 ..SH. --- "C:\WINDOWS\system32\ynabqxng.tmp"

Finished!

================================================================================

ComboFix Report

ComboFix 08-10-23.01 - Simon Hart 2008-10-23 21:14:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1350 [GMT 1:00]
Running from: C:\Documents and Settings\Simon Hart\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\arluadge.ini
C:\WINDOWS\system32\awttssRH.dll
C:\WINDOWS\system32\bbababfp.ini
C:\WINDOWS\system32\cjuipn.dll
C:\WINDOWS\system32\exkhjvpw.ini2
C:\WINDOWS\system32\exkhjvpw.tmp
C:\WINDOWS\system32\flbrxvxs.ini
C:\WINDOWS\system32\fuifrtij.dll
C:\WINDOWS\system32\geBrqrsT.dll
C:\WINDOWS\system32\glntdend.ini
C:\WINDOWS\system32\gnxqbany.dll
C:\WINDOWS\system32\gpjksjyg.dll
C:\WINDOWS\system32\hgifkgcn.ini
C:\WINDOWS\system32\hymdqj.dll
C:\WINDOWS\system32\iifdDSlI.dll
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\nyivlmcq.dll
C:\WINDOWS\system32\obthcctu.dll
C:\WINDOWS\system32\pfbababb.dll
C:\WINDOWS\system32\pnqajvqj.dll
C:\WINDOWS\system32\qayoxbah.ini
C:\WINDOWS\system32\qcmlviyn.ini
C:\WINDOWS\system32\ricooidh.dll
C:\WINDOWS\system32\wpvjhkxe.dll
C:\WINDOWS\system32\wwHhPXbc.ini
C:\WINDOWS\system32\wwHhPXbc.ini2
C:\WINDOWS\system32\xjweihdp.ini
C:\WINDOWS\system32\xymybhkp.ini
C:\WINDOWS\system32\ynabqxng.ini
C:\WINDOWS\system32\ynabqxng.ini2
C:\WINDOWS\system32\ynabqxng.tmp
C:\WINDOWS\system32\yniciv.dll
C:\WINDOWS\system32\yxxunf.dll
C:\WINDOWS\system32\zbqnlq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-10-23 21:13 . 2008-10-23 21:14 <DIR> drahs---- C:\cmdcons
2008-10-23 21:10 . 2008-10-23 21:23 <DIR> d-------- C:\Qoobox
2008-10-23 21:10 . 2008-10-23 21:25 <DIR> d-------- C:\ComboFix
2008-10-23 20:37 . 2,137,509,888 C:\hiberfil.sys
2008-10-23 20:07 . 2008-10-23 20:07 74,752 --a------ C:\WINDOWS\system32\egdaulra.dll
2008-10-22 10:46 . 2008-10-22 10:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-22 10:46 . 2008-10-22 10:46 <DIR> d-------- C:\Program Files\Texas Instruments Inc
2008-10-15 00:03 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-14 23:17 . 2004-08-04 14:00 40,960 --a------ C:\WINDOWS\system32\dllcache\trialoc.dll
2008-10-14 23:17 . 2004-08-04 14:00 16,384 --a------ C:\WINDOWS\system32\dllcache\isignup.exe
2008-10-14 09:06 . 2008-10-14 09:06 <DIR> d-------- C:\fsaua.data
2008-10-14 09:06 . 2008-10-14 09:06 <DIR> d-------- C:\fsaua.data
2008-10-13 23:05 . 2008-10-13 23:05 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-10-13 23:05 . 2008-10-13 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-10-13 22:43 . 2008-10-13 22:43 109,568 --a------ C:\WINDOWS\system32\weqxao.dll
2008-10-13 22:43 . 2008-10-13 22:43 109,568 --a------ C:\WINDOWS\system32\hrwapbqh.dll
2008-10-13 00:02 . 2008-10-13 00:01 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-10-13 00:01 . 2008-10-13 00:02 <DIR> d-------- C:\Program Files\Symantec
2008-10-13 00:01 . 2008-10-13 00:01 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-13 00:01 . 2008-10-13 00:01 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-13 00:01 . 2008-10-13 00:01 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-13 00:01 . 2008-10-13 00:01 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-13 00:00 . 2008-10-13 00:00 <DIR> d-------- C:\WINDOWS\system32\drivers\NIS
2008-10-13 00:00 . 2008-10-13 00:00 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-13 00:00 . 2008-10-13 00:00 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-10-12 23:59 . 2008-10-12 23:59 <DIR> d-------- C:\Program Files\NortonInstaller
2008-10-12 23:42 . 2008-10-12 23:42 <DIR> d-------- C:\Documents and Settings\Simon Hart\Application Data\install_4876_MHw0MXwxMDAwMDAwMDAwfHx8fHx8fHw_[3]
2008-10-11 23:00 . 2008-10-11 23:00 95 --a------ C:\WINDOWS\wininit.ini
2008-10-11 20:15 . 2008-10-11 20:38 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-11 20:13 . 2008-10-11 20:39 <DIR> d-------- C:\Documents and Settings\Simon Hart\.housecall6.6
2008-10-11 20:06 . 2008-10-11 20:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-11 18:08 . 2008-10-11 18:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-11 18:08 . 2008-10-11 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 14:49 . 2008-10-11 14:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-11 14:49 . 2008-10-11 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-11 14:48 . 2008-10-11 14:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-10 23:38 . 2008-10-10 23:39 268,288 --a------ C:\WINDOWS\system32\cbXPhHww.dll
2008-10-10 22:57 . 2008-10-10 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-09-28 00:09 . 2008-09-28 00:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-26 23:54 . 2008-09-26 23:54 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-09-26 23:51 . 2008-09-26 23:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-26 23:51 . 2008-10-23 20:46 <DIR> d-------- C:\SDFix
2008-09-26 23:51 . 2008-10-23 20:46 <DIR> d-------- C:\SDFix
2008-09-25 20:28 . 2008-09-25 20:28 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-25 20:17 . 2008-09-25 21:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-25 11:28 . 2008-09-25 11:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt
2008-09-24 20:05 . 2008-09-24 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WebRoot
2008-09-23 01:00 . 2008-09-23 01:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-09-23 00:50 . 2008-10-11 19:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-09-23 00:47 . 2008-09-23 00:47 <DIR> d-------- C:\Program Files\Webroot
2008-09-23 00:46 . 2008-09-23 00:46 164 --a------ C:\install.dat
2008-09-23 00:46 . 2008-09-23 00:46 164 --a------ C:\install.dat
2008-09-23 00:37 . 2008-09-23 00:37 <DIR> d-------- C:\WINDOWS\LMI419.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 21:14 --------- d-----w C:\Documents and Settings\Simon Hart\Application Data\AdobeUM
2008-10-22 10:19 --------- d-----w C:\Program Files\iolo
2008-10-22 09:59 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-10-22 09:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-14 23:03 --------- d-----w C:\Program Files\Java
2008-10-14 11:39 --------- d-----w C:\Program Files\atllizf
2008-10-12 23:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-12 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2008-10-10 21:37 --------- d-----w C:\Program Files\Apoint2K
2008-10-10 20:40 --------- d-----w C:\Program Files\Easy Internet signup
2008-09-26 07:52 --------- d-----w C:\Documents and Settings\Simon Hart\Application Data\Skype
2008-09-24 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-22 22:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-21 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\cxevsbyj
2008-09-21 22:44 32,256 ----a-w C:\WINDOWS\system32\drivers\ati6wexx.sys
2008-09-21 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-21 21:52 --------- d-----w C:\Program Files\Norton AntiVirus
2008-09-21 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCSettings
2008-09-20 18:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-20 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-12 06:22 --------- d-----w C:\Documents and Settings\Simon Hart\Application Data\U3
2008-09-02 17:05 --------- d-----w C:\Documents and Settings\Simon Hart\Application Data\HP
2008-08-28 23:08 --------- d-----w C:\Documents and Settings\Simon Hart\Application Data\Image Zone Express
2004-11-05 13:31 1,597,440 ----a-w C:\Documents and Settings\Simon Hart\Application Data\SecureTraveler.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE03BF9F-4EBC-4435-BECD-07AF05BE4982}]
2008-10-10 23:39 268288 --a------ C:\WINDOWS\system32\cbXPhHww.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"Auto EPSON Stylus Photo R240 Series on GlenysLaptop"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" [2005-04-25 98304]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-01 290816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=weqxao.dll yniciv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6wexx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-06-04 13:38 286720 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-05-29 21:02 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-10-13 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-10-13 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-10-13 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081015.001\IDSxpx86.sys [2008-10-13 274808]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll [ ]
S0 ati6wexx;ati6wexx;C:\WINDOWS\system32\Drivers\ati6wexx.sys [2008-09-21 32256]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\SIMONH~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ed5bc20-8092-11dd-b9db-0012f0418172}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ed5bc21-8092-11dd-b9db-0012f0418172}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ada6675a-e16e-11d9-b820-0012f0418172}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3d37ea6-0bb8-11dc-b959-0012f0418172}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3d37ea7-0bb8-11dc-b959-0012f0418172}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dec4b56c-7a5f-11dc-b973-0012f0418172}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4DB79F35-BFE4-43C4-AB98-F1677A8360EF} - (no file)
BHO-{573E333C-F3F0-4AE5-9F5C-953DA969397B} - (no file)
BHO-{9828275b-b124-4a3d-a95a-91ad840d9129} - C:\WINDOWS\system32\yniciv.dll
SSODL-SmartWin-{6AFD0C9C-A9C7-3A8F-B982-04F568E80ED5} - (no file)
Notify-gtipod - gtipod32.dll
MSConfigStartUp-SystemGuardAlerter - C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Simon Hart\Application Data\Mozilla\Firefox\Profiles\7uveaj7u.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.bbc.co.uk
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 21:23:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-10-23 23:01:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-23 22:01:41

Pre-Run: 51,375,190,016 bytes free
Post-Run: 51,138,404,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

287 --- E O F --- 2008-10-10 18:17:07
===========================================================================

HiJack Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:48, on 23/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Simon Hart\Desktop\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: (no name) - {0706EF5B-2D18-4B85-BBC3-9200A57C9E16} - C:\WINDOWS\system32\cbXPhHww.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {22e1fec4-5abc-ae9a-7b24-c2c93ed86efc} - {cfe68de3-9c2c-42b7-a9ea-cba54cef1e22} - C:\WINDOWS\system32\gnwdud.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R240 Series on GlenysLaptop] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" /P51 "Auto EPSON Stylus Photo R240 Series on GlenysLaptop" /O27 "\\GLENYSLAPTOP\EPSONStylu~2" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O20 - AppInit_DLLs: weqxao.dll yniciv.dll gnwdud.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7461 bytes
========================================================


Many thanks

#11 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:06:16 AM

Posted 24 October 2008 - 06:55 AM

Hello Hart111,

Before we move on, I need some information from you.

Did you ever have CounterSpy by Sunbelt installed on this PC, and is it uninstalled now?
I see some remnants, so if you don't have the program anymore (as I can't see it) I will remove the remnants.
----------------------------------------------
*here

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\system32\drivers\ati6wexx.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
Also, tell me: what is your F: drive?

Is it a USB drive?

If yes, I want you to upload this file to Jotti in the same way I explained in my first post.
To do so, you have to plug the USB drive into the PC.
Then go to Jotti and follow the instructions I posted *here, but for this file.

F:\system.exe
----------------------------------------------
Post back the Jotti results and the information about CounterSpy.
Avoid using this PC on the internet too much until we clean it.
Please do not use this PC much online until we get it clean.
Just enough to carry out the necessary steps.
Private Messages for personal support will be ignored. If you need help post in the forum.

#12 Hart111

Hart111
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:16 AM

Posted 24 October 2008 - 03:58 PM

Hi.

1. The F Drive. This is an external hard drive of my father's (it is his machine) that he uses to back up personal files. He'll bring it round tomorrow and I'll upload the system.exe and report.

2. CounterSpy. Think I might have used it in the past to try and remove a virus. Not currently installed.

3. ATI6WEXX.SYS Report

File: ati6wexx.sys
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d81019b0dcb55c636b9520e979e8b63b
Packers detected:
-
Scanner results
Scan taken on 24 Oct 2008 20:37:53 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Other:Malware-gen
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found Vundo.EQJ
Panda Antivirus
Found Generic
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Statistics
Last file scanned at least one scanner reported something about: encrypted.exe (MD5: f09722a1161a5ee11db00d61c3616ce8, size: 223751 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir DR/Delphi.Gen
ArcaVir Trojan.Buzus.Aaup
Avast X
AVG Antivirus X
BitDefender Backdoor.IRCBot.ACKK
ClamAV Trojan.IRCBot-3063
CPsecure X
Dr.Web Trojan.MulDrop.19497
F-Prot Antivirus W32/Backdoor2.CVKP
F-Secure Anti-Virus Trojan.Win32.Buzus.aaup
G DATA X
Ikarus BehavesLike.Win32.ProcessHijack
Kaspersky Anti-Virus Trojan.Win32.Buzus.aaup
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Trojan.Win32.Buzus.aaup

#13 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:06:16 AM

Posted 25 October 2008 - 02:11 AM

Hello Hart111,

1. The F Drive. This is an external hard drive of my father's (it is his machine) that he uses to back up personal files. He'll bring it round tomorrow and I'll upload the system.exe and report.

I will remove all the points your father's hard drive uses to connect with your PC, just in case they are bad.
If your father has another PC, can he upload the file and not attempt to connect the external HDD to your PC until we know the results, please? The results can be saved in Notepad and posted here; they can be transferred to your PC with a USB stick.
Let me know and I will tell you what to do as I see the results.

2. CounterSpy. Think I might have used it in the past to try and remove a virus. Not currently installed.

OK, we'll remove the remnants.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop << If the URL is not the provider of your computer or your ISP fix this line.


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/173768/automatic-updates-disabled-and-browser-automatically-launching/?p=984803
    
    Collect::
    C:\WINDOWS\system32\egdaulra.dll
    C:\WINDOWS\system32\weqxao.dll
    C:\WINDOWS\system32\hrwapbqh.dll
    C:\WINDOWS\system32\cbXPhHww.dll
    C:\WINDOWS\system32\drivers\ati6wexx.sys
    
    File::
    C:\WINDOWS\system32\drivers\SBREdrv.sys
    F:\system.exe
    
    Folder::
    C:\Documents and Settings\Simon Hart\Application Data\install_4876_MHw0MXwxMDAwMDAwMDAwfHx8fHx8fHw_[3]
    C:\WINDOWS\LMI419.tmp
    C:\Program Files\atllizf
    C:\Documents and Settings\All Users\Application Data\cxevsbyj
    C:\Documents and Settings\Administrator\Application Data\Sunbelt
    
    Driver::
    ati6wexx
    SBRE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE03BF9F-4EBC-4435-BECD-07AF05BE4982}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6wexx.sys]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ed5bc21-8092-11dd-b9db-0012f0418172}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ada6675a-e16e-11d9-b820-0012f0418172}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3d37ea6-0bb8-11dc-b959-0012f0418172}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3d37ea7-0bb8-11dc-b959-0012f0418172}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.
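A CFScript like the one above is a plain-text list of actions that ComboFix carries out on the machine, so it is worth being able to read one back before running it. The parser below is an added example, not ComboFix's own code or anything from this thread: it splits a script into its `Name::` sections, reads the `Registry::` section (a `[-key]` line requests deletion of the key, a `[key]` line followed by `"name"=value` lines sets values under it) and counts what the script will do. The section names and the bracket notation are taken from the script in the post; the interpretation of each section (Collect submits files for analysis, File and Folder delete, Driver removes the named driver service) follows ComboFix's documented script syntax. The sample script embedded below is constructed for illustration and uses placeholder paths.

```python
"""Summarise the actions requested by a ComboFix CFScript.

Added example; the sample script below is constructed and its paths are
placeholders, not the ones from the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the script posted above.
SAMPLE_CFSCRIPT = """\
http://example.invalid/forum/thread/placeholder

Collect::
C:\\WINDOWS\\system32\\sample_a.dll
C:\\WINDOWS\\system32\\drivers\\sample_b.sys

File::
F:\\sample.exe

Folder::
C:\\Program Files\\sample_dir

Driver::
sample_b

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=""
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "Collect::"
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")     # "[-key]" -> delete the key
KEY_RE = re.compile(r"^\[(.+)\]$")             # "[key]"  -> operate on the key
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')     # "name"=value under the last key


@dataclass
class RegistryAction:
    key: str
    delete_key: bool
    values: dict = field(default_factory=dict)


def parse_cfscript(text):
    """Return {section_name: [lines]} for every 'Name::' section in the script."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            # Text before the first section (the thread URL) is not an action.
            continue
        sections[current].append(line)
    return sections


def parse_registry(lines):
    """Turn the Registry:: lines into RegistryAction objects."""
    actions = []
    for line in lines:
        m = DELETE_KEY_RE.match(line)
        if m:
            actions.append(RegistryAction(m.group(1), True))
            continue
        m = KEY_RE.match(line)
        if m:
            actions.append(RegistryAction(m.group(1), False))
            continue
        m = VALUE_RE.match(line)
        if m and actions:
            # A value line applies to the most recent key line.
            actions[-1].values[m.group(1)] = m.group(2).strip('"')
    return actions


def summarise(text):
    """Count the actions a script requests, so a reviewer can sanity-check it."""
    sections = parse_cfscript(text)
    reg = parse_registry(sections.get("Registry", []))
    return {
        "collect": len(sections.get("Collect", [])),
        "delete_files": len(sections.get("File", [])),
        "delete_folders": len(sections.get("Folder", [])),
        "remove_drivers": len(sections.get("Driver", [])),
        "registry_keys_deleted": sum(1 for a in reg if a.delete_key),
        "registry_values_set": sum(len(a.values) for a in reg),
    }


if __name__ == "__main__":
    for name, count in summarise(SAMPLE_CFSCRIPT).items():
        print(f"{name}: {count}")
```

Running it on the sample prints one line per action type; on a real script it gives a quick picture of how much the script will delete and which registry keys it touches before the file is dragged onto ComboFix.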

#14 Hart111

  • Topic Starter

Posted 25 October 2008 - 06:04 AM

Hi. I have followed the instructions below apart from the F Drive. The machine has rebooted and Windows Automatic Updates are working again! :thumbsup: Not sure about the browser pop-ups yet as I have not used the browser as per instructions other than to post this.

I left Combofix to run unattended, and when I returned to the machine there was no log file report? Perhaps this was because there was a report there from when we ran it before?? I have checked that it did not overwrite the old log file by looking at the time stamp on the file. Would you like me to re-run ComboFix to generate a new log?


Here at least is the HijackThis report . . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:05, on 25/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon Hart\Desktop\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R240 Series on GlenysLaptop] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" /P51 "Auto EPSON Stylus Photo R240 Series on GlenysLaptop" /O27 "\\GLENYSLAPTOP\EPSONStylu~2" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6855 bytes
================================================================================================

#15 Hart111

  • Topic Starter

Posted 25 October 2008 - 08:27 AM

Hi. I have just checked the Maxtor external hard drive and his SD card that he uses to get photos onto the computer. Neither has a file called System.exe on the root. The F drive maps dynamically so I can't tell which one was F anyway? I can't think of any other peripherals he might use which would classify as F? Perhaps his USB sticks?? Shall I check those??

Also of note, the issue of the browser spawning new instances seems to have been solved as well.

It seems as though everything is working properly now - but I guess the logs will show that best. Many thanks for all of your help - it is a constant amazement to me that forums like this exist - thank you!



