Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Is this WinXP still infected?

  • This topic is locked This topic is locked
2 replies to this topic

#1 vcpjulle


  • Members
  • 1 posts
  • Local time:12:41 AM

Posted 25 January 2009 - 05:31 AM

Hi forum. I've had the pleasure of following some of the Spyware/Malware removal guides on the site, but I'm not sure that everything is removed. Can you please run through this log file and tell me if I missed something? I've removed a Rootkit of some sort and a keylogger.
I've pasted the DDS.txt file and attached a ZIP file containing the Attach.txt file

Regards VCPJulle



DDS (Ver_09-01-19.01) - NTFSx86
Run by Peter Bonnesen at 11:21:49.53 on 2009-01-25
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.495.233 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\programmer\analog devices\soundmax\smax4pnp.exe
c:\programmer\hp\hp software update\hpwuschd2.exe
c:\programmer\fælles filer\microsoft shared\works shared\wkufind.exe
c:\programmer\hp\digital imaging\bin\hpqtra08.exe
c:\programmer\microsoft sql server\80\tools\binn\sqlmangr.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\documents and settings\peter bonnesen\skrivebord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jubii.dk/
mStart Page = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programmer\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmer\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\programmer\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\programmer\analog devices\soundmax\SMax4PNP.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\programmer\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\programmer\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Works Update Detection] c:\programmer\fælles filer\microsoft shared\works shared\WkUFind.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\adober~1.lnk - c:\programmer\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\hpdigi~1.lnk - c:\programmer\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\nkbmon~1.lnk - c:\programmer\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\servic~1.lnk - c:\programmer\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {33331111-1111-1111-1111-615111193427}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097609730468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227644768593
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
Notify: igfxcui - igfxsrvc.dll
STS: IPC Configuration Utility - No File

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-01-25 10:59 <DIR> --d----- c:\windows\system32\UAs
2009-01-25 10:53 161,792 a------- c:\windows\SWREG.exe
2009-01-25 10:53 98,816 a------- c:\windows\sed.exe
2009-01-25 10:53 <DIR> --d----- C:\ComboFix
2009-01-25 10:53 391,680 a------- c:\windows\system32\CF17950.exe
2009-01-25 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-25 10:43 <DIR> --d----- C:\f-downadup
2009-01-12 13:42 7,101,440 a----r-- c:\windows\system\pdfkit.dll
2009-01-12 13:42 143,360 a----r-- c:\windows\system\PDFSplitMerge.dll
2009-01-12 08:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-12 08:12 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-01-23 16:31 1,878 a------- c:\docume~1\peterb~1\applic~1\wklnhst.dat
2009-01-15 16:38 21,504 a------- c:\windows\system32\powrprof.dll
2009-01-15 16:38 846,848 a------- c:\windows\system32\wininet.dll
2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-02 20:55 428,894 a------- c:\windows\system32\perfh006.dat
2008-12-02 20:55 77,868 a------- c:\windows\system32\perfc006.dat
2008-12-02 20:38 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-20 16:58 16,824 a------- c:\docume~1\alluse~1\applic~1\koxyha.scr
2008-11-19 07:32 17,037 a------- c:\windows\tajexevy.dll
2008-11-19 07:32 15,164 a------- c:\programmer\fælles filer\hiqi.bin
2008-11-19 07:32 13,207 a------- c:\programmer\fælles filer\ylesyke.inf
2008-11-19 07:32 16,953 a------- c:\programmer\fælles filer\apef.com
2008-11-19 07:32 15,520 a------- c:\docume~1\alluse~1\applic~1\taro.exe
2008-11-19 07:32 14,601 a------- c:\docume~1\peterb~1\applic~1\zavysyci.pif
2008-11-19 07:32 12,482 a------- c:\programmer\fælles filer\qypyfilus.scr
2008-11-19 07:32 10,243 a------- c:\docume~1\alluse~1\applic~1\ohycakojy.reg
2008-06-21 13:48 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT

============= FINISH: 11:22:10.78 ===============

Attached Files

BC AdBot (Login to Remove)


#2 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:41 PM

Posted 07 February 2009 - 10:50 AM

Hello vcpjulle,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:41 PM

Posted 20 February 2009 - 12:36 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users