
Need help getting rid of TR\Vundo.Gen Trojan


  • This topic is locked
16 replies to this topic

#1 photolabgirl77


  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 31 January 2009 - 03:10 PM

I need help please. I have WinPatrol and AntiVir Guard.

AntiVir keeps popping up saying "C:\Windows\SYSTEM32\ymwobc.dll"
TR\Vundo.Gen Trojan


I have tried using SDFix.

Here is the HijackThis log from WinPatrol:

Log created by WinPatrol version 15.9.2008.5:15.9.2008.5
Scan saved at 2:56:05 PM, on 1/31/2009
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\sched.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avguard.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsAuxs.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsSvc.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsTray.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM\hpsysdrv.exe
C:\hp\KBD\KBD.EXE
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
C:\PROGRAM FILES\Winamp\winampa.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\atiptaxx.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\HYDRAVISION\HydraDM.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avgnt.exe
C:\PROGRAM FILES\Java\JRE1.5.0_12\bin\jusched.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\CursorXP\CursorXP.exe
C:\PROGRAM FILES\MySpace\IM\MYSPACEIM.EXE
C:\PROGRAM FILES\REGISTRY MECHANIC\RegMech.exe
C:\PROGRAM FILES\Adobe\ACROBAT 7.0\Reader\READER_SL.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqtra08.exe
C:\PROGRAM FILES\ArcSoft\MEDIA CARD COMPANION\MCC MONITOR.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqgalry.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {31fdd2fb-c7e8-45e6-8bbe-46544790a30e} -
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: qoMccBuV - {6A12F41C-7C77-4374-9FC7-194F3E2C0079} - C:\WINDOWS\system32\qoMccBuV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: SDIEInt - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\Program Files\Star Downloader\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv]c:\WINDOWS\SYSTEM\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD]C:\hp\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard]C:\WINDOWS\SMINST\Recguard.exe
O4 - HKLM\..\Run: [S3TRAY2]S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray]C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [PS2]C:\WINDOWS\SYSTEM32\ps2.EXE
O4 - HKLM\..\Run: [USB]C:\WINDOWS\SYSTEM32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [WinampAgent]C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AtiPTA]C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC]C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HydraVisionDesktopManager]C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [avgnt]C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISTray]C:\Program Files\Spyware Doctor\pctsTray.exe
O4 - HKCU\..\Run: [CursorXP]C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [updateMgr]C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MySpaceIM]C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aqqhggar]C:\Documents and Settings\Owner\My Documents\?ssembly\r?gedit.exe
O4 - HKCU\..\Run: [RegistryMechanic]C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: Adobe Reader Speed Launch.lnk=C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk=C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.16\AMVConverter\grab.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.5.0_12\bin
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: Microsoft XML Parser for Java (xmldso) - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} (http://codecs.microsoft.com/codecs/i386/voxacm) - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276919781
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276899437
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - AppInit_DLLs: ymwobc.dll dehzld.dll

O23 - Service: 6to4 - - C:\WINDOWS\System32\SystemInfoCC.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Application Management - - C:\WINDOWS\System32\appmgmts.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\SYSTEM32\ImapiRox.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service - - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--- Additional WinPatrol Info ---
Browser: Unable to find default browser.
MSIE: Internet Explorer (6.00.2900.2180)
Firefox 3.0 installed in C:\Program Files\Mozilla Firefox.
Mozilla 1.6: 2004011308 installed in C:\Program Files\mozilla.org\Mozilla\.
4 IE Cookies in Folder: C:\Documents and Settings\Owner\Cookies\
0 Mozilla Cookies in Folder: C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\x2mo35dx.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 1:Turn off Automatic Updates.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://


WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmp.dll 10.00.00.3646
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {0713E8A2-850A-101B-AFC0-4210102A8DA7} [Microsoft TreeView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {0713E8D2-850A-101B-AFC0-4210102A8DA7} [Microsoft ProgressBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {08B0e5c0-4FCB-11CF-AAA5-00401C608501} [Web Browser Applet Control] C:\WINDOWS\SYSTEM32\msjava.dll 5.00.3810
WP16 - ActiveX: {105C7D20-FE19-11D2-ACB6-0080C877D9B9} [MGISlider Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Slider.dll 3.0.0.560
WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\SYSTEM32\webvw.dll 6.00.2900.2180
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {4FA211A0-FD53-11D2-ACB6-0080C877D9B9} [MGIButton Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Button.dll 3.0.0.597
WP16 - ActiveX: {58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ListView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ImageList Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {6B7E638F-850A-101B-AFC0-4210102A8DA7} [Microsoft StatusBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\SYSTEM32\shdocvw.dll 6.00.2900.2180
WP16 - ActiveX: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} [HHCtrl Object] C:\WINDOWS\SYSTEM32\hhctrl.ocx 5.2.3790.1194
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\SYSTEM32\mshtml.dll 6.00.2900.2180
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\Adobe\ACROBAT 7.0\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\WINDOWS\SYSTEM32\rmoc3260.dll 6.0.9.1875
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36

WP32 - Hidden File: C:\AVG6DB_F.DAT
WP32 - Hidden File: C:\BOOT.INI
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Atmenuxx.GID
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\VuBccMoq.ini
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\VuBccMoq.ini2
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\zllictbl.dat

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [Iceows Document]rundll32 C:\WINDOWS\System32\ShellExt\IceGUI.dll,RouteTheCall %L
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .MID: [IrfanView MID File]C:\Program Files\IrfanView\I_VIEW32.EXE %1
WP33 - File Type .MP3: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe shdocvw.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*

Memory currently in use: 45%
Physical Memory Free: 713,612 KB
Paging File Free: 1,255,252 KB
Virtual Memory Free: 2,056,500 KB


--
End of file
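Added example for readers working through logs like the one above; it is not code from the thread, nor from HijackThis, WinPatrol or ComboFix. It is a small Python triage script that parses the O2 (BHO), O4 (Run), O20 (AppInit_DLLs) and O23 (Service) line formats shown in the posted log and flags the entries a helper looks at first: any DLL listed in AppInit_DLLs, a BHO with no name or no file on disk, a Run value whose path contains a "?" the log could not render, and a service with no vendor whose binary is a DLL under System32. The sample lines are copied from the log above (with the benign Adobe and Avira entries kept for contrast); the heuristics, the regular expressions, and the names `Finding`, `triage_line` and `triage` are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from HijackThis, WinPatrol or
ComboFix. It parses the O2 (BHO), O4 (Run), O20 (AppInit_DLLs) and O23
(Service) line formats seen in the posted log and flags the entries a helper
checks first. The heuristics, regexes and function names are this example's
own assumptions, not rules stated in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the WinPatrol/HijackThis log posted above,
# with benign Adobe and Avira entries kept so the rules have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {31fdd2fb-c7e8-45e6-8bbe-46544790a30e} -
O2 - BHO: qoMccBuV - {6A12F41C-7C77-4374-9FC7-194F3E2C0079} - C:\WINDOWS\system32\qoMccBuV.dll
O4 - HKLM\..\Run: [avgnt]C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKCU\..\Run: [Aqqhggar]C:\Documents and Settings\Owner\My Documents\?ssembly\r?gedit.exe
O20 - AppInit_DLLs: ymwobc.dll dehzld.dll
O23 - Service: 6to4 - - C:\WINDOWS\System32\SystemInfoCC.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    section: str   # HijackThis section tag the line came from, e.g. "O20"
    subject: str   # the DLL, CLSID, path, Run value or service name flagged
    reason: str


# Line formats as they appear in the log; "name" is greedy in the O23 pattern
# because service display names may themselves contain " - ".
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) ?- (?P<clsid>\{[0-9A-Fa-f-]+\}) -(?: (?P<path>.*))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\](?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list when nothing is flagged)."""
    line = line.strip()
    out: list[Finding] = []
    if m := APPINIT_RE.match(line):
        # AppInit_DLLs are mapped by user32.dll into every process that loads it,
        # which is why a single unknown name here outranks any other entry.
        for dll in m["dlls"].split():
            out.append(Finding("high", "O20", dll,
                               "AppInit_DLLs entry: injected into every process that loads user32.dll"))
    elif m := BHO_RE.match(line):
        path = m["path"] or ""
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if not path:
            out.append(Finding("medium", "O2", m["clsid"],
                               "BHO registered with no file on disk (orphan entry)"))
        elif not m["name"] or m["name"] == stem:
            out.append(Finding("medium", "O2", path,
                               "BHO whose display name is just its file name"))
    elif m := RUN_RE.match(line):
        # HijackThis prints '?' for characters it cannot render; a Run path with
        # one in a folder or file name is a frequent sign of a look-alike name.
        if "?" in m["cmd"]:
            out.append(Finding("high", "O4", m["name"],
                               "Run value path contains a character the log could not render"))
    elif m := SERVICE_RE.match(line):
        path_l = m["path"].lower()
        if not m["vendor"] and path_l.endswith(".dll") and "\\system32\\" in path_l:
            out.append(Finding("medium", "O23", m["name"],
                               "service with no vendor whose binary is a DLL under System32"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section} {f.subject}: {f.reason}")
```

Run against the sample it reports six findings: the two AppInit_DLLs names, the nameless BHO and the qoMccBuV BHO, the Aqqhggar Run value with the unrenderable path, and the 6to4 service, while the Adobe and Avira entries pass. The rules are deliberately narrow; a clean result from this script is not a clean machine, only a shorter list for the person reading the log.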


#2 fenzodahl512


  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 03 February 2009 - 05:13 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 photolabgirl77

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 04 February 2009 - 08:15 PM

Ok will do. Thanks :thumbup2:

#4 fenzodahl512


  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 04 February 2009 - 11:06 PM

Waiting for the logs :thumbup2:



#5 photolabgirl77

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 05 February 2009 - 10:19 PM

ComboFix log:

ComboFix 09-02-05.01 - Owner 2009-02-05 21:59:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1280.685 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\installs\ComboFix.exe
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Cookies\MM2048.DAT
c:\documents and settings\Owner\Cookies\MM256.DAT
c:\documents and settings\Owner\My Documents\SSEMBL~1
c:\program files\Bat\Info.dll
c:\program files\Common Files\wnsxs~1
c:\program files\Common Files\wnsxs~1\W?nSxS\
c:\program files\INSTALL.LOG
c:\program files\stc
C:\SpyGuardPro
c:\temp\xOe
c:\windows\swin32.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\ejdvgrks.dll
c:\windows\system32\fccyaXro.dll
c:\windows\system32\hluninst.dll
c:\windows\system32\iDlo01
c:\windows\system32\inf\svchost.exe
c:\windows\system32\inf\svchosts.exe
c:\windows\system32\kkfuuhbt.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mvkdverf.dll
c:\windows\system32\usb.exe
c:\windows\system32\vMW02a
c:\windows\system32\VuBccMoq.ini
c:\windows\system32\VuBccMoq.ini2
c:\windows\system32\ymwobc.dll
c:\windows\system32\yvbxudgp.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-02 20:06 . 2009-02-02 20:06 <DIR> d-------- c:\program files\SmitFraudFixTool
2009-02-02 20:06 . 2009-02-02 20:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\SmitFraudFixTool
2009-02-02 19:59 . 2009-02-02 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-31 15:45 . 2009-01-31 15:45 <DIR> d-------- c:\program files\XoftSpySE
2009-01-31 14:38 . 2009-01-31 14:38 577,024 --a------ c:\windows\SYSTEM32\dllcache\user32.dll
2009-01-31 14:34 . 2009-01-31 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-31 14:28 . 2009-01-31 14:53 <DIR> d-------- C:\SDFix
2009-01-30 23:29 . 2009-01-31 00:46 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-30 23:29 . 2009-01-30 23:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-01-30 23:29 . 2008-08-25 12:36 81,288 --a------ c:\windows\SYSTEM32\drivers\iksyssec.sys
2009-01-30 23:29 . 2008-08-25 12:36 66,952 --a------ c:\windows\SYSTEM32\drivers\iksysflt.sys
2009-01-30 23:29 . 2008-08-25 12:36 40,840 --a------ c:\windows\SYSTEM32\drivers\ikfilesec.sys
2009-01-30 23:29 . 2008-06-02 16:19 29,576 --a------ c:\windows\SYSTEM32\drivers\kcom.sys
2009-01-30 23:02 . 2009-01-30 23:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\WinPatrol
2009-01-30 22:36 . 2009-01-30 22:37 119,808 --a------ C:\VundoFix.exe
2009-01-22 19:41 . 2009-01-22 19:41 <DIR> d-------- c:\windows\Sun
2009-01-22 19:40 . 2007-05-02 04:01 49,265 --a------ c:\windows\SYSTEM32\jpicpl32.cpl
2009-01-22 19:37 . 2009-01-22 19:40 <DIR> d-------- c:\program files\Java
2009-01-22 19:36 . 2009-01-22 19:36 <DIR> d-------- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 03:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-06 02:59 --------- d-----w c:\program files\Bat
2009-02-06 02:49 --------- d-----w c:\documents and settings\Owner\Application Data\SlimBrowser
2009-02-03 00:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-31 06:06 --------- d-----w c:\program files\SlimBrowser
2009-01-31 05:11 --------- d-----w c:\program files\Media
2009-01-31 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 16:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-29 15:32 --------- d-----w c:\program files\Kazaa Lite Resurrection
2001-05-24 16:59 162,304 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqqhggar"="c:\documents and settings\Owner\My Documents\?ssembly\r?gedit.exe" [?]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2002-06-18 66560]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"SmitFraudFixTool"="c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe" [2009-01-30 19435520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 176128]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-12-20 37376]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-04 262144]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-27 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"S3TRAY2"="S3tray2.exe" [2001-10-04 c:\windows\SYSTEM32\S3tray2.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Media Card Companion Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-03-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ymwobc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP50"= SP5X_32.DLL
"VIDC.SP51"= SP5X_32.DLL
"VIDC.SP52"= SP5X_32.DLL
"VIDC.SP53"= SP5X_32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a------ 2004-03-29 01:07 159744 c:\progra~1\HPINST~1\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\installs\\utorrent.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\drivers\sonyhcb.sys [2003-02-10 6097]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\drivers\ousbehci.sys [2003-04-19 29696]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-30 356920]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\SYSTEM32\drivers\ousb2hub.sys [2003-04-19 43648]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\Drivers\CA504AV.SYS --> c:\windows\system32\Drivers\CA504AV.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\drivers\sonyhcs.sys [2003-02-10 299923]
S3 XIRLINK;IBM PC Camera;c:\windows\SYSTEM32\drivers\C-itNT.sys [2002-05-27 805808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]
\shell\explore\command - F:\test.exe
\shell\open\Command - F:\test.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe [2009-01-30 10:49]

2009-02-06 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool [2009-02-02 20:06]

2009-02-06 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]

2009-01-31 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{31fdd2fb-c7e8-45e6-8bbe-46544790a30e} - (no file)
BHO-{6A12F41C-7C77-4374-9FC7-194F3E2C0079} - c:\windows\system32\qoMccBuV.dll
HKCU-Run-ATI Launchpad - (no file)
HKLM-Run-USB - c:\windows\system32\usb.exe
Notify-fcccdef - fcccdef.dll
Notify-LFTosx - LFTosx.dll
Notify-tuvSMdEv - tuvSMdEv.dll
Notify-urqpmjk - urqpmjk.dll
MSConfigStartUp-AutoUpdater - c:\program files\AutoUpdate\AutoUpdate.exe
MSConfigStartUp-IST Service - c:\program files\ISTsvc\istsvc.exe
MSConfigStartUp-KAZAA - c:\program files\Kazaa\Kazaa.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
MSConfigStartUp-msbb - c:\program files\180Solutions\msbb.exe
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL
MSConfigStartUp-P2P Networking - c:\windows\System32\P2P Networking\P2P Networking.exe
MSConfigStartUp-Power Scan - c:\program files\Power Scan\powerscan.exe
MSConfigStartUp-RunWindowsUpdate - c:\windows\uptodate.exe
MSConfigStartUp-updater - c:\program files\Common files\updater\wupdater.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = about:blank
uSearch Page = hxxp://www.google.com
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.16\AMVConverter\grab.html
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 22:07:42
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3684)
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Grisoft\AVG Free\avgupsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-05 22:12:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 03:12:23

Pre-Run: 274,752,196,608 bytes free
Post-Run: 274,726,146,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

254



HijackThis log


Log created by WinPatrol version 15.9.2008.5:15.9.2008.5
Scan saved at 10:19:05 PM, on 2/05/2009
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\sched.exe
C:\WINDOWS\SYSTEM\hpsysdrv.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
C:\PROGRAM FILES\Winamp\winampa.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\atiptaxx.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\HYDRAVISION\HydraDM.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avgnt.exe
C:\PROGRAM FILES\Java\JRE1.5.0_12\bin\jusched.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsTray.exe
C:\PROGRAM FILES\CursorXP\CursorXP.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avguard.exe
C:\PROGRAM FILES\REGISTRY MECHANIC\RegMech.exe
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqtra08.exe
C:\PROGRAM FILES\ArcSoft\MEDIA CARD COMPANION\MCC MONITOR.EXE
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqgalry.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsAuxs.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsSvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRAM FILES\SLIMBROWSER\sbrowser.exe
C:\PROGRAM FILES\Yahoo!\MESSENGER\YAHOOMESSENGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: SDIEInt - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\Program Files\Star Downloader\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv]c:\WINDOWS\SYSTEM\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD]C:\hp\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard]C:\WINDOWS\SMINST\Recguard.exe
O4 - HKLM\..\Run: [S3TRAY2]S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray]C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [PS2]C:\WINDOWS\SYSTEM32\ps2.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [WinampAgent]C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AtiPTA]C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager]C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [avgnt]C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISTray]C:\Program Files\Spyware Doctor\pctsTray.exe
O4 - HKCU\..\Run: [CursorXP]C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [updateMgr]C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MySpaceIM]C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aqqhggar]C:\Documents and Settings\Owner\My Documents\?ssembly\r?gedit.exe
O4 - HKCU\..\Run: [RegistryMechanic]C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SmitFraudFixTool]C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk=C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk=C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.16\AMVConverter\grab.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.5.0_12\bin
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: Microsoft XML Parser for Java (xmldso) - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} (http://codecs.microsoft.com/codecs/i386/voxacm) - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276919781
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276899437
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - AppInit_DLLs: ymwobc.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Application Management - - C:\WINDOWS\System32\appmgmts.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service - - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--- Additional WinPatrol Info ---
Default Browser: Internet Explorer - Internet Explorer version 6.00.2900.2180
MSIE: Internet Explorer (6.00.2900.2180)
Firefox 3.0 installed in C:\Program Files\Mozilla Firefox.
Mozilla 1.6: 2004011308 installed in C:\Program Files\mozilla.org\Mozilla\.
2 IE Cookies in Folder: C:\Documents and Settings\Owner\Cookies\
0 Mozilla Cookies in Folder: C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\x2mo35dx.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 1:Turn off Automatic Updates.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [XoftSpySE.job]C:\Program Files\XoftSpySE\XoftSpy.exe Never
WP31 - Scheduled Tasks: [XoftSpySE 2.job]C:\Program Files\XoftSpySE\XoftSpy.exe 02/05/2009 10:06 PM
WP31 - Scheduled Tasks: [SmitFraudFixTool Scheduled Scan.job]C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe Never

WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmp.dll 10.00.00.3646
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {0713E8A2-850A-101B-AFC0-4210102A8DA7} [Microsoft TreeView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {0713E8D2-850A-101B-AFC0-4210102A8DA7} [Microsoft ProgressBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {08B0e5c0-4FCB-11CF-AAA5-00401C608501} [Web Browser Applet Control] C:\WINDOWS\SYSTEM32\msjava.dll 5.00.3810
WP16 - ActiveX: {105C7D20-FE19-11D2-ACB6-0080C877D9B9} [MGISlider Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Slider.dll 3.0.0.560
WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\SYSTEM32\webvw.dll 6.00.2900.2180
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {4FA211A0-FD53-11D2-ACB6-0080C877D9B9} [MGIButton Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Button.dll 3.0.0.597
WP16 - ActiveX: {58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ListView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ImageList Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {6B7E638F-850A-101B-AFC0-4210102A8DA7} [Microsoft StatusBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\SYSTEM32\shdocvw.dll 6.00.2900.2180
WP16 - ActiveX: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} [HHCtrl Object] C:\WINDOWS\SYSTEM32\hhctrl.ocx 5.2.3790.1194
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\SYSTEM32\mshtml.dll 6.00.2900.2180
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\Adobe\ACROBAT 7.0\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\WINDOWS\SYSTEM32\rmoc3260.dll 6.0.9.1875
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36

WP32 - Hidden File: C:\AVG6DB_F.DAT
WP32 - Hidden File: C:\BOOT.INI
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Atmenuxx.GID
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\default.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SAM.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SECURITY.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\software.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\system.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\zllictbl.dat

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [Iceows Document]rundll32 C:\WINDOWS\System32\ShellExt\IceGUI.dll,RouteTheCall %L
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .MID: [IrfanView MID File]C:\Program Files\IrfanView\I_VIEW32.EXE %1
WP33 - File Type .MP3: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe shdocvw.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*

Memory currently in use: 41%
Physical Memory Free: 768,768 KB
Paging File Free: 1,264,836 KB
Virtual Memory Free: 2,056,068 KB


--
End of file

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 06 February 2009 - 03:28 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Folder::
c:\documents and settings\Owner\My Documents\?ssembly

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqqhggar"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the ComboFix log in your next reply...





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply...

1. ComboFix
2. Eset Online
3. How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
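As an added example that is not part of this thread or of HijackThis, WinPatrol or ComboFix: a small Python triage pass over the kinds of log lines the CFScript above acts on (the HKCU Run entry whose path contains a character the log tool could not print, the AppInit_DLLs value, an orphaned Winlogon Notify DLL, and the MountPoints2 autorun command). The sample lines are constructed from the logs posted earlier, and the Notify allowlist is an assumption to be extended for the machine being examined.

```python
"""Triage rules for HijackThis/WinPatrol (O4, O20) and ComboFix log lines.

Added example for this thread, not the helper's tooling and not part of
HijackThis, WinPatrol or ComboFix.  SAMPLE_LOG is constructed from the
entries that the CFScript in post #6 acts on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str   # which rule fired
    line: str   # the log line that triggered it
    why: str    # the reason a reviewer would give


# HijackThis form:  O4 - HKCU\..\Run: [Aqqhggar]C:\...\?ssembly\r?gedit.exe
_HJT_RUN = re.compile(r"^O4 - HK(?:CU|LM)\\\.\.\\Run: \[(?P<name>[^\]]+)\](?P<path>.+)$")
# ComboFix form:    "Aqqhggar"="c:\...\r?gedit.exe" [?]    ([?] = file info unreadable)
_CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<info>[^\]]*)\])?$')
# AppInit_DLLs in either form:  O20 - AppInit_DLLs: x.dll   /   "AppInit_DLLs"=x.dll
_APPINIT = re.compile(r'^(?:O20 - AppInit_DLLs:|"AppInit_DLLs"=)\s*(?P<dlls>.*)$')
# Winlogon Notify package given as a bare DLL name:  Notify-fcccdef - fcccdef.dll
_NOTIFY = re.compile(r"^Notify-\S+ - (?P<dll>[^\\]+\.dll)$", re.I)
# MountPoints2 autorun: the key header, then  \shell\open\Command - F:\test.exe
_MOUNT_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\}\]$", re.I)
_MOUNT_CMD = re.compile(r"^\\shell\\(?:open|explore|autorun)\\command - (?P<cmd>.+)$", re.I)

# Assumed starting allowlist of Notify DLLs that Windows XP and common drivers
# register; extend it for the machine being examined.
_KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                 "wlnotify.dll", "ati2evxx.dll", "igfxdev.dll"}
# Autostarts launched from inside the user profile deserve a second look.
_USER_DIRS = ("\\my documents\\", "\\application data\\", "\\local settings\\", "\\desktop\\")


def _run_reason(path: str, info: Optional[str]) -> Optional[str]:
    """Return why a Run entry looks suspicious, or None if it looks ordinary."""
    if "?" in path:
        # The log tool prints '?' for a character it cannot render: a look-alike
        # name such as "?ssembly\r?gedit.exe" meant to pass for Assembly\regedit.exe.
        return "path contains a character the log tool could not print (look-alike name)"
    if any(d in path.lower() for d in _USER_DIRS):
        return "autostart runs from the user profile instead of Program Files or Windows"
    if info == "?":
        return "ComboFix could not read the file's date and size"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan log lines in either tool's format and collect findings in order."""
    findings: List[Finding] = []
    in_mount_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _MOUNT_KEY.match(line):
            in_mount_key = True
            continue
        if line.startswith("["):          # any other key header ends the MountPoints2 block
            in_mount_key = False
        m = _MOUNT_CMD.match(line)
        if m and in_mount_key:
            findings.append(Finding("mountpoints2-autorun", line,
                            "Explorer runs %s when that drive is opened" % m.group("cmd")))
            continue
        m = _HJT_RUN.match(line) or _CF_RUN.match(line)
        if m:
            why = _run_reason(m.group("path"), m.groupdict().get("info"))
            if why:
                findings.append(Finding("suspicious-run-entry", line, why))
            continue
        m = _APPINIT.match(line)
        if m:
            dlls = m.group("dlls").strip().strip('"')
            if dlls:   # an empty value (the state the CFScript restores) is normal
                findings.append(Finding("appinit-dlls", line,
                                "%s is loaded into every process that maps user32.dll" % dlls))
            continue
        m = _NOTIFY.match(line)
        if m and m.group("dll").lower() not in _KNOWN_NOTIFY:
            findings.append(Finding("winlogon-notify", line,
                            "unrecognised Winlogon Notify DLL runs inside winlogon.exe"))
    return findings


# Constructed from the thread's logs: one clean Run entry plus the entries post #6 removes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt]C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKCU\..\Run: [Aqqhggar]C:\Documents and Settings\Owner\My Documents\?ssembly\r?gedit.exe
O20 - AppInit_DLLs: ymwobc.dll
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2002-06-18 66560]
Notify-fcccdef - fcccdef.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]
\shell\explore\command - F:\test.exe
\shell\open\Command - F:\test.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.rule, f.line, f.why))
```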


#7 photolabgirl77

photolabgirl77
  • Topic Starter

  • Members
  • 9 posts

Posted 08 February 2009 - 04:52 PM

Here is the ComboFix log

ComboFix 09-02-05.01 - Owner 2009-02-08 16:42:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1280.769 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\installs\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\installs\ComboFix.exe c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-02 20:06 . 2009-02-02 20:06 <DIR> d-------- c:\program files\SmitFraudFixTool
2009-02-02 20:06 . 2009-02-02 20:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\SmitFraudFixTool
2009-02-02 19:59 . 2009-02-02 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-31 15:45 . 2009-01-31 15:45 <DIR> d-------- c:\program files\XoftSpySE
2009-01-31 14:38 . 2009-01-31 14:38 577,024 --a------ c:\windows\SYSTEM32\dllcache\user32.dll
2009-01-31 14:34 . 2009-01-31 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-31 14:28 . 2009-01-31 14:53 <DIR> d-------- C:\SDFix
2009-01-30 23:29 . 2009-01-31 00:46 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-30 23:29 . 2009-01-30 23:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-01-30 23:29 . 2008-08-25 12:36 81,288 --a------ c:\windows\SYSTEM32\drivers\iksyssec.sys
2009-01-30 23:29 . 2008-08-25 12:36 66,952 --a------ c:\windows\SYSTEM32\drivers\iksysflt.sys
2009-01-30 23:29 . 2008-08-25 12:36 40,840 --a------ c:\windows\SYSTEM32\drivers\ikfilesec.sys
2009-01-30 23:29 . 2008-06-02 16:19 29,576 --a------ c:\windows\SYSTEM32\drivers\kcom.sys
2009-01-30 23:02 . 2009-01-30 23:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\WinPatrol
2009-01-30 22:36 . 2009-01-30 22:37 119,808 --a------ C:\VundoFix.exe
2009-01-22 19:41 . 2009-01-22 19:41 <DIR> d-------- c:\windows\Sun
2009-01-22 19:40 . 2007-05-02 04:01 49,265 --a------ c:\windows\SYSTEM32\jpicpl32.cpl
2009-01-22 19:37 . 2009-01-22 19:40 <DIR> d-------- c:\program files\Java
2009-01-22 19:36 . 2009-01-22 19:36 <DIR> d-------- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 21:47 --------- d-----w c:\documents and settings\Owner\Application Data\SlimBrowser
2009-02-08 21:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-06 02:59 --------- d-----w c:\program files\Bat
2009-02-03 00:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-31 06:06 --------- d-----w c:\program files\SlimBrowser
2009-01-31 05:11 --------- d-----w c:\program files\Media
2009-01-31 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 16:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-29 15:32 --------- d-----w c:\program files\Kazaa Lite Resurrection
2001-05-24 16:59 162,304 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqqhggar"="c:\documents and settings\Owner\My Documents\?ssembly\r?gedit.exe" [?]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2002-06-18 66560]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"SmitFraudFixTool"="c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe" [2009-01-30 19435520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 176128]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-12-20 37376]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-04 262144]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-27 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"S3TRAY2"="S3tray2.exe" [2001-10-04 c:\windows\SYSTEM32\S3tray2.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Media Card Companion Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-03-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ymwobc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP50"= SP5X_32.DLL
"VIDC.SP51"= SP5X_32.DLL
"VIDC.SP52"= SP5X_32.DLL
"VIDC.SP53"= SP5X_32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a------ 2004-03-29 01:07 159744 c:\progra~1\HPINST~1\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\installs\\utorrent.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\drivers\sonyhcb.sys [2003-02-10 6097]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\drivers\ousbehci.sys [2003-04-19 29696]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-30 356920]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\SYSTEM32\drivers\ousb2hub.sys [2003-04-19 43648]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\Drivers\CA504AV.SYS --> c:\windows\system32\Drivers\CA504AV.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\drivers\sonyhcs.sys [2003-02-10 299923]
S3 XIRLINK;IBM PC Camera;c:\windows\SYSTEM32\drivers\C-itNT.sys [2002-05-27 805808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]
\shell\explore\command - F:\test.exe
\shell\open\Command - F:\test.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe [2009-01-30 10:49]

2009-02-08 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool [2009-02-02 20:06]

2009-02-08 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]

2009-01-31 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = about:blank
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.16\AMVConverter\grab.html
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 16:47:12
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3724)
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\program files\CursorXP\CurXP0.dll
.
Completion time: 2009-02-08 16:51:07
ComboFix-quarantined-files.txt 2009-02-08 21:50:58
ComboFix2.txt 2009-02-06 03:12:38

Pre-Run: 274,696,704,000 bytes free
Post-Run: 274,691,182,592 bytes free


#8 photolabgirl77

photolabgirl77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 08 February 2009 - 06:27 PM

And here is the ESET log.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3836 (20090207)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=78e61d5db1d60845aff4208d93f3d7b6
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-08 11:20:29
# local_time=2009-02-08 06:20:29 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=246207
# found=70
# scan_time=4929
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »setup233.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »dp-k13w13.exe Win32/TrojanDownloader.Agent.AC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »IEDRIVER.EXE Win32/TrojanDownloader.Turown.H trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »ieupdate.exe Win32/TrojanDownloader.Turown.E trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »td.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »dist1_1_00.exe Win32/TrojanDownloader.Agent.EC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »ezStub.exe a variant of Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »sys_ai_client_loader.exe Win32/SecondThought.I trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe »NSIS »wmedia_bbi8015.exe Win32/Adware.BargainBuddy application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »dp-k13w13.exe Win32/TrojanDownloader.Agent.AC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »IEDRIVER.EXE Win32/TrojanDownloader.Turown.H trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »ieupdate.exe Win32/TrojanDownloader.Turown.E trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »td.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »dist1_1_00.exe Win32/TrojanDownloader.Agent.EC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »ezStub.exe a variant of Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »sys_ai_client_loader.exe Win32/SecondThought.I trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe »NSIS »wmedia_bbi8015.exe Win32/Adware.BargainBuddy application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »setup233.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »dp-k13w13.exe Win32/TrojanDownloader.Agent.AC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »IEDRIVER.EXE Win32/TrojanDownloader.Turown.H trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »ieupdate.exe Win32/TrojanDownloader.Turown.E trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »setup233.exe »NSIS »td.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »dist1_1_00.exe Win32/TrojanDownloader.Agent.EC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »ezStub.exe a variant of Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »sys_ai_client_loader.exe Win32/SecondThought.I trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe »NSIS »wmedia_bbi8015.exe Win32/Adware.BargainBuddy application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »dp-k13w13.exe Win32/TrojanDownloader.Agent.AC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »IEDRIVER.EXE Win32/TrojanDownloader.Turown.H trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »ieupdate.exe Win32/TrojanDownloader.Turown.E trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »setup233.exe »NSIS »td.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »dist1_1_00.exe Win32/TrojanDownloader.Agent.EC trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »ezStub.exe a variant of Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »sys_ai_client_loader.exe Win32/SecondThought.I trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe »NSIS »wmedia_bbi8015.exe Win32/Adware.BargainBuddy application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\hp\bin\AUTOPLAY.EXE Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AIM\aim95.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM\aim95.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AIM\aim95.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe Win32/Adware.SpywareRemover application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\SmitFraudFixTool\SpyCleaner.dll Win32/Adware.SpywareRemover application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\SmitFraudFixTool\TCL.dll Win32/Adware.AntiSpyware2008 application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ymwobc.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yvbxudgp.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP324\A0301687.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP324\A0301688.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301873.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301874.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301875.EXE Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301876.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301876.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301876.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301877.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301877.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301878.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301879.exe Win32/Adware.SpywareRemover application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301880.dll Win32/Adware.SpywareRemover application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301881.dll Win32/Adware.AntiSpyware2008 application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP325\A0301882.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:49 AM

Posted 08 February 2009 - 11:00 PM

1. Please open Notepad:
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
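The two findings fenzodahl512's CFScript targets (a populated AppInit_DLLs value, which Windows loads into every process that links user32.dll, and MountPoints2 shell verbs bound to an executable on a removable drive) can be pulled out of a ComboFix "Reg Loading Points" section mechanically. The following is an added example written for this thread, not ComboFix's or the helper's own code; the sample log is constructed from the values quoted above, and the parser assumes ComboFix's `[key]` / `"value"=data` layout shown in the logs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section,
# using the entries discussed in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ymwobc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2284e2b2-590e-11dd-be6a-00e01856bfde}]
\shell\explore\command - F:\test.exe
\shell\open\Command - F:\test.exe
"""

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SECTION_RE = re.compile(r"^\[(.+)\]$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.*)$', re.IGNORECASE)
# ComboFix prints MountPoints2 verbs as "\shell\<verb>\command - <target>"
MOUNTPOINT_RE = re.compile(r"^\\shell\\([^\\]+)\\command\s+-\s+(.+)$", re.IGNORECASE)


def parse_reg_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines under the registry key that precedes them.

    Keys keep their original spelling so they can be echoed into a CFScript;
    the REGEDIT4 header and blank lines are dropped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_appinit_dlls(sections: Dict[str, List[str]]) -> List[str]:
    """Return every DLL named in AppInit_DLLs; a clean machine normally has none."""
    dlls: List[str] = []
    for key, lines in sections.items():
        if key.lower() != APPINIT_KEY:
            continue
        for line in lines:
            m = APPINIT_RE.match(line)
            if m:
                value = m.group(1).strip().strip('"')
                # The value is a space- or comma-separated list of DLL names.
                dlls.extend(d for d in re.split(r"[,\s]+", value) if d)
    return dlls


def find_mountpoint_commands(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (key, verb, target) for every shell verb bound under MountPoints2.

    Explorer runs the bound command when the drive is opened, so a verb that
    points at an executable on a removable drive is the autorun hijack seen here.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, lines in sections.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for line in lines:
            m = MOUNTPOINT_RE.match(line)
            if m:
                hits.append((key, m.group(1).lower(), m.group(2).strip()))
    return hits


def build_cfscript(sections: Dict[str, List[str]]) -> str:
    """Emit the CFScript that clears AppInit_DLLs and deletes the hijacked keys."""
    lines = ["Registry::"]
    if find_appinit_dlls(sections):
        for key in sections:
            if key.lower() == APPINIT_KEY:
                lines.append(f"[{key}]")
                lines.append('"AppInit_DLLs"=""')
    # A leading '-' on the key tells ComboFix to delete the whole key.
    for key in sorted({k for k, _, _ in find_mountpoint_commands(sections)}):
        lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_reg_sections(SAMPLE_LOG)
    print("AppInit_DLLs:", find_appinit_dlls(found))
    for key, verb, target in find_mountpoint_commands(found):
        print(f"MountPoints2 verb '{verb}' -> {target}  ({key})")
    print(build_cfscript(found))
```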


#10 photolabgirl77

photolabgirl77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 11 February 2009 - 07:33 PM

I want to thank you for your time. Here is the ComboFix log.

ComboFix 09-02-11.02 - Owner 2009-02-11 19:22:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1280.733 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-08 16:56 . 2009-02-08 18:20 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-02 20:06 . 2009-02-08 17:54 <DIR> d-------- c:\program files\SmitFraudFixTool
2009-02-02 20:06 . 2009-02-02 20:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\SmitFraudFixTool
2009-02-02 19:59 . 2009-02-02 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-31 15:45 . 2009-01-31 15:45 <DIR> d-------- c:\program files\XoftSpySE
2009-01-31 14:38 . 2009-01-31 14:38 577,024 --a------ c:\windows\SYSTEM32\dllcache\user32.dll
2009-01-31 14:34 . 2009-01-31 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-31 14:28 . 2009-01-31 14:53 <DIR> d-------- C:\SDFix
2009-01-30 23:29 . 2009-01-31 00:46 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-30 23:29 . 2009-01-30 23:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-01-30 23:29 . 2008-08-25 12:36 81,288 --a------ c:\windows\SYSTEM32\drivers\iksyssec.sys
2009-01-30 23:29 . 2008-08-25 12:36 66,952 --a------ c:\windows\SYSTEM32\drivers\iksysflt.sys
2009-01-30 23:29 . 2008-08-25 12:36 40,840 --a------ c:\windows\SYSTEM32\drivers\ikfilesec.sys
2009-01-30 23:29 . 2008-06-02 16:19 29,576 --a------ c:\windows\SYSTEM32\drivers\kcom.sys
2009-01-30 23:02 . 2009-01-30 23:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\WinPatrol
2009-01-30 22:36 . 2009-01-30 22:37 119,808 --a------ C:\VundoFix.exe
2009-01-22 19:41 . 2009-01-22 19:41 <DIR> d-------- c:\windows\Sun
2009-01-22 19:40 . 2007-05-02 04:01 49,265 --a------ c:\windows\SYSTEM32\jpicpl32.cpl
2009-01-22 19:37 . 2009-01-22 19:40 <DIR> d-------- c:\program files\Java
2009-01-22 19:36 . 2009-01-22 19:36 <DIR> d-------- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 00:19 --------- d-----w c:\documents and settings\Owner\Application Data\SlimBrowser
2009-02-11 23:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-09 03:34 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-02-09 01:11 --------- d-----w c:\program files\Broderbund
2009-02-08 22:23 --------- d-----w c:\program files\AIM
2009-02-08 21:54 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!
2009-02-06 02:59 --------- d-----w c:\program files\Bat
2009-01-31 06:06 --------- d-----w c:\program files\SlimBrowser
2009-01-31 05:11 --------- d-----w c:\program files\Media
2009-01-31 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 16:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-29 15:32 --------- d-----w c:\program files\Kazaa Lite Resurrection
2001-05-24 16:59 162,304 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_22.09.55.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 19:49:02 196,683 ----a-w c:\windows\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w c:\windows\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w c:\windows\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w c:\windows\SYSTEM32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w c:\windows\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w c:\windows\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\SYSTEM32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqqhggar"="c:\documents and settings\Owner\My Documents\?ssembly\r?gedit.exe" [?]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2002-06-18 66560]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 176128]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-12-20 37376]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-04 262144]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-27 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"S3TRAY2"="S3tray2.exe" [2001-10-04 c:\windows\SYSTEM32\S3tray2.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Media Card Companion Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-03-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP50"= SP5X_32.DLL
"VIDC.SP51"= SP5X_32.DLL
"VIDC.SP52"= SP5X_32.DLL
"VIDC.SP53"= SP5X_32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a------ 2004-03-29 01:07 159744 c:\progra~1\HPINST~1\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\installs\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\drivers\sonyhcb.sys [2003-02-10 6097]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\drivers\ousbehci.sys [2003-04-19 29696]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-30 356920]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\SYSTEM32\drivers\ousb2hub.sys [2003-04-19 43648]
S3 CA504AV;Mega Camera, WDM Video Capture;c:\windows\system32\Drivers\CA504AV.SYS --> c:\windows\system32\Drivers\CA504AV.SYS [?]
S3 PCDRDRV;Pcdr Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\drivers\sonyhcs.sys [2003-02-10 299923]
S3 XIRLINK;IBM PC Camera;c:\windows\SYSTEM32\drivers\C-itNT.sys [2002-05-27 805808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe []

2009-02-08 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool [2009-02-08 17:54]

2009-02-11 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]

2009-01-31 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 09:29]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SmitFraudFixTool - c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe
MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~1.DLL


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = about:blank
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.16\AMVConverter\grab.html
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 19:27:01
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3460)
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\CursorXP\CurXP0.dll
.
Completion time: 2009-02-11 19:31:31
ComboFix-quarantined-files.txt 2009-02-12 00:31:21
ComboFix2.txt 2009-02-08 21:51:11
ComboFix3.txt 2009-02-06 03:12:38

Pre-Run: 272,161,267,712 bytes free
Post-Run: 272,146,112,512 bytes free


#11 photolabgirl77 (Topic Starter)
  • Members
  • 9 posts

Posted 11 February 2009 - 07:34 PM

Here is the HijackThis log:

Log created by WinPatrol version 15.9.2008.5:15.9.2008.5
Scan saved at 7:34:07 PM, on 2/11/2009
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\sched.exe
C:\WINDOWS\SYSTEM\hpsysdrv.exe
C:\hp\KBD\KBD.EXE
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
C:\PROGRAM FILES\Winamp\winampa.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\atiptaxx.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\HYDRAVISION\HydraDM.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avgnt.exe
C:\PROGRAM FILES\Java\JRE1.5.0_12\bin\jusched.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsTray.exe
C:\PROGRAM FILES\CursorXP\CursorXP.exe
C:\PROGRAM FILES\MySpace\IM\MYSPACEIM.EXE
C:\PROGRAM FILES\REGISTRY MECHANIC\RegMech.exe
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqtra08.exe
C:\PROGRAM FILES\ArcSoft\MEDIA CARD COMPANION\MCC MONITOR.EXE
C:\PROGRAM FILES\Avira\ANTIVIR PERSONALEDITION CLASSIC\avguard.exe
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsAuxs.exe
C:\PROGRAM FILES\SPYWARE DOCTOR\pctsSvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRAM FILES\SLIMBROWSER\sbrowser.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: SDIEInt - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\Program Files\Star Downloader\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv]c:\WINDOWS\SYSTEM\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD]C:\hp\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard]C:\WINDOWS\SMINST\Recguard.exe
O4 - HKLM\..\Run: [S3TRAY2]S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray]C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [PS2]C:\WINDOWS\SYSTEM32\ps2.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [WinampAgent]C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AtiPTA]C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager]C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [avgnt]C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISTray]C:\Program Files\Spyware Doctor\pctsTray.exe
O4 - HKCU\..\Run: [CursorXP]C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [updateMgr]C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MySpaceIM]C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aqqhggar]C:\Documents and Settings\Owner\My Documents\?ssembly\r?gedit.exe
O4 - HKCU\..\Run: [RegistryMechanic]C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: Adobe Reader Speed Launch.lnk=C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk=C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.16\AMVConverter\grab.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.5.0_12\bin
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: Microsoft XML Parser for Java (xmldso) - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} (http://codecs.microsoft.com/codecs/i386/voxacm) - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276919781
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276899437
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_12) - http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Application Management - - C:\WINDOWS\System32\appmgmts.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service - - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--- Additional WinPatrol Info ---
Default Browser: Internet Explorer - Internet Explorer version 6.00.2900.2180
MSIE: Internet Explorer (6.00.2900.2180)
Firefox 3.0 installed in C:\Program Files\Mozilla Firefox.
Mozilla 1.6: 2004011308 installed in C:\Program Files\mozilla.org\Mozilla\.
4 IE Cookies in Folder: C:\Documents and Settings\Owner\Cookies\
0 Mozilla Cookies in Folder: C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\x2mo35dx.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP01 - HKLM\CS1: PendingFileRenameOperations = \??\C:\test0123
WP01 - HKLM\CCS: PendingFileRenameOperations = \??\C:\test0123
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 1:Turn off Automatic Updates.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [XoftSpySE.job]C:\Program Files\XoftSpySE\XoftSpy.exe Never
WP31 - Scheduled Tasks: [XoftSpySE 2.job]C:\Program Files\XoftSpySE\XoftSpy.exe 02/11/2009 6:21 PM
WP31 - Scheduled Tasks: [SmitFraudFixTool Scheduled Scan.job]C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe Never

WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmp.dll 10.00.00.3646
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {0713E8A2-850A-101B-AFC0-4210102A8DA7} [Microsoft TreeView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {0713E8D2-850A-101B-AFC0-4210102A8DA7} [Microsoft ProgressBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {08B0e5c0-4FCB-11CF-AAA5-00401C608501} [Web Browser Applet Control] C:\WINDOWS\SYSTEM32\msjava.dll 5.00.3810
WP16 - ActiveX: {105C7D20-FE19-11D2-ACB6-0080C877D9B9} [MGISlider Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Slider.dll 3.0.0.560
WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\SYSTEM32\webvw.dll 6.00.2900.2180
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\SYSTEM32\wmpdxm.dll 10.00.00.3646
WP16 - ActiveX: {4FA211A0-FD53-11D2-ACB6-0080C877D9B9} [MGIButton Class] C:\PROGRAM FILES\COMMON FILES\MGI SHARED\Photo\Button.dll 3.0.0.597
WP16 - ActiveX: {58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ListView Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} [Microsoft ImageList Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {6B7E638F-850A-101B-AFC0-4210102A8DA7} [Microsoft StatusBar Control, version 5.0 (SP2)] C:\WINDOWS\SYSTEM32\COMCTL32.OCX 6.00.8105
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\SYSTEM32\shdocvw.dll 6.00.2900.2180
WP16 - ActiveX: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} [HHCtrl Object] C:\WINDOWS\SYSTEM32\hhctrl.ocx 5.2.3790.1194
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\SYSTEM32\mshtml.dll 6.00.2900.2180
WP16 - ActiveX: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\WINDOWS\SYSTEM32\rmoc3260.dll 6.0.9.1875
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash10a.ocx 10,0,12,36

WP32 - Hidden File: C:\AVG6DB_F.DAT
WP32 - Hidden File: C:\BOOT.INI
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Atmenuxx.GID
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\default.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SAM.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\SECURITY.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\software.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\system.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\SYSTEM32\zllictbl.dat

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [Iceows Document]rundll32 C:\WINDOWS\System32\ShellExt\IceGUI.dll,RouteTheCall %L
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .MID: [IrfanView MID File]C:\Program Files\IrfanView\I_VIEW32.EXE %1
WP33 - File Type .MP3: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe shdocvw.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*

Memory currently in use: 44%
Physical Memory Free: 722,752 KB
Paging File Free: 1,216,704 KB
Virtual Memory Free: 2,056,468 KB


--
End of file

#12 fenzodahl512
  • Members
  • 6,738 posts

Posted 11 February 2009 - 10:26 PM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer's behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 photolabgirl77 (Topic Starter)
  • Members
  • 9 posts

Posted 12 February 2009 - 09:04 PM

The only thing I notice now is that WinPatrol pops up a screen every minute or so saying
"a change has been detected in background page displayed on your desktop
If this is ok click yes or press enter
click no and we'll restore your page to default"

Everything else seems to be fine, and again I greatly appreciate your time.

Edited by photolabgirl77, 12 February 2009 - 09:04 PM.


#14 fenzodahl512
  • Members
  • 6,738 posts

Posted 13 February 2009 - 03:21 AM

I'm not familiar with WinPatrol.. Can you tell me the full path or the full error that WinPatrol finds? :thumbup2:



#15 photolabgirl77 (Topic Starter)
  • Members
  • 9 posts

Posted 15 February 2009 - 04:29 PM

It actually hasn't done it for a while now. Maybe now that my PC is cleaned up, it fixed it?
But when it was popping up, it was saying this message:

-a change has been detected in background page displayed on your desktop
If this is ok click yes or press enter
click no and we'll restore your page to default :about home


