Adware, trojans, a lot of infections


11 replies to this topic

#1 dinaa

dinaa

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 14 February 2009 - 07:00 AM

Hello, these are my logs:

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 6:49:16.73 on Sat 02/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.391 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\MPK\MPK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mpk\MPK.exe
BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: ShopperReports: {a7cddcdc-beeb-4685-a062-978f5e07ceee} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [jsf8uiw3jnjgffght] c:\docume~1\hp_own~1.you\locals~1\temp\winlognn.exe
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [5b22fa17] rundll32.exe "c:\windows\system32\adikpccv.dll",b
mRun: [jsf8uiw3jnjgffght] c:\docume~1\hp_own~1.you\locals~1\temp\winlognn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: appvdd - c:\windows\microsoft.net\framework\v3.5\appvdd.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: byXOhExW - byXOhExW.dll
Notify: crypt - crypts.dll
AppInit_DLLs: miutmz.dll
STS: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.you\applic~1\mozilla\firefox\profiles\ftj1sbki.default\
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 298264]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S0 mvbbstnd;mvbbstnd;c:\windows\system32\drivers\qxqsobjz.sys []
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\temp\2c1.tmp --> c:\windows\temp\2C1.tmp [?]

=============== Created Last 30 ================

2009-02-13 22:16 <DIR> --d----- c:\docume~1\hp_own~1.you\applic~1\Malwarebytes
2009-02-13 22:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 22:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 16:10 13,942 a------- c:\windows\system32\m3.ico
2009-02-13 16:10 13,942 a------- c:\windows\system32\c.ico
2009-02-13 16:10 7,662 a------- c:\windows\system32\m.ico
2009-02-13 16:10 4,286 a------- c:\windows\system32\s.ico
2009-02-13 16:10 19,214 a------- c:\windows\system32\sf.ico
2009-02-13 16:10 11,062 a------- c:\windows\system32\p.ico
2009-02-13 16:10 3,182 a------- c:\windows\ios.dat
2009-02-13 16:10 99,696 a------- c:\windows\system32\drivers\94c5bbb7.sys
2009-02-13 16:10 2 a------- C:\1529019064
2009-02-13 10:58 35,328 a------- c:\windows\system32\qoMgfFUM.dll
2009-02-12 16:12 1,599,344 ---sh--- c:\windows\system32\vccpkida.ini
2009-02-10 19:04 1,563,220 ---sh--- c:\windows\system32\jjmlccdt.ini
2009-02-09 19:53 200,704 a------- c:\windows\SysNotifier.exe
2009-02-08 10:22 529 a------- c:\windows\system32\winlogon2.exe
2009-02-07 10:27 30,835 a--sh--- c:\windows\system32\EKTtwyay.ini2
2009-02-07 10:27 30,835 a--sh--- c:\windows\system32\EKTtwyay.ini
2009-02-07 10:27 1,104 a------- c:\windows\mvbbstnd
2009-01-15 18:39 <DIR> --d----- c:\program files\Packet Tracer 5.1

==================== Find3M ====================

2009-02-04 08:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 08:30 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-04 08:30 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-01 13:43 27,440 a------- c:\windows\system32\drivers\secdrv.sys
2008-12-19 18:30 81,920 a------- c:\windows\system32\frapsvid.dll
2006-09-18 14:41 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 6:52:09.28 ===============


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:03:32 PM

Posted 15 February 2009 - 07:13 AM

Hello Dinaa and welcome to Bleeping Computer,

Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference.

#3 dinaa

dinaa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 16 February 2009 - 10:52 AM

Hello, someone previously asked me to run Malwarebytes and SDFix, then I lost contact with them. So I'm going to post the logs for each and post new logs.
Please let me know what to do after you have reviewed them.
Thanks

MalwareBytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 1761
Windows 5.1.2600 Service Pack 2

2/14/2009 12:55:17 PM
mbam-log-2009-02-14 (12-55-17).txt

Scan type: Quick Scan
Objects scanned: 68271
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 57
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7a85cdf5-284b-4496-a9a7-dd82fee9dcec} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fcd4b2f5-8793-4e1f-8774-6e520cf6cd79} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{930e7881-d9f3-4293-a24b-23a80c013378} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mvbbstnd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mvbbstnd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvbbstnd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b22fa17 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\SysNotifier.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\94c5bbb7.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\qxqsobjz.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sf.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMgfFUM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\ios.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadgwfkilv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaebwfkerx.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekafviturux.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekauqcrvhbu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekavwmvqnhq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekahntafoxd.sys (Trojan.Agent) -> Delete on reboot.

SDFix log:

SDFix: Version 1.240
Run by HP_Owner on Sat 02/14/2009 at 09:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSserv.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\152901~1 - Deleted
C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 22:48:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\MPK\MPK.exe [732] 0x86211898

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Steam\\steamapps\\prosnowboarder13@hotmail.com\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\prosnowboarder13@hotmail.com\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:bittorrent"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\system32\\MPK\\Mpk.exe"="C:\\WINDOWS\\system32\\MPK\\Mpk.exe:*:Enabled:TCP\\IP"
"C:\\WINDOWS\\system32\\MPK\\MpkView.exe"="C:\\WINDOWS\\system32\\MPK\\MpkView.exe:*:Enabled:TCP\\IP"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"="C:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe:*:Enabled:PacketTracer5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainpr

ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste

m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles

%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\MSN

Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN

Messenger\\msnmsgr.exe:*:Enabled:Windows Live

Messenger 8.1"
"C:\\Program Files\\MSN

Messenger\\livecall.exe"="C:\\Program Files\\MSN

Messenger\\livecall.exe:*:Enabled:Windows Live

Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 31 Aug 2008 213 A.SHR --- "C:\BOOT.BAK"
Sat 3 Mar 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
Sat 3 Mar 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
Sun 23 Apr 2006 13,824 A.SH. --- "C:\Program Files\MSN Messenger\Secur32.dll"
Sun 15 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 27 Nov 2005 31,232 A..H. --- "C:\Documents and Settings\HP_Owner\My Documents\~WRL3920.tmp"
Mon 17 Nov 2008 37,580 ...H. --- "C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\My Documents\~WRL2831.tmp"
Thu 9 Nov 2006 20,480 A..H. --- "C:\Nexon\Audition\Hshield\22dde3da.dll"
Thu 9 Nov 2006 20,480 A..H. --- "C:\Nexon\Audition\Hshield\3c45a02.dll"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Sun 1 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 28 Nov 2005 1,339 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Tue 28 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\85d72ebd3332986fe72a8378dc1d1a21\BIT16.tmp"
Sat 7 Feb 2009 137 A..H. --- "C:\Documents and Settings\All Users\Application Data\avg8\scanlogs\srmcheck.tmp"
Thu 18 Aug 2005 444 A..HR --- "C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Nov 2008 31,744 ...H. --- "C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 15 Feb 2006 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\438592bd0a35d9254fb9860cffa394f2\BIT152.tmp"

Finished!

#4 dinaa (Topic Starter)

Posted 16 February 2009 - 10:55 AM

New hijack logs:


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 10:53:07.25 on Mon 02/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.515 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\MPK\MPK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mpk\MPK.exe,
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [jsf8uiw3jnjgffght] c:\docume~1\hp_own~1.you\locals~1\temp\winlognn.exe
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [jsf8uiw3jnjgffght] c:\docume~1\hp_own~1.you\locals~1\temp\winlognn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: appvdd - c:\windows\microsoft.net\framework\v3.5\appvdd.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: byXOhExW - byXOhExW.dll
AppInit_DLLs: miutmz.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywtTKE

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.you\applic~1\mozilla\firefox\profiles\ftj1sbki.default\
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 298264]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S1 94c5bbb7;94c5bbb7;c:\windows\system32\drivers\94c5bbb7.sys --> c:\windows\system32\drivers\94c5bbb7.sys [?]

=============== Created Last 30 ================

2009-02-14 21:00 <DIR> --d----- c:\windows\ERUNT
2009-02-14 20:50 <DIR> --d----- C:\SDFix
2009-02-13 22:16 <DIR> --d----- c:\docume~1\hp_own~1.you\applic~1\Malwarebytes
2009-02-13 22:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 22:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-12 16:12 1,599,344 ---sh--- c:\windows\system32\vccpkida.ini
2009-02-10 19:04 1,563,220 ---sh--- c:\windows\system32\jjmlccdt.ini
2009-02-08 10:22 529 a------- c:\windows\system32\winlogon2.exe
2009-02-07 10:27 30,835 a--sh--- c:\windows\system32\EKTtwyay.ini2
2009-02-07 10:27 30,835 a--sh--- c:\windows\system32\EKTtwyay.ini
2009-02-07 10:27 1,104 a------- c:\windows\mvbbstnd
2009-02-07 10:27 302,080 a------- c:\windows\system32\yaywtTKE.dll.vir
2009-02-07 10:21 0 a------- c:\windows\system32\drivers\senekaylkmppxi.sys

==================== Find3M ====================

2009-02-04 08:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 08:30 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-04 08:30 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-01 13:43 27,440 a------- c:\windows\system32\drivers\secdrv.sys
2008-12-19 18:30 81,920 a------- c:\windows\system32\frapsvid.dll
2006-09-18 14:41 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 10:54:11.29 ===============


#5 Thunder

Posted 16 February 2009 - 04:16 PM

Hello Dinaa,

Thank you for the additional info.
Now please run ComboFix as I asked in my previous post, and post the log in your next reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#6 dinaa (Topic Starter)

Posted 17 February 2009 - 03:59 PM

Thanks again, and here's the ComboFix log you requested.

ComboFix 09-02-15.01 - HP_Owner 2009-02-17 15:45:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.578 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\senekaylkmppxi.sys
c:\windows\system32\EKTtwyay.ini
c:\windows\system32\EKTtwyay.ini2
c:\windows\system32\jjmlccdt.ini
c:\windows\system32\vccpkida.ini
c:\windows\system32\winlogon2.exe
c:\windows\Tasks\emeturtj.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-14 21:00 . 2009-02-14 21:01 <DIR> d-------- c:\windows\ERUNT
2009-02-14 20:54 . 2005-06-01 10:47 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-14 20:54 . 2005-06-01 11:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-14 20:54 . 2005-06-01 11:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-02-14 20:54 . 2005-06-01 11:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterMute
2009-02-14 20:54 . 2005-06-01 10:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-02-14 20:54 . 2009-02-14 20:54 <DIR> d-------- c:\documents and settings\Administrator
2009-02-14 20:50 . 2009-02-14 22:50 <DIR> d-------- C:\SDFix
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Malwarebytes
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-07 10:27 . 2009-02-07 10:27 302,080 --a------ c:\windows\system32\yaywtTKE.dll.vir
2009-02-07 10:27 . 2009-02-14 12:57 1,104 --a------ c:\windows\mvbbstnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 20:34 --------- d-sh--w c:\documents and settings\All Users\Application Data\MPK
2009-02-14 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-14 00:00 --------- d-----w c:\program files\WildTangent
2009-02-13 23:50 --------- d-----w c:\program files\Microsoft Works
2009-02-13 23:50 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 20:18 --------- d-----w c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\HPAppData
2009-02-08 02:18 --------- d-----w c:\program files\Easy Internet signup
2009-02-07 14:38 --------- d-----w c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\GetRightToGo
2009-02-04 13:30 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-04 13:30 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-01 18:50 --------- d-----w c:\program files\DOSBox-0.72
2009-02-01 18:43 27,440 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-01-27 21:47 --------- d-----w c:\program files\CCleaner
2009-01-15 23:40 --------- d-----w c:\program files\Packet Tracer 5.1
2009-01-03 01:35 --------- d-----w c:\program files\Veoh Networks
2009-01-01 17:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 03:50 --------- d-----w c:\program files\Trymedia
2008-12-22 10:28 --------- d-sh--w c:\program files\Kkb
2007-10-24 22:52 0 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2006-09-18 19:41 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-04-07 20:41 93,988 ----a-w c:\documents and settings\HP_Owner\Winsock2.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"D-Link AirPlus XtremeG"="c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 1011712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-01 180269]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 08:30 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=miutmz.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner.YOUR-F78BF48CE2^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-10-19 20:19 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-18 06:05 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-03-01 18:11 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-02-26 00:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 15:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 10:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-01 10:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\prosnowboarder13@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\MPK\\Mpk.exe"=
"c:\\WINDOWS\\system32\\MPK\\MpkView.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25290:TCP"= 25290:TCP:BitComet 25290 TCP
"25290:UDP"= 25290:UDP:BitComet 25290 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-30 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-09-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-30 298264]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-03-22 450400]
S1 94c5bbb7;94c5bbb7;c:\windows\system32\drivers\94c5bbb7.sys --> c:\windows\system32\drivers\94c5bbb7.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-01-02 c:\windows\Tasks\109569.job
- c:\downloads\109569.mp3 [2007-12-30 18:36]

2008-01-02 c:\windows\Tasks\109569h.job
- c:\downloads\109569.mp3 [2007-12-30 18:36]

2009-02-17 c:\windows\Tasks\AA56AA9997F95B91.job
- c:\docume~1\hp_owner\applic~1\upwebw~1\Rect Dash Bird.exe []

2009-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-14 c:\windows\Tasks\At1.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At10.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At11.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At12.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At13.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At14.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At15.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At16.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At17.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At18.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At19.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At2.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-17 c:\windows\Tasks\At20.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At21.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At22.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-15 c:\windows\Tasks\At23.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At24.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At25.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At26.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At27.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At28.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At29.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At3.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At30.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At31.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At32.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At33.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At34.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At35.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At36.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At37.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At38.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At39.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At4.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-16 c:\windows\Tasks\At40.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At41.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At42.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-16 c:\windows\Tasks\At43.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-17 c:\windows\Tasks\At44.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At45.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At46.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-15 c:\windows\Tasks\At47.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At48.job
- c:\windows\system32\3XXQWJ4a.exe []

2009-02-14 c:\windows\Tasks\At5.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At6.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At7.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At8.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At9.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE []

2009-02-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
Notify-appvdd - c:\windows\Microsoft.NET\Framework\v3.5\appvdd.dll
Notify-byXOhExW - byXOhExW.dll
MSConfigStartUp-WeatherDPA - c:\program files\Zango\bin\10.3.74.0\Weather.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe
MSConfigStartUp-ZangoOE - c:\program files\Zango\bin\10.3.74.0\OEAddOn.exe
MSConfigStartUp-ZangoSA - c:\program files\Zango\bin\10.3.74.0\ZangoSA.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Mozilla\Firefox\Profiles\ftj1sbki.default\
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 15:51:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dumprep.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-02-17 15:56:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 20:56:01

Pre-Run: 11,416,621,056 bytes free
Post-Run: 11,536,502,784 bytes free

341
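The scan output above lists dozens of AtN.job tasks that all run the same file in system32, and ComboFix printed empty brackets "[]" after that target because it found no date or size for it. As an added example that is not part of this thread, here is a small Python triage script that parses the "Scheduled Tasks" section of a ComboFix log (fed a constructed excerpt modelled on the log above) and flags such clusters, while leaving a single legitimate task with empty brackets alone.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log (added example).

ComboFix prints each task as two lines: "<date> <path>.job" followed by
"- <target> [<date size>]". The brackets are empty when ComboFix could not
read date/size for the target. One such task is unremarkable (a legitimate
updater below shows it too); many AtN.job tasks sharing one such target is
the pattern seen in the log above.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's log, not the full log.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\At6.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At7.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-14 c:\windows\Tasks\At8.job
- c:\windows\system32\bAV1xYjp.exe []

2009-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
"""

TASK_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<job>.+\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
AT_JOB_RE = re.compile(r"^at(?P<n>\d+)\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return one {'date', 'job', 'target', 'meta'} dict per task entry."""
    tasks, pending = [], None
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = TARGET_RE.match(line)
        if m and pending is not None:
            pending.update(target=m.group("target"), meta=m.group("meta").strip())
            tasks.append(pending)
            pending = None
    return tasks


def job_name(path):
    """Last path component of a .job path, e.g. 'At6.job'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_at_job_clusters(tasks, min_jobs=3):
    """Map target (lower-cased) -> AtN.job names, for targets that at least
    min_jobs AtN.job tasks run and for which ComboFix printed no metadata."""
    by_target = defaultdict(list)
    for task in tasks:
        name = job_name(task["job"])
        if AT_JOB_RE.match(name) and task["meta"] == "":
            by_target[task["target"].lower()].append(name)
    return {
        target: sorted(names, key=lambda n: int(AT_JOB_RE.match(n).group("n")))
        for target, names in by_target.items()
        if len(names) >= min_jobs
    }


def report(log_text):
    """Human-readable summary of suspicious AtN.job clusters in a log."""
    clusters = find_at_job_clusters(parse_tasks(log_text))
    lines = []
    for target, names in clusters.items():
        lines.append(f"{len(names)} AtN.job tasks -> {target} (no file metadata): "
                     + ", ".join(names))
    return "\n".join(lines) if lines else "no AtN.job clusters found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```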

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:32 PM

Posted 17 February 2009 - 05:06 PM

Hello Dinaa,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
c:\windows\system32\yaywtTKE.dll.vir
c:\windows\mvbbstnd
c:\windows\system32\drivers\94c5bbb7.sys
c:\downloads\109569.mp3
c:\windows\Tasks\109569.job
c:\windows\Tasks\109569h.job
c:\windows\Tasks\AA56AA9997F95B91.job
AtJob::
Driver::
94c5bbb7
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 dinaa

dinaa
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:32 AM

Posted 17 February 2009 - 05:43 PM

Should I turn my antivirus and firewalls off also before doing this step?
Thanks

#9 dinaa

dinaa
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:32 AM

Posted 17 February 2009 - 06:08 PM

Hello, thanks for the help. Performance is much better now, but I have one question. Every time I reboot my PC I get a message that says "To help protect your computer, Windows has closed Generic Host Process for Win32 Services". I keep trying to close this message but it keeps popping up. My question is whether or not this message is some kind of threat to my computer. Thanks

Also this is the combofix log you requested.

ComboFix 09-02-15.01 - HP_Owner 2009-02-17 17:50:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.588 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\downloads\109569.mp3
c:\windows\mvbbstnd
c:\windows\system32\drivers\94c5bbb7.sys
c:\windows\system32\yaywtTKE.dll.vir
c:\windows\Tasks\109569.job
c:\windows\Tasks\109569h.job
c:\windows\Tasks\AA56AA9997F95B91.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\downloads\109569.mp3
c:\windows\mvbbstnd
c:\windows\system32\yaywtTKE.dll.vir
c:\windows\Tasks\109569.job
c:\windows\Tasks\109569h.job
c:\windows\Tasks\AA56AA9997F95B91.job
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_94c5bbb7


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-14 21:00 . 2009-02-14 21:01 <DIR> d-------- c:\windows\ERUNT
2009-02-14 20:54 . 2005-06-01 10:47 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-14 20:54 . 2005-06-01 11:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-14 20:54 . 2005-06-01 11:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-02-14 20:54 . 2005-06-01 11:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterMute
2009-02-14 20:54 . 2005-06-01 10:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-02-14 20:54 . 2009-02-14 20:54 <DIR> d-------- c:\documents and settings\Administrator
2009-02-14 20:50 . 2009-02-14 22:50 <DIR> d-------- C:\SDFix
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Malwarebytes
2009-02-13 22:16 . 2009-02-13 22:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 22:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 20:34 --------- d-sh--w c:\documents and settings\All Users\Application Data\MPK
2009-02-14 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-14 00:00 --------- d-----w c:\program files\WildTangent
2009-02-13 23:50 --------- d-----w c:\program files\Microsoft Works
2009-02-13 23:50 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 20:18 --------- d-----w c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\HPAppData
2009-02-08 02:18 --------- d-----w c:\program files\Easy Internet signup
2009-02-07 14:38 --------- d-----w c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\GetRightToGo
2009-02-04 13:30 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-04 13:30 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-01 18:50 --------- d-----w c:\program files\DOSBox-0.72
2009-02-01 18:43 27,440 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-01-27 21:47 --------- d-----w c:\program files\CCleaner
2009-01-15 23:40 --------- d-----w c:\program files\Packet Tracer 5.1
2009-01-03 01:35 --------- d-----w c:\program files\Veoh Networks
2009-01-01 17:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 03:50 --------- d-----w c:\program files\Trymedia
2008-12-22 10:28 --------- d-sh--w c:\program files\Kkb
2007-10-24 22:52 0 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2006-09-18 19:41 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-04-07 20:41 93,988 ----a-w c:\documents and settings\HP_Owner\Winsock2.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"D-Link AirPlus XtremeG"="c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 1011712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-01 180269]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 08:30 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner.YOUR-F78BF48CE2^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-10-19 20:19 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-18 06:05 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-03-01 18:11 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-02-26 00:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 15:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 10:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-01 10:38 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\prosnowboarder13@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\MPK\\Mpk.exe"=
"c:\\WINDOWS\\system32\\MPK\\MpkView.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25290:TCP"= 25290:TCP:BitComet 25290 TCP
"25290:UDP"= 25290:UDP:BitComet 25290 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-30 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-09-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-30 298264]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-03-22 450400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-02-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE []

2009-02-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\HP_Owner.YOUR-F78BF48CE2\Application Data\Mozilla\Firefox\Profiles\ftj1sbki.default\
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 17:56:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dumprep.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-02-17 18:00:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 23:00:49
ComboFix2.txt 2009-02-17 20:56:04

Pre-Run: 11,511,681,024 bytes free
Post-Run: 11,493,007,360 bytes free

284

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:32 PM

Posted 18 February 2009 - 05:50 PM

Hello Dinaa,

Do you update your Windows version regularly? What Service Pack do you have installed right now?
Your log looks fine now.

Please run another DDS scan and attach the Attach.txt to your next reply.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
Greetings,
Thunder

#11 dinaa

dinaa
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:32 AM

Posted 18 February 2009 - 08:45 PM

Hello, I have Microsoft Windows XP Home Edition Version 2002 Service Pack 2, but I'm not sure if I know how to update Windows versions. Anyways, here are my new DDS logs.

Thanks


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 20:41:05.00 on Wed 02/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.579 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.you\applic~1\mozilla\firefox\profiles\ftj1sbki.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 298264]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]

=============== Created Last 30 ================

2009-02-18 19:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-18 19:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-17 15:44 161,792 a------- c:\windows\SWREG.exe
2009-02-17 15:44 98,816 a------- c:\windows\sed.exe
2009-02-14 21:00 <DIR> --d----- c:\windows\ERUNT
2009-02-14 20:50 <DIR> --d----- C:\SDFix
2009-02-13 22:16 <DIR> --d----- c:\docume~1\hp_own~1.you\applic~1\Malwarebytes
2009-02-13 22:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 22:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-02-04 08:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 08:30 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-04 08:30 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-01 13:43 27,440 a------- c:\windows\system32\drivers\secdrv.sys
2008-12-19 18:30 81,920 a------- c:\windows\system32\frapsvid.dll
2006-09-18 14:41 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 20:41:41.54 ===============


#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:32 PM

Posted 19 February 2009 - 03:45 AM

Hello Dinaa,

Download and unzip Dial-a-Fix to its own folder on your desktop.
Open the Dial-a-Fix folder and launch the program by clicking on the blue cog-wheel icon.
First, click the "Policies..." button on the bottom.
If anything is found, make sure it's checked, then click the "Remove" button and click the "Close" button to close that window.
Now click the green double-check icon (Check all) on the bottom.
Then click on 'GO' at the bottom.
Click "Exit" and restart your PC when Dial-a-Fix is done.
The automatic updater should be operational again now.

Then you can remove all the tools used and the folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still getting that message on reboot?

Greetings,
Thunder