HKI###.exe keeps popping up in processes, as does QL6Yy4.com; also have Google redirect and recently had XP Internet Security 2012 (gone now)


  • This topic is locked
30 replies to this topic

#1 Eric Easterly

  • Members
  • 22 posts

Posted 11 August 2011 - 02:05 AM

I've been having some virus problems lately. I have Google redirect and have had it for a while; then XP Internet Security 2012 showed up, so I downloaded Hitman Pro 3.5, which took care of that one. But now, after the reboot, other viruses are popping up: some virus that runs a process named hki###.exe multiple times, and they use up all my CPU, and seemingly at the same time QL6Yy4.com is running.

I am running an older computer with XP Home SP3.

AMD Athlon
901 MHz, 384 MB RAM


DDS.TXT

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by PAPASCOTT at 16:53:44 on 2011-08-10
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\PAPASCOTT\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\hydravision\HydraDM.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [8DDYX0ZBPZ] c:\windows\temp\Azh.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [4275797212] c:\documents and settings\networkservice.nt authority\local settings\application data\xxq.exe
uPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\documents and settings\papascott\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: XUL Cache: {8d523f01-8c77-4d32-a2b5-5c7d5c16d918} - %profile%\extensions\{8d523f01-8c77-4d32-a2b5-5c7d5c16d918}
FF - Ext: XUL Cache: {20f4251a-b568-4e4b-9431-b493c9cbce65} - %profile%\extensions\{20f4251a-b568-4e4b-9431-b493c9cbce65}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? MBAMSwissArmy;MBAMSwissArmy
R? WMZuneComm;Zune Windows Mobile Connectivity Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? hitmanpro35;Hitman Pro 3.5 Support Driver
S? SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice.nt authority\local settings\application data\xxq.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-10 18:39:19 329216 ----a-w- c:\documents and settings\papascott\local settings\application data\sbr.dl_
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
2011-07-24 07:28:04 0 ---ha-w- c:\documents and settings\papascott\jenalnblsh.tmp
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-03 06:53:32 2885905 -c--a-w- c:\program files\gozilla.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 17:00:05.69 ===============


#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 August 2011 - 12:15 AM

Hi,

If help is still needed, post fresh DDS logs, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Eric Easterly
  • Topic Starter

  • Members
  • 22 posts

Posted 16 August 2011 - 03:10 PM

OK, will do when I get home.

Also, XP Internet Security 2012 came back, so something is still left somewhere.

#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 August 2011 - 11:41 PM

OK, I shall wait for the logs.


#5 Eric Easterly
  • Topic Starter

  • Members
  • 22 posts

Posted 17 August 2011 - 11:50 AM

OK, sorry about that. Here is my new log.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by PAPASCOTT at 9:42:56 on 2011-08-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.225 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\dimsroam32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ativcoxx32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Zune\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\papasc~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\papascott\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kbdtuq32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62141
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\documents and settings\papascott\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin6.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: XUL Cache: {8d523f01-8c77-4d32-a2b5-5c7d5c16d918} - %profile%\extensions\{8d523f01-8c77-4d32-a2b5-5c7d5c16d918}
FF - Ext: XUL Cache: {20f4251a-b568-4e4b-9431-b493c9cbce65} - %profile%\extensions\{20f4251a-b568-4e4b-9431-b493c9cbce65}
FF - Ext: XUL Cache: {f94bd665-e39d-4173-8940-5c196edeee68} - %profile%\extensions\{f94bd665-e39d-4173-8940-5c196edeee68}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R2 NtLmSsp32;NT LM Security Support Provider ;c:\windows\system32\dimsroam32.exe [2011-8-15 706560]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 41272]
.
=============== Created Last 30 ================
.
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\papascott\local settings\application data\ygse.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\papascott\local settings\application data\njyo.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\papascott\local settings\application data\lvcm.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\owce.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\lljg.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\papascott\local settings\application data\oamq.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-10 18:39:19 329216 ----a-w- c:\documents and settings\papascott\local settings\application data\sbr.dl_
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
2011-07-24 07:28:04 0 ---ha-w- c:\documents and settings\papascott\jenalnblsh.tmp
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-03 06:53:32 2885905 -c--a-w- c:\program files\gozilla.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 9:47:03.57 ===============
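The two DDS logs posted above (the first in post #1, the second in post #5) carry several indicators a responder would flag by eye: the exefile association wrapped around xxq.exe, dRun entries launching from c:\windows\temp and a profile's Application Data folder, an AppInit_DLLs entry, a Firefox HTTP proxy pointed at 127.0.0.1, a service named NtLmSsp32 whose display name is that of the genuine XP NtLmSsp service but whose binary is a freshly created dimsroam32.exe, and legitimate images listed a second time with a space before .exe, which is not the real file name. The script below is an added example written for this page, not a tool from the thread, from DDS, or from BleepingComputer; it encodes those indicators as heuristics and runs them over a constructed sample made of lines copied from the posted logs. The tag names, the one-entry table of known XP service names, the "user-writable directory" pattern and the cross-reference against the "Created Last 30" section are this example's own choices.

```python
"""Flag the indicators visible in the DDS logs posted in this thread.

Added example for this page; not part of DDS, ComboFix or the thread.
Tag names, the known-service table and the directory pattern are this
example's own choices, not DDS conventions.
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the posted logs (a subset, not a full log).
SAMPLE_LOG = r"""
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM .exe
C:\WINDOWS\system32\dimsroam32.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
dRun: [8DDYX0ZBPZ] c:\windows\temp\Azh.exe
dRun: [4275797212] c:\documents and settings\networkservice.nt authority\local settings\application data\xxq.exe
AppInit_DLLs: c:\windows\system32\kbdtuq32.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62141
exefile="c:\documents and settings\networkservice.nt authority\local settings\application data\xxq.exe" -a "%1" %*
R2 NtLmSsp32;NT LM Security Support Provider ;c:\windows\system32\dimsroam32.exe [2011-8-15 706560]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
"""

RUN_RE = re.compile(r"^[umd]Run: \[[^\]]+\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS][0-9?] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\d+ \S+ (?P<path>.+)$")
PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.http - (?P<host>\S+)$")
# Autorun targets under %TEMP% or a profile's "Application Data" tree (this example's pattern).
USER_WRITABLE = re.compile(r"\\(temp|application data)\\[^\\]+\.exe$", re.I)
EXEFILE_DEFAULT = 'exefile="%1" %*'  # XP's stock .exe association
# Display name -> genuine XP service name. One entry; extend as needed (example's own table).
KNOWN_XP_SERVICES = {"nt lm security support provider": "ntlmssp"}


def first_path(cmd: str) -> str:
    """Return the executable path at the start of a command line, quotes and args stripped."""
    m = re.match(r'"?(?P<p>.+?\.exe)', cmd, re.I)
    return m.group("p") if m else cmd


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (tag, line) pairs for every line that trips one of the heuristics."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Files DDS reports as created in the last 30 days; used to cross-check autoruns/services.
    created = {m.group("path").lower() for ln in lines if (m := CREATED_RE.match(ln))}
    findings: List[Tuple[str, str]] = []
    for ln in lines:
        low = ln.lower()
        # "HydraDM .exe" is not "HydraDM.exe": a second entry with a space before the extension.
        if re.search(r"\S \.exe$", low):
            findings.append(("space-before-ext", ln))
        # Running process whose image was created within the last 30 days.
        if re.match(r"^[a-z]:\\", low) and first_path(ln).lower() in created:
            findings.append(("process-recent-binary", ln))
        if m := RUN_RE.match(ln):
            p = first_path(m.group("cmd"))
            if USER_WRITABLE.search(p):
                findings.append(("autorun-user-writable", ln))
            if p.lower() in created:
                findings.append(("autorun-recent-binary", ln))
        if low.startswith("appinit_dlls:"):
            val = ln.split(":", 1)[1].strip()
            if val:  # any non-empty AppInit_DLLs loads into every GUI process
                tag = "appinit-recent-dll" if val.lower() in created else "appinit-dlls"
                findings.append((tag, ln))
        if low.startswith("exefile=") and ln != EXEFILE_DEFAULT:
            findings.append(("exefile-hijack", ln))  # something wraps every .exe launch
        if m := PROXY_RE.match(ln):
            if m.group("host") in ("127.0.0.1", "localhost"):
                findings.append(("localhost-proxy", ln))  # browser traffic routed through a local listener
        if m := SVC_RE.match(ln):
            name = m.group("name").lower()
            display = m.group("display").strip().lower()
            expected = KNOWN_XP_SERVICES.get(display)
            if expected and name != expected:
                findings.append(("service-name-mimic", ln))
            if m.group("path").lower() in created:
                findings.append(("service-recent-binary", ln))
    return findings


def tags(log_text: str) -> List[str]:
    """Sorted, de-duplicated list of tags raised for a log."""
    return sorted({t for t, _ in analyze(log_text)})


if __name__ == "__main__":
    for tag, line in analyze(SAMPLE_LOG):
        print(f"{tag:24} {line}")
```

Each finding is a lead to verify on disk, not a verdict: the script cannot see file contents or signatures. The cross-reference against the "Created Last 30" section is the most useful single heuristic here, since it ties the NtLmSsp32 service, the AppInit DLL and the dimsroam32.exe process back to the same 2011-08-16 05:07 drop.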

#6 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 August 2011 - 03:11 PM

Hi,

BitComet

The above listed ones are P2P file-sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file-sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


#7 Eric Easterly
  • Topic Starter

  • Members
  • 22 posts

Posted 17 August 2011 - 06:00 PM

New DDS
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by PAPASCOTT at 15:56:34 on 2011-08-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.51 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ativcoxx32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Zune\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\dimsroam32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\papasc~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\papascott\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kbdtuq32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62141
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\documents and settings\papascott\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R2 NtLmSsp32;NT LM Security Support Provider ;c:\windows\system32\dimsroam32.exe [2011-8-15 706560]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 41272]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-17 22:09:20 -------- dcsha-r- C:\cmdcons
2011-08-17 21:58:06 98816 -c--a-w- c:\windows\sed.exe
2011-08-17 21:58:06 518144 -c--a-w- c:\windows\SWREG.exe
2011-08-17 21:58:06 256000 -c--a-w- c:\windows\PEV.exe
2011-08-17 21:58:06 208896 -c--a-w- c:\windows\MBR.exe
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\owce.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\lljg.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-03 06:53:32 2885905 -c--a-w- c:\program files\gozilla.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 15:59:08.72 ===============


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:51 PM

Posted 18 August 2011 - 12:06 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic413872.html
DDS::
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
AppInit_DLLs: c:\windows\system32\kbdtuq32.dll
Driver::
NtLmSsp32
Collect::
c:\windows\system32\ativcoxx32.exe
c:\windows\system32\kbdtuq32.dll
c:\windows\system32\dimsroam32.exe
c:\documents and settings\all users.windows\application data\smdy.exe
c:\documents and settings\all users.windows\application data\owce.exe
c:\documents and settings\all users.windows\application data\lljg.exe
c:\documents and settings\all users.windows\application data\wgiu.exe
c:\windows\system32\vxblock3.dll
Firefox::
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62141
FF - prefs.js: network.proxy.type - 0
RenV::
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\ATI Technologies\HydraVision\HydraDM .exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security Protection]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vkkbkpth]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.



Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

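Added example (not from the thread, and not code from DDS or ComboFix): a small Python triage script that parses constructed DDS-style log lines, modelled on the logs posted above, and flags the same kinds of leads the CFScript in this post acted on: a populated AppInit_DLLs value, a Firefox HTTP proxy on 127.0.0.1, a service whose binary appeared in the last 30 days, zero-byte executables, and several fresh executables of identical size under different names. The section banners, regexes and rules are my assumptions about the DDS output format, not a DDS specification.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the DDS sections quoted in this thread.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============
AppInit_DLLs: c:\windows\system32\kbdtuq32.dll
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62141
============= SERVICES / DRIVERS ===============
R2 NtLmSsp32;NT LM Security Support Provider ;c:\windows\system32\dimsroam32.exe [2011-8-15 706560]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
=============== Created Last 30 ================
2011-08-17 22:09:20 -------- dcsha-r- C:\cmdcons
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
"""

# Assumed shapes of the DDS lines (derived from the logs in this thread).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".com")


def split_sections(text):
    """Group log lines under the '=== NAME ===' banners that DDS prints."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def parse_created(lines):
    """'Created Last 30' rows -> (timestamp, size or None for dirs, attrs, path)."""
    rows = []
    for m in filter(None, map(CREATED_RE.match, lines)):
        ts, size, attrs, path = m.groups()
        rows.append((ts, int(size) if size.isdigit() else None, attrs, path.lower()))
    return rows


def parse_services(lines):
    """Service/driver rows -> (state, name, display name, image path)."""
    rows = []
    for m in filter(None, map(SERVICE_RE.match, lines)):
        state, name, display, rest = m.groups()
        # The image path is everything before the trailing "[date size]".
        rows.append((state, name, display.strip(), rest.rsplit(" [", 1)[0].lower()))
    return rows


def triage(text):
    """Return (rule, detail) leads for an analyst; none of them is a verdict."""
    s = split_sections(text)
    findings = []
    # AppInit_DLLs is loaded into every process that maps user32.dll; a
    # populated value on a home XP box is almost always a dropped DLL.
    for line in s.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            findings.append(("appinit_dll", line.split(":", 1)[1].strip()))
    # An HTTP proxy on loopback is how redirect malware interposes itself
    # between the browser and the network; report host and port together.
    prefs = dict(m.groups() for m in map(PREF_RE.match, s.get("FIREFOX", [])) if m)
    if prefs.get("network.proxy.http") in ("127.0.0.1", "localhost"):
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(("loopback_proxy", f"{prefs['network.proxy.http']}:{port}"))
    created = parse_created(s.get("Created Last 30", []))
    recent = {path for _, _, _, path in created}
    # A service binary that appeared within 30 days is either a tool the user
    # just installed (hitmanpro35) or a dropper posing as a built-in service
    # (NtLmSsp32 -> dimsroam32.exe); the analyst has to tell them apart.
    for _, name, _, path in parse_services(s.get("SERVICES / DRIVERS", [])):
        if path in recent:
            findings.append(("recently_dropped_service", f"{name} -> {path}"))
    by_size = defaultdict(set)
    for _, size, _, path in created:
        if not path.endswith(EXEC_EXT):
            continue
        if size == 0:  # zero-byte executables are dropper leftovers/decoys
            findings.append(("zero_byte_exe", path))
        elif size:
            by_size[size].add(path)
    # Fresh executables of identical size under unrelated random names
    # usually means one payload copied to several places.
    for size, paths in sorted(by_size.items()):
        if len(paths) > 1:
            findings.append(("same_size_siblings", f"{size} bytes: {', '.join(sorted(paths))}"))
    return findings
```

On the sample, the recently-dropped-service rule fires for both hitmanpro35 and NtLmSsp32, which is the point: the script produces leads for the helper to review, not a cleaning list.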


#9 Eric Easterly

Eric Easterly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 18 August 2011 - 08:48 PM

DDS

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by PAPASCOTT at 18:44:55 on 2011-08-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.91 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\papasc~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\papascott\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\papasc~1\locals~1\temp\cfcatchme.sys --> c:\docume~1\papasc~1\locals~1\temp\CFcatchme.sys [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 41272]
.
=============== Created Last 30 ================
.
2011-08-18 23:19:53 -------- d-----w- c:\program files\ESET
2011-08-18 23:13:04 128000 -c--a-w- c:\windows\system32\javacpl.cpl
2011-08-18 22:49:44 -------- dc----w- C:\8fc3c13f1b4cbc8d7b7f62692447a3e8
2011-08-18 22:42:43 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-18 21:33:21 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 22:09:20 -------- dcsha-r- C:\cmdcons
2011-08-17 21:58:06 98816 -c--a-w- c:\windows\sed.exe
2011-08-17 21:58:06 518144 -c--a-w- c:\windows\SWREG.exe
2011-08-17 21:58:06 256000 -c--a-w- c:\windows\PEV.exe
2011-08-17 21:58:06 208896 -c--a-w- c:\windows\MBR.exe
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\owce.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\lljg.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-18 23:12:01 544656 -c--a-w- c:\windows\system32\deployJava1.dll
2011-07-08 14:02:00 10496 -c--a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-23 18:36:30 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 -c--a-w- c:\windows\system32\html.iec
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-03 06:53:32 2885905 -c--a-w- c:\program files\gozilla.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 18:47:13.31 ===============


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:51 PM

Posted 19 August 2011 - 12:05 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\ativcoxx32.exe
c:\windows\system32\kbdtuq32.dll
c:\windows\system32\dimsroam32.exe
c:\documents and settings\all users.windows\application data\smdy.exe
c:\documents and settings\all users.windows\application data\owce.exe
c:\documents and settings\all users.windows\application data\lljg.exe
c:\documents and settings\all users.windows\application data\wgiu.exe
c:\windows\system32\vxblock3.dll
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\12\5ebac80c-5df84d9b
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\50\16ae3272-3d4ae29d-temp
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\6\6c6f4fc6-73860a02
C:\Documents and Settings\PAPASCOTT\Desktop\screen savers\gamingharbor_installer.exe
C:\Documents and Settings\PAPASCOTT\Desktop\screen savers\jkz2-28-planet_earth.exe
C:\Program Files\gozilla.exe
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110730-010027-641.dll
C:\WINDOWS\Fonts\QL6Yy4.com_


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log + fresh dds.txt log. How's the system running?



#11 Eric Easterly

Eric Easterly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 19 August 2011 - 01:49 PM

New DDS. ComboFix also gave me something to manually submit malware for further analysis; I will post that as well. Otherwise the computer seems to be running better.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by PAPASCOTT at 11:41:22 on 2011-08-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.63 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\papasc~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\papascott\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-18 136176]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\papasc~1\locals~1\temp\cfcatchme.sys --> c:\docume~1\papasc~1\locals~1\temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-18 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 41272]
.
=============== Created Last 30 ================
.
2011-08-19 11:25:14 -------- d-----w- c:\documents and settings\papascott\local settings\application data\Sun
2011-08-18 23:19:53 -------- d-----w- c:\program files\ESET
2011-08-18 23:13:04 128000 -c--a-w- c:\windows\system32\javacpl.cpl
2011-08-18 22:49:44 -------- dc----w- C:\8fc3c13f1b4cbc8d7b7f62692447a3e8
2011-08-18 22:42:43 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-18 21:35:21 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 21:33:21 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 22:09:20 -------- dcsha-r- C:\cmdcons
2011-08-17 21:58:06 98816 -c--a-w- c:\windows\sed.exe
2011-08-17 21:58:06 518144 -c--a-w- c:\windows\SWREG.exe
2011-08-17 21:58:06 256000 -c--a-w- c:\windows\PEV.exe
2011-08-17 21:58:06 208896 -c--a-w- c:\windows\MBR.exe
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\owce.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\lljg.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-19 17:23:13 2885905 -c--a-w- c:\program files\gozilla.exe
2011-08-18 23:12:01 544656 -c--a-w- c:\windows\system32\deployJava1.dll
2011-07-15 13:29:31 456320 -c--a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 -c--a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-24 14:10:36 139656 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 -c--a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 -c--a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 11:43:36.17 ===============


#12 Eric Easterly

Eric Easterly
  • Topic Starter

  • Members
  • 22 posts

Posted 19 August 2011 - 01:52 PM

Sorry, forgot to say I tried to submit it manually myself but it said that the file size was larger than the max size of 5 MB.

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 August 2011 - 02:40 PM

Hi,

Please run ComboFix with that cfscript in my previous post again letting ComboFix update itself if/when prompted.



#14 Eric Easterly

Eric Easterly
  • Topic Starter

  • Members
  • 22 posts

Posted 19 August 2011 - 04:43 PM

OK done

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by PAPASCOTT at 14:40:39 on 2011-08-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.384.43 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\PAPASCOTT\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\papasc~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\papascott\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links using BitComet
IE: Download link using &BitComet
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://f:\content\include\XPPatchInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196414922455
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://f:\content\include\msSecUcd.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1ED6CB8-280A-4597-A1B2-532196F23D78} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\papascott\application data\mozilla\firefox\profiles\5lokreq8.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-18 136176]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\papasc~1\locals~1\temp\cfcatchme.sys --> c:\docume~1\papasc~1\locals~1\temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-18 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-8-10 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-28 41272]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-19 20:46:30 -------- d-----w- c:\documents and settings\papascott\local settings\application data\Temp
2011-08-19 11:25:14 -------- d-----w- c:\documents and settings\papascott\local settings\application data\Sun
2011-08-18 23:19:53 -------- d-----w- c:\program files\ESET
2011-08-18 23:13:04 128000 -c--a-w- c:\windows\system32\javacpl.cpl
2011-08-18 22:49:44 -------- dc----w- C:\8fc3c13f1b4cbc8d7b7f62692447a3e8
2011-08-18 22:42:43 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-18 21:35:21 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 21:33:21 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 22:09:20 -------- dcsha-r- C:\cmdcons
2011-08-17 21:58:06 98816 -c--a-w- c:\windows\sed.exe
2011-08-17 21:58:06 518144 -c--a-w- c:\windows\SWREG.exe
2011-08-17 21:58:06 256000 -c--a-w- c:\windows\PEV.exe
2011-08-17 21:58:06 208896 -c--a-w- c:\windows\MBR.exe
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\owce.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\lljg.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-10 22:49:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-10 22:38:44 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-PT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\pt-BR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\nl-NL
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\it-IT
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\fr-FR
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\es-ES
2011-08-03 06:12:52 -------- dc----w- c:\windows\system32\de-DE
2011-08-03 06:00:52 16928 -c----w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-03 05:57:21 -------- dc----w- c:\windows\system32\drivers\umdf\en-US
2011-08-03 04:21:21 -------- dc----w- C:\14a413497be6e71cc32a04a764
2011-07-30 07:36:53 388096 ----a-r- c:\documents and settings\papascott\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 07:36:44 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-08-19 17:23:13 2885905 -c--a-w- c:\program files\gozilla.exe
2011-08-18 23:12:01 544656 -c--a-w- c:\windows\system32\deployJava1.dll
2011-07-15 13:29:31 456320 -c--a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 -c--a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 21:54:15 683801 -c--a-w- c:\windows\unins000.exe
2011-06-24 14:10:36 139656 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 -c--a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 -c--a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 -c--a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 -c--a-w- c:\windows\system32\win32k.sys
2001-10-19 03:49:32 988059 -c--a-w- c:\program files\HLSetup.exe
2001-10-19 03:43:36 126031 -c--a-w- c:\program files\DeskFlagSetup.exe
2001-09-02 08:18:04 4216083 -c--a-w- c:\program files\f_x86t32.exe
2001-09-02 07:49:24 2396087 -c--a-w- c:\program files\cuteftppro.exe
1997-05-27 06:26:34 1960383 -c--a-w- c:\program files\scrabble.exe
1996-10-26 07:27:34 263168 -c--a-w- c:\program files\MplayNow.exe
1996-01-31 22:10:58 24576 -c--a-w- c:\program files\_ISREG32.DLL
.
============= FINISH: 14:42:41.22 ===============


#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 August 2011 - 04:54 PM

Hi,


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete these files if found (Note: pay attention to the filenames so you do not delete the wrong ones!):
c:\windows\system32\ativcoxx32.exe
c:\windows\system32\kbdtuq32.dll
c:\windows\system32\dimsroam32.exe
c:\documents and settings\all users.windows\application data\smdy.exe
c:\documents and settings\all users.windows\application data\owce.exe
c:\documents and settings\all users.windows\application data\lljg.exe
c:\documents and settings\all users.windows\application data\wgiu.exe
c:\windows\system32\vxblock3.dll
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\12\5ebac80c-5df84d9b
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\50\16ae3272-3d4ae29d-temp
C:\Documents and Settings\PAPASCOTT\Application Data\Sun\Java\Deployment\cache\6.0\6\6c6f4fc6-73860a02
C:\Documents and Settings\PAPASCOTT\Desktop\screen savers\gamingharbor_installer.exe
C:\Documents and Settings\PAPASCOTT\Desktop\screen savers\jkz2-28-planet_earth.exe
C:\Program Files\gozilla.exe
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110730-010027-641.dll
C:\WINDOWS\Fonts\QL6Yy4.com_

When done, re-run DDS and post back its log.

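Both the CFScript file list earlier in the thread and the "Delete these files if found" list in this post were picked out of the DDS "Created Last 30" section of the posted logs. As an added example (not part of the thread, not code from DDS or ComboFix), the Python script below parses lines in that DDS format and applies three triage heuristics that surface the same kind of entry: zero-byte executables in a data directory, hidden+system files under system32, and several executables written within the same minute. The heuristics, the sample lines (copied in shape from the logs posted in this thread, including the zero-byte smdy.exe/wgiu.exe and the -csha-r- vxblock3.dll) and the reading of the attribute string (s = system, h = hidden, matching the C:\cmdcons entry shown as dcsha-r-) are my assumptions. It reports entries worth a closer look and deletes nothing.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One DDS file-listing line: <date> <time> <size or --------> <8 attr flags> <path>
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) (\S{8}) (.+)$"
)

# Extensions treated as executable content for triage purposes (assumption).
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".cpl")

# Constructed sample in DDS "Created Last 30" shape, modelled on the logs
# posted in this thread.
SAMPLE_DDS = r"""
2011-08-16 05:07:15 706560 -c--a-w- c:\windows\system32\ativcoxx32.exe
2011-08-16 05:07:13 155136 -c--a-w- c:\windows\system32\kbdtuq32.dll
2011-08-16 05:07:08 706560 -c--a-w- c:\windows\system32\dimsroam32.exe
2011-08-16 05:06:52 0 ----a-w- c:\documents and settings\all users.windows\application data\smdy.exe
2011-08-16 05:06:51 0 ----a-w- c:\documents and settings\all users.windows\application data\wgiu.exe
2011-08-10 22:57:15 65024 -csha-r- c:\windows\system32\vxblock3.dll
2011-08-10 22:49:25 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-18 23:13:04 128000 -c--a-w- c:\windows\system32\javacpl.cpl
2011-08-18 23:19:53 -------- d-----w- c:\program files\ESET
"""


@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories (DDS prints -------- as size)
    flags: str            # DDS attribute string, e.g. "-csha-r-"
    path: str             # lower-cased path

    @property
    def is_dir(self) -> bool:
        # Assumption: first flag position is 'd' for directories (cf. C:\cmdcons dcsha-r-)
        return self.flags[0] == "d"

    @property
    def is_exec(self) -> bool:
        return not self.is_dir and self.path.endswith(EXEC_EXT)


def parse_dds_created(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; lines that do not match the format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, flags, path = m.groups()
        entries.append(Entry(
            when=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            flags=flags,
            path=path.strip().lower(),
        ))
    return entries


def triage(entries: List[Entry], window_s: int = 60, burst_min: int = 3) -> Dict[str, List[str]]:
    """Map each flagged path to the list of heuristic reasons it was flagged."""
    findings: Dict[str, List[str]] = {}

    def note(e: Entry, reason: str) -> None:
        findings.setdefault(e.path, []).append(reason)

    execs = [e for e in entries if e.is_exec]
    for e in execs:
        # Heuristic 1: a zero-byte executable is never a finished, legitimate install.
        if e.size == 0:
            note(e, "zero-byte executable")
        # Heuristic 2: hidden + system attributes on a loose file under system32.
        if "s" in e.flags and "h" in e.flags and "\\system32\\" in e.path:
            note(e, "hidden+system file in system32")
        # Heuristic 3: a burst of executables written within one short window
        # (counts the entry itself, so burst_min=3 means at least two neighbours).
        near = [o for o in execs if abs((o.when - e.when).total_seconds()) <= window_s]
        if len(near) >= burst_min:
            note(e, f"one of {len(near)} executables created within {window_s}s")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_dds_created(SAMPLE_DDS)).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a real dds.txt by passing the "Created Last 30" and "Find3M" sections to parse_dds_created; anything it flags still needs a human (or a scan) to confirm before deletion, which is exactly why the helper's list is worded "if found".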




