

Infected With Possible Trojan Or Browser Hijacker Attempt?


This topic is locked
31 replies to this topic

#1 David Pearce


Posted 22 November 2006 - 09:19 AM

Dear HijackThis,

Every time I turn on the computer, a box would appear saying something like: C:\\WINDOWS run32...etc....etc.

I would NOT click on the "ok" box to run it.

The problem I found was that every time I was on the internet, it would often say "The page cannot be displayed" and I would have to click refresh and keep clicking the "GO" button on the browser several times before the page would finally load.

I do a lot of internet banking and have stopped since this problem. I have also found that with sites such as PayPal, parts of the site don't work. Also, I have telephoned PayPal and they think that it is a bug/hijacker attempt on my computer.

On email accounts, I have a "sign-in seal" (Yahoo), and there have been a few times when this will not be there. Again, I've had to reload the page until it is there.

I feel that the computer has been hijacked as the internet pages I often want have to be reloaded several times before they appear. I have followed all the instructions set out by Bleeping Computers, and have recently installed a Firewall that seems to go crazy all the time!!

I hope the below information helps, and I very much look forward to hearing from you.

Below are the results from the scan:

Logfile of HijackThis v1.99.1
Scan saved at 14:05:44, on 22/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\olecnf.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Services] C:\sxe39.tmp
O4 - HKLM\..\Run: [IRQ Assigning Agent] IRQconf.exe
O4 - HKLM\..\Run: [APRfx] C:\WINDOWS\System32\lzxconf.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [msnmsg32] C:\WINDOWS\System32\olecnf.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] Erun.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [IRQ Assigning Agent] IRQconf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0d\aoltray.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125437944562
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe (file missing)


#2 Buckeye_Sam

Malware Expert

Posted 22 November 2006 - 11:29 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You've got some stinkers in your log. I'd be very cautious with your online banking until we can get this cleaned up.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
=============



Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
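Sam's "stinkers" are visible in the O4 section of the HijackThis log in post #1, and the tells a helper looks for (an entry under the Win9x-era RunServices key, a bare filename with no path, a .tmp or .pif as the autorun target, a misspelled vendor name, a file sitting in the drive root, one executable registered under several keys) can be checked mechanically. The script below is an added example, not part of this thread or of HijackThis: the sample lines are copied from the posted log, the weights are the example's own choice, and entries such as lzxconf.exe and olecnf.exe score nothing here, which is why a score is a prompt to look closer rather than a verdict.

```python
"""Triage heuristics for the O4 (autorun) lines of a HijackThis log.
Added example, not part of HijackThis or of this thread; the sample lines are
copied from post #1 and the weights are this example's own choice."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry-backed O4 lines look like "O4 - HKLM\..\Run: [value name] command";
# Global Startup (.lnk) lines have another shape and are skipped.
LINE_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First program in a command, quoted or not, even when its path contains spaces.
EXE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|pif|scr|bat|cmd|tmp|dll))"?(?=\s|$)', re.I)
RISKY_EXT = {'tmp', 'pif', 'scr', 'bat', 'cmd'}

@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str

def executable_of(command: str) -> str:
    """The program a Run value actually launches: first path, quotes stripped."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m['path']
    return command.strip('"').split()[0] if command else ''

def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()

def parse_o4_lines(log_text: str) -> list:
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m['hive'], m['key'], m['name'], executable_of(m['cmd'])))
    return entries

def score_entry(e: AutorunEntry, multi_key: set) -> list:
    """(reason, weight) pairs for one entry; an empty list means nothing stood out."""
    base = basename(e.exe)
    ext = base.rsplit('.', 1)[-1] if '.' in base else ''
    reasons = []
    if e.key.lower() == 'runservices':
        # Windows 9x key that XP never processes; legitimate XP software has no reason to use it.
        reasons.append(('RunServices key (Win9x-era, unused on XP)', 2))
    if '\\' not in e.exe:
        reasons.append(('bare filename, resolved through the PATH search', 1))
    elif re.fullmatch(r'[a-z]:\\[^\\]+', e.exe, re.I):
        reasons.append(('executable sits in the drive root', 2))
    if ext in RISKY_EXT:
        reasons.append((f'.{ext} file as an autorun target', 2))
    if any(w.lower().startswith('microsoft') and w.lower() != 'microsoft'
           for w in e.name.split()):
        reasons.append(('value name contains a misspelled "Microsoft"', 2))
    if re.search(r'[a-z]0[a-z]', e.name, re.I):
        reasons.append(('digit used in place of a letter in the value name', 2))
    if base in multi_key:
        reasons.append(('same executable registered under several autorun keys', 2))
    return reasons

def triage(log_text: str, threshold: int = 2) -> list:
    """Entries scoring >= threshold, highest first, as (entry, score, reasons)."""
    entries = parse_o4_lines(log_text)
    keys_by_exe = defaultdict(set)
    for e in entries:
        keys_by_exe[basename(e.exe)].add((e.hive, e.key.lower()))
    multi_key = {b for b, keys in keys_by_exe.items() if len(keys) > 1}
    hits = []
    for e in entries:
        scored = score_entry(e, multi_key)
        total = sum(w for _, w in scored)
        if total >= threshold:
            hits.append((e, total, [r for r, _ in scored]))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits

# Constructed sample: a subset of the O4 lines from the HijackThis log in post #1.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Services] C:\sxe39.tmp
O4 - HKLM\..\Run: [IRQ Assigning Agent] IRQconf.exe
O4 - HKLM\..\Run: [APRfx] C:\WINDOWS\System32\lzxconf.exe
O4 - HKLM\..\Run: [msnmsg32] C:\WINDOWS\System32\olecnf.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] Erun.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [IRQ Assigning Agent] IRQconf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
'''

if __name__ == '__main__':
    for e, score, reasons in triage(SAMPLE_LOG):
        print(f'{score:2d}  [{e.name}] {e.exe}  ({e.hive}\\{e.key}): ' + '; '.join(reasons))
```

Run directly it prints the five flagged entries with their reasons; paste a full log into `triage()` to rank every registry-backed O4 line.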

#3 David Pearce


Posted 22 November 2006 - 12:00 PM

Hi Sam,

I'm glad you're here to help me!

Unfortunately, I can't download the F-Secure online scanner!! I have been to the page, and have clicked to download it. It says that I can't download as I don't have ActiveX running. I then follow the instructions set out by the website, and I can't "accept" the rights, and I can't find the "yellow bit" under the address bar to turn it on to allow!

Do you have any ideas as to what I can do?

Thanks again!

#4 Buckeye_Sam

Malware Expert

Posted 22 November 2006 - 12:03 PM

That's ok. Let's go a different route.

Please download Bit Defender 8 Free Edition
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Also post the log from Combofix.

#5 David Pearce


Posted 22 November 2006 - 01:59 PM

Hi Sam,

Here are the results from the scans I did. The first one is from BitDefender 8 and the second from Combofix. I appreciate you taking the time to look over my PC, and I sure hope that the poor thing can be fixed!!

Thanks again for your help!!

BitDefender 8:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 22/11/2006 17:42:52
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 3483
Files : 180713
Archives : 6916
Packed files : 14481
Identified viruses : 4
Infected files : 6
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 4
Renamed files : 0
I/O errors : 27
Scan time : 00:55:27
Scan speed (files/sec) : 54

Virus definitions : 317610
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 6
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\lmpo.exe Infected Generic.Ranky.85D766B3
C:\lmpo.exe Disinfection failed
C:\lmpo.exe Moved
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\securaq.exe Detected: Application.HideWindow.B
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\securaq.exe Disinfection failed
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\securaq.exe Move failed
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\tskdig.exe Infected Backdoor.IRC
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\tskdig.exe Disinfection failed
C:\mediaplayer.exe._eac_qt_=>(Instyler o)=>%appfolder%\tskdig.exe Move failed
C:\Program Files\Yahoo!\YPSR\Quarantine\20061022174705.zip=>WINDOWS/system32/a.exe Infected DeepScan:Generic.Malware.G!SI!!Wdldg.6991A612
C:\Program Files\Yahoo!\YPSR\Quarantine\20061022174705.zip=>WINDOWS/system32/a.exe Disinfection failed
C:\Program Files\Yahoo!\YPSR\Quarantine\20061022174705.zip Moved
C:\WINDOWS\system32\lzxconf32.exe Infected Generic.Ranky.85D766B3
C:\WINDOWS\system32\lzxconf32.exe Disinfection failed
C:\WINDOWS\system32\lzxconf32.exe Moved
C:\WINDOWS\system32\securaq.exe._eac_qt_ Detected: Application.HideWindow.B
C:\WINDOWS\system32\securaq.exe._eac_qt_ Disinfection failed
C:\WINDOWS\system32\securaq.exe._eac_qt_ Moved

----------------------------------------------------------------------------------------------------------------------------

Combofix Results:

Owner - 06-11-22 18:49:38.18 Service Pack 1
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


2006-11-22 18:49 360 --a------ C:\Combo.bat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-22 17:17 -------- d-------- C:\Program Files\Common Files
2006-11-14 18:06 -------- d-------- C:\Program Files\MSN Messenger
2006-11-14 14:17 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-13 14:24 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-10 20:25 -------- d-------- C:\Program Files\Lexmark X1100 Series
2006-11-04 11:55 -------- d-------- C:\Program Files\NetMeeting
2006-10-19 15:04 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-19 06:12 9840 --a------ C:\WINDOWS\system32\pfplgprx.dll
2006-10-19 06:12 5360 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2006-10-19 06:12 16272 --a------ C:\WINDOWS\system32\pfplgflt.dll
2006-10-10 15:34 5790 --a------ C:\WINDOWS\system32\kps001.sys
2006-10-04 07:46 -------- d-------- C:\Program Files\MSN
2006-10-04 07:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2006-09-21 15:42 618328 --a------ C:\WINDOWS\system32\WINSSWEBAGENT.DLL
2006-09-05 09:48 75064 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"CARPService"="carpserv.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"TV Now"="C:\\Program Files\\HPQ\\Notebook Utilities\\TvNow.exe /RK"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Services"="C:\\sxe39.tmp"
"IRQ Assigning Agent"="IRQconf.exe"
"APRfx"="C:\\WINDOWS\\System32\\lzxconf.exe"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"msnmsg32"="C:\\WINDOWS\\System32\\olecnf.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoftf DDEs Control"="Erun.pif"
"Microsoftf DDos Contr0l"="runs.pif"
"IRQ Assigning Agent"="IRQconf.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 06-11-22 18:50:33.66
C:\ComboFix.txt ... 06-11-22 18:50
C:\ComboFix2.txt ... 06-11-22 18:49

#6 Buckeye_Sam

Malware Expert

Posted 22 November 2006 - 03:34 PM

It looks like we may have a rootkit present.

Open notepad and copy and paste this text in it:
cd\
cd Windows\system32\drivers
DIR  /s /o:d > drivers.txt
start drivers.txt
cls
exit

Save this as drivers.bat, choosing to save it as *all files, and place it on your desktop.
Double-click on drivers.bat. A log should open up almost immediately. Copy this text and paste it here.


================


Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

#7 David Pearce


Posted 22 November 2006 - 04:29 PM

Hi Sam,

I have done the "drivers.bat" ok, and the results are below, as are the GMER results.

Here are the drivers.bat results:

Volume in drive C has no label.
Volume Serial Number is 0000-6AAC

Directory of C:\WINDOWS\system32\drivers

17/08/2001 07:13 27,164 CE3N5.SYS
17/08/2001 07:19 174,464 es198x.sys
17/08/2001 07:48 289,664 atimpab.sys
17/08/2001 08:48 5,120 MSPCLOCK.sys
17/08/2001 08:48 4,608 MSPQM.sys
17/08/2001 08:57 14,080 battc.sys
17/08/2001 08:58 25,472 AGP440.SYS
17/08/2001 08:58 9,344 compbatt.sys
17/08/2001 08:59 3,072 audstub.sys
17/08/2001 08:59 50,048 DMusic.sys
17/08/2001 09:00 54,272 swmidi.sys
17/08/2001 13:07 14,592 StreamIP.sys
17/08/2001 13:07 8,064 NdisIP.sys
17/08/2001 13:07 10,752 SLIP.sys
17/08/2001 13:07 18,560 WSTCODEC.SYS
17/08/2001 13:07 83,712 NABTSFEC.sys
17/08/2001 13:48 12,160 mouhid.sys
17/08/2001 14:02 9,600 hidusb.sys
17/08/2001 15:51 3,328 pciide.sys
17/08/2001 15:58 35,840 isapnp.sys
17/08/2001 20:46 6,400 enum1394.sys
17/08/2001 20:51 19,584 rasirda.sys
17/08/2001 20:51 55,296 irda.sys
17/08/2001 20:51 5,248 aliide.sys
17/08/2001 20:57 16,128 MODEMCSA.sys
17/12/2001 11:54 26,112 aliirda.sys
04/01/2002 17:10 19,012 atwpkt.sys
10/01/2002 16:40 28,396 wanatw4.sys
23/01/2002 13:08 54,222 cpqsetup.sys
26/02/2002 09:40 58,224 SYMEVENT.SYS
17/07/2002 11:09 14,504 hpci.sys
18/07/2002 13:07 23,602 atisgkaf.SYS
15/08/2002 23:31 471,168 ati2mtag.sys
28/08/2002 18:16 142,208 aec.sys
28/08/2002 20:09 13,184 CmBatt.sys
28/08/2002 20:27 7,040 MSKSSRV.sys
28/08/2002 20:32 5,888 splitter.sys
28/08/2002 20:32 159,360 kmixer.sys
28/08/2002 20:32 2,816 drmkaud.sys
28/08/2002 21:00 77,440 wdmaud.sys
28/08/2002 21:01 56,832 sysaudio.sys
29/08/2002 00:00 16,512 DP83815.sys
29/08/2002 00:27 4,992 MSTEE.sys
29/08/2002 00:32 57,856 drmk.sys
29/08/2002 00:32 44,416 stream.sys
29/08/2002 00:33 16,384 CCDECODE.sys
29/08/2002 00:48 14,208 usbscan.sys
29/08/2002 01:01 134,272 portcls.sys
29/08/2002 01:13 131,712 ks.sys
29/08/2002 01:32 21,760 USBSTOR.SYS
29/08/2002 01:50 24,960 usbprint.sys
29/08/2002 02:00 13,184 diskdump.sys
29/08/2002 02:00 33,792 disk.sys
29/08/2002 02:00 780,928 dmboot.sys
29/08/2002 02:00 146,304 dmio.sys
29/08/2002 02:00 5,888 dmload.sys
29/08/2002 02:00 32,512 amdk7.sys
29/08/2002 02:00 70,912 videoprt.sys
29/08/2002 02:00 135,552 usbport.sys
29/08/2002 02:00 31,488 crusoe.sys
29/08/2002 02:00 47,488 cdrom.sys
29/08/2002 02:00 15,232 usbintel.sys
29/08/2002 02:00 10,496 dxapi.sys
29/08/2002 02:00 68,992 dxg.sys
29/08/2002 02:00 3,328 dxgthk.sys
29/08/2002 02:00 51,968 usbhub.sys
29/08/2002 02:00 32,000 amdk6.sys
29/08/2002 02:00 19,712 vga.sys
29/08/2002 02:00 4,736 usbd.sys
29/08/2002 02:00 145,152 fastfat.sys
29/08/2002 02:00 26,240 fdc.sys
29/08/2002 02:00 34,944 fips.sys
29/08/2002 02:00 19,712 flpydisk.sys
29/08/2002 02:00 12,160 fsvga.sys
29/08/2002 02:00 7,936 fs_rec.sys
29/08/2002 02:00 125,056 ftdisk.sys
29/08/2002 02:00 3,440,660 gm.dls
29/08/2002 02:00 646 gmreadme.txt
29/08/2002 02:00 34,560 hidclass.sys
29/08/2002 02:00 23,680 hidparse.sys
29/08/2002 02:00 23,936 usbcamd2.sys
29/08/2002 02:00 59,648 cdfs.sys
29/08/2002 02:00 23,808 usbcamd.sys
29/08/2002 02:00 11,136 usb8023.sys
29/08/2002 02:00 137,088 update.sys
29/08/2002 02:00 64,000 udfs.sys
29/08/2002 02:00 9,856 tunmp.sys
29/08/2002 02:00 51,072 i8042prt.sys
29/08/2002 02:00 39,808 imapi.sys
29/08/2002 02:00 21,376 tsbvcap.sys
29/08/2002 02:00 32,896 ipfltdrv.sys
29/08/2002 02:00 19,584 ipinip.sys
29/08/2002 02:00 79,488 ipnat.sys
29/08/2002 02:00 57,984 ipsec.sys
29/08/2002 02:00 18,688 cdaudio.sys
29/08/2002 02:00 10,496 irenum.sys
29/08/2002 02:00 12,032 ws2ifsl.sys
29/08/2002 02:00 23,424 kbdclass.sys
29/08/2002 02:00 13,952 cbidf2k.sys
29/08/2002 02:00 11,776 cpqdap01.sys
29/08/2002 02:00 79,744 ksecdd.sys
29/08/2002 02:00 7,680 mcd.sys
29/08/2002 02:00 51,712 tosdvd.sys
29/08/2002 02:00 62,208 mf.sys
29/08/2002 02:00 20,232 tdtcp.sys
29/08/2002 02:00 4,224 mnmdd.sys
29/08/2002 02:00 28,800 modem.sys
29/08/2002 02:00 49,152 volsnap.sys
29/08/2002 02:00 22,016 mouclass.sys
29/08/2002 02:00 33,280 wanarp.sys
29/08/2002 02:00 37,504 mountmgr.sys
29/08/2002 02:00 172,672 mrxdav.sys
29/08/2002 02:00 57,344 arp1394.sys
29/08/2002 02:00 18,048 msfs.sys
29/08/2002 02:00 33,792 msgpc.sys
29/08/2002 02:00 68,864 bridge.sys
29/08/2002 02:00 11,144 tdpipe.sys
29/08/2002 02:00 4,224 beep.sys
29/08/2002 02:00 13,568 asyncmac.sys
29/08/2002 02:00 104,064 mup.sys
29/08/2002 02:00 131,968 afd.sys
29/08/2002 02:00 167,552 ndis.sys
29/08/2002 02:00 4,352 wmilib.sys
29/08/2002 02:00 9,600 ndistapi.sys
29/08/2002 02:00 12,288 ndisuio.sys
29/08/2002 02:00 87,552 ndiswan.sys
29/08/2002 02:00 38,016 ndproxy.sys
29/08/2002 02:00 33,152 netbios.sys
29/08/2002 02:00 157,056 netbt.sys
29/08/2002 02:00 57,984 nic1394.sys
29/08/2002 02:00 12,032 nikedrv.sys
29/08/2002 02:00 38,272 nmnt.sys
29/08/2002 02:00 29,568 npfs.sys
29/08/2002 02:00 561,920 ntfs.sys
29/08/2002 02:00 2,944 null.sys
29/08/2002 02:00 12,416 nwlnkflt.sys
29/08/2002 02:00 32,512 nwlnkfwd.sys
29/08/2002 02:00 84,864 nwlnkipx.sys
29/08/2002 02:00 63,232 nwlnknb.sys
29/08/2002 02:00 55,936 nwlnkspx.sys
29/08/2002 02:00 16,256 tdi.sys
29/08/2002 02:00 196,288 tcpip6.sys
29/08/2002 02:00 3,456 oprghdlr.sys
29/08/2002 02:00 37,504 p3.sys
29/08/2002 02:00 76,032 parport.sys
29/08/2002 02:00 18,688 partmgr.sys
29/08/2002 02:00 6,784 parvdm.sys
29/08/2002 02:00 332,928 tcpip.sys
29/08/2002 02:00 13,824 tape.sys
29/08/2002 02:00 57,216 atmarpc.sys
29/08/2002 02:00 115,712 pcmcia.sys
29/08/2002 02:00 262,528 cinemst2.sys
29/08/2002 02:00 30,592 processr.sys
29/08/2002 02:00 66,048 psched.sys
29/08/2002 02:00 17,792 ptilink.sys
29/08/2002 02:00 31,360 atmepvc.sys
29/08/2002 02:00 58,112 vdmindvd.sys
29/08/2002 02:00 8,832 rasacd.sys
29/08/2002 02:00 352,256 atmuni.sys
29/08/2002 02:00 48,384 rasl2tp.sys
29/08/2002 02:00 38,912 raspppoe.sys
29/08/2002 02:00 46,336 raspptp.sys
29/08/2002 02:00 16,512 raspti.sys
29/08/2002 02:00 34,432 rawwan.sys
29/08/2002 02:00 163,328 rdbss.sys
29/08/2002 02:00 4,224 rdpcdd.sys
29/08/2002 02:00 3,840 swenum.sys
29/08/2002 02:00 115,976 rdpwd.sys
29/08/2002 02:00 179,328 acpi.sys
29/08/2002 02:00 12,032 rio8drv.sys
29/08/2002 02:00 12,032 riodrv.sys
29/08/2002 02:00 200,064 RMCast.sys
29/08/2002 02:00 27,648 rndismp.sys
29/08/2002 02:00 5,888 rootmdm.sys
29/08/2002 02:00 90,240 scsiport.sys
29/08/2002 02:00 27,440 secdrv.sys
29/08/2002 02:00 14,976 serenum.sys
29/08/2002 02:00 62,464 serial.sys
29/08/2002 02:00 10,496 sfloppy.sys
29/08/2002 02:00 11,648 acpiec.sys
29/08/2002 02:00 14,592 smclib.sys
29/08/2002 02:00 407,552 mrxsmb.sys
29/08/2002 02:00 24,448 sonydcam.sys
29/08/2002 02:00 53,888 atmlane.sys
29/08/2002 02:00 69,248 sr.sys
29/08/2002 02:00 330,368 srv.sys
29/08/2002 02:00 19,328 usbuhci.sys
29/08/2002 02:00 46,336 classpnp.sys
29/08/2002 03:06 182,400 rdpdr.sys
29/08/2002 03:09 62,976 pci.sys
29/08/2002 03:27 4,736 intelide.sys
29/08/2002 03:27 23,680 pciidex.sys
29/08/2002 03:27 4,864 viaide.sys
29/08/2002 03:27 86,912 atapi.sys
29/08/2002 05:46 38,024 termdd.sys
29/08/2002 08:27 56,576 redbook.sys
29/08/2002 08:32 15,744 usbohci.sys
29/08/2002 08:33 55,680 ohci1394.sys
29/08/2002 08:33 50,560 1394bus.sys
10/09/2002 22:20 262,608 SynTP.sys
11/10/2002 15:52 14,543 DKbFltr.SYS
15/10/2002 08:50 29,451 oca_mrk.vbs
17/10/2002 01:00 57,344 Express.sys
05/11/2002 01:00 231,867 hpm0850.cty
27/11/2002 07:09 236,544 snpp106.sys
17/12/2002 11:27 206,464 udfreadr_xp.sys
17/12/2002 11:29 139,674 pwd_2K.sys
17/12/2002 11:29 30,630 Mmc_2k.sys
17/12/2002 11:29 25,930 Dvd_2k.sys
17/12/2002 11:32 23,436 cdralw2k.sys
17/12/2002 11:32 61,424 cdr4_xp.sys
07/04/2003 20:15 <DIR> disdn
09/04/2003 12:48 11,043 mdmxsdk.sys
21/05/2003 14:31 1,063,040 HSF_DP.sys
21/05/2003 14:32 631,296 HSF_CNXT.sys
21/05/2003 14:33 179,712 HSFHWALI.sys
21/05/2003 14:35 30,592 strmdisp.sys
18/06/2003 14:42 258,325 hpd002x.cty
28/08/2003 11:47 30,568 YP55r.sys
28/08/2003 11:48 30,504 StMp3Rec.sys
10/09/2003 17:50 241,280 cdudf_xp.sys
15/10/2003 16:47 8,552 asctrm.sys
17/02/2004 16:58 292,352 caliaud.sys
17/02/2004 16:59 273,536 calihal.sys
22/09/2004 17:46 18,944 wpdusb.sys
04/07/2005 12:58 14,848 avgntmgr.sys
23/02/2006 18:17 32,768 avgntdd.sys
14/06/2006 17:24 <DIR> etc
05/09/2006 16:03 3,968 AvgAsCln.sys
08/09/2006 10:19 11,648 pxscrmbl.sys
22/11/2006 20:41 <DIR> ..
22/11/2006 20:41 <DIR> .
22/11/2006 20:41 0 drivers.txt
229 File(s) 19,983,657 bytes

Directory of C:\WINDOWS\system32\drivers\disdn

07/04/2003 20:15 <DIR> ..
07/04/2003 20:15 <DIR> .
0 File(s) 0 bytes

Directory of C:\WINDOWS\system32\drivers\etc

29/08/2002 02:00 407 networks
29/08/2002 02:00 7,116 services
29/08/2002 02:00 3,683 lmhosts.sam
29/08/2002 02:00 799 protocol
07/01/2006 09:18 734 hosts.msn
14/06/2006 17:24 <DIR> ..
14/06/2006 17:24 <DIR> .
22/10/2006 16:50 734 hosts
6 File(s) 13,473 bytes

Total Files Listed:
235 File(s) 19,997,130 bytes
8 Dir(s) 10,656,833,536 bytes free

--------------------------------------------------------------------------------
GMER Results:

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-22 21:30:13
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 12 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes
.text ...
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033A2A
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72033BB5
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72033A99
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033A48
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 12 Bytes
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes
.text ...

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B8DB62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B8DB62A0] vsdatant.sys

---- EOF - GMER 1.0.12 ----

Edited by David Pearce, 22 November 2006 - 04:36 PM.


#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 November 2006 - 04:42 PM

That's ok, we might not need that log after all.

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 David Pearce
  • Topic Starter
  • Members
  • 21 posts

Posted 22 November 2006 - 05:00 PM

Hey Sam,

Scan done as requested - below are the results:

HAXFIX logfile - by Marckie

version 4.29
22/11/2006 21:53:15.69

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 November 2006 - 05:03 PM

Please follow these steps.

Option 2 autofix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.
Also post a new log from Combofix.


========================================================

#11 David Pearce
  • Topic Starter
  • Members
  • 21 posts

Posted 22 November 2006 - 05:18 PM

Hi Sam,

I did as you suggested, and the results came back as no viruses found.

I ran it twice, and twice the computer didn't close down/reboot - it just returned back to the red menu.

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 November 2006 - 05:32 PM

Ok, that's good.
Go ahead and post a new HijackThis log and a new log from Combofix so we can clean up the leftovers.


========================================================

#13 David Pearce
  • Topic Starter
  • Members
  • 21 posts

Posted 22 November 2006 - 05:48 PM

Hi Sam,

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:38:44, on 22/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\olecnf.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Services] C:\sxe39.tmp
O4 - HKLM\..\Run: [IRQ Assigning Agent] IRQconf.exe
O4 - HKLM\..\Run: [APRfx] C:\WINDOWS\System32\lzxconf.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [msnmsg32] C:\WINDOWS\System32\olecnf.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] Erun.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [IRQ Assigning Agent] IRQconf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0d\aoltray.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125437944562
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

------------------------------------------------------------------------------------------------------------------------

Here is the Combofix log:

Owner - 06-11-22 22:39:45.77 Service Pack 1
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


2006-11-22 21:53 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-11-22 21:53 7,483 --a------ C:\clean.bat
2006-11-22 21:53 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-22 21:53 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-11-22 21:53 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-11-22 21:52 <DIR> d-------- C:\Program Files\HaxFix
2006-11-22 20:49 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-22 17:19 <DIR> d--hs---- C:\Config.Msi
2006-11-22 17:19 <DIR> d-------- C:\Program Files\Softwin
2006-11-22 17:17 <DIR> d-------- C:\Program Files\Common Files\Softwin
2006-11-22 13:42 <DIR> d-------- C:\Program Files\HijackThis
2006-11-22 13:20 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-22 13:20 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-22 13:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-14 15:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-14 15:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-08 23:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2006-11-04 16:57 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-11-03 06:57 143,360 --a------ C:\WINDOWS\system32\olecnf.exe
2006-11-03 06:57 143,360 --a------ C:\ox32.exe
2006-10-30 13:05 57,344 --a------ C:\WINDOWS\system32\avsda.dll
2006-10-30 13:05 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-10-30 13:05 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-10-30 13:05 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-10-30 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-10-23 11:43 <DIR> d-------- C:\WINDOWS\pss
2006-10-23 08:39 <DIR> d-------- C:\Program Files\XoftSpy
2006-10-22 22:28 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-22 22:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Registry Booster
2006-10-22 21:24 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-10-22 17:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SuperAdBlocker.com
2006-10-22 17:19 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2006-10-22 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-22 17:17 -------- d-------- C:\Program Files\Common Files
2006-11-14 18:06 -------- d-------- C:\Program Files\MSN Messenger
2006-11-14 14:17 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-13 14:24 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-10 20:25 -------- d-------- C:\Program Files\Lexmark X1100 Series
2006-11-04 11:55 -------- d-------- C:\Program Files\NetMeeting
2006-10-19 15:04 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-19 06:12 9840 --a------ C:\WINDOWS\system32\pfplgprx.dll
2006-10-19 06:12 5360 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2006-10-19 06:12 16272 --a------ C:\WINDOWS\system32\pfplgflt.dll
2006-10-10 15:34 5790 --a------ C:\WINDOWS\system32\kps001.sys
2006-10-04 07:46 -------- d-------- C:\Program Files\MSN
2006-10-04 07:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2006-09-21 15:42 618328 --a------ C:\WINDOWS\system32\WINSSWEBAGENT.DLL
2006-09-05 09:48 75064 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"CARPService"="carpserv.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"TV Now"="C:\\Program Files\\HPQ\\Notebook Utilities\\TvNow.exe /RK"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Services"="C:\\sxe39.tmp"
"IRQ Assigning Agent"="IRQconf.exe"
"APRfx"="C:\\WINDOWS\\System32\\lzxconf.exe"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"msnmsg32"="C:\\WINDOWS\\System32\\olecnf.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoftf DDEs Control"="Erun.pif"
"Microsoftf DDos Contr0l"="runs.pif"
"IRQ Assigning Agent"="IRQconf.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 06-11-22 22:41:02.46
C:\ComboFix.txt ... 06-11-22 22:41
C:\ComboFix2.txt ... 06-11-22 18:50
C:\ComboFix3.txt ... 06-11-22 18:49

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 November 2006 - 06:15 PM

Run HijackThis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Services] C:\sxe39.tmp
O4 - HKLM\..\Run: [IRQ Assigning Agent] IRQconf.exe
O4 - HKLM\..\Run: [APRfx] C:\WINDOWS\System32\lzxconf.exe
O4 - HKLM\..\Run: [msnmsg32] C:\WINDOWS\System32\olecnf.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] Erun.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [IRQ Assigning Agent] IRQconf.exe

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\sxe39.tmp
    C:\WINDOWS\System32\lzxconf.exe
    C:\WINDOWS\System32\olecnf.exe
    C:\ox32.exe
    C:\WINDOWS\system32\pfplgprx.dll
    C:\WINDOWS\system32\pfplgnfo.dll
    C:\WINDOWS\system32\pfplgflt.dll
    C:\WINDOWS\system32\kps001.sys

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
Also post a new HijackThis log.
How is your computer running now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
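The fix list above is the result of reading the O4 (autorun) lines and picking out the ones that look wrong: stray .pif files under a misspelt "Microsoftf" name, a .tmp file in the drive root, and unfamiliar binaries in System32. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python script below scores O4 lines with that same kind of defender-side heuristic so the malformed entries surface for review. The sample lines are copied from the HijackThis log in this thread; the rule weights, the threshold of 2 and the names `triage`, `score_entries` and `first_executable` are assumptions chosen for the example. The two System32 files with plausible-looking names (lzxconf.exe, olecnf.exe) are only caught by the weakest rule, a mismatch between the value name and the file name, which is a stand-in for the vendor and hash lookup a helper actually performs.

```python
"""Heuristic triage of HijackThis O4 (autorun) entries.

Added example: not code from this thread, from HijackThis or from
BleepingComputer. Rule weights and the flag threshold are assumptions chosen
for illustration; anything flagged still needs confirming by a hash or vendor
lookup, which is the part a human helper supplies.
"""
import re
from dataclasses import dataclass, field

# O4 lines of the form:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ODD_EXTENSIONS = {".pif", ".tmp", ".scr", ".bat", ".cmd", ".com"}
FLAG_THRESHOLD = 2  # assumption: one strong signal, or two weak ones

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [CARPService] carpserv.exe",
    r"O4 - HKLM\..\Run: [Services] C:\sxe39.tmp",
    r"O4 - HKLM\..\Run: [IRQ Assigning Agent] IRQconf.exe",
    r"O4 - HKLM\..\Run: [APRfx] C:\WINDOWS\System32\lzxconf.exe",
    r"O4 - HKLM\..\Run: [msnmsg32] C:\WINDOWS\System32\olecnf.exe",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] Erun.pif",
    r"O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif",
    r"O4 - HKLM\..\RunServices: [IRQ Assigning Agent] IRQconf.exe",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
]


@dataclass
class Autorun:
    key: str    # registry key as HijackThis abbreviates it, e.g. HKLM\..\Run
    name: str   # the value name shown in [brackets]
    path: str   # the program launched, without quotes or arguments
    score: int = 0
    reasons: list = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the program part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def tokens(text: str) -> set:
    """Lower-case alphabetic runs of three or more letters."""
    return set(re.findall(r"[a-z]{3,}", text.lower()))


def names_agree(name: str, stem: str) -> bool:
    """True when the value name and the file name share a recognisable word."""
    n, s = name.lower(), stem.lower()
    return any(t in s for t in tokens(n)) or any(t in n for t in tokens(s))


def parse_o4(line: str):
    """Parse one bracketed O4 line; Global Startup .lnk lines are not handled."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Autorun(m["key"], m["name"], first_executable(m["cmd"]))


def hit(entry: Autorun, points: int, reason: str) -> None:
    entry.score += points
    entry.reasons.append(reason)


def score_entries(entries):
    """Apply the heuristics to every entry in place and return the list."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), []).append(e)
    for e in entries:
        low = e.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "." in base:
            stem, ext = base.rsplit(".", 1)
            ext = "." + ext
        else:
            stem, ext = base, ""
        if ext in ODD_EXTENSIONS:
            hit(e, 2, "unusual extension " + ext)
        if re.match(r"^[a-z]:\\[^\\]+$", low):
            hit(e, 2, "file dropped in the drive root")
        if "\\" not in low and ":" not in low:
            hit(e, 1, "bare filename, no directory given")
        if e.key.lower().endswith("runservices"):
            hit(e, 1, "legacy RunServices key")
        if len(by_path[low]) > 1:
            hit(e, 1, "same program registered under several keys")
        if re.search(r"microsoft[a-z]|[a-z][01][a-z]", e.name.lower()):
            hit(e, 2, "vendor-name look-alike in value name")
        if ("\\system32\\" in low or "\\system\\" in low) and not names_agree(e.name, stem):
            hit(e, 2, "system-directory file whose name matches nothing in the value name")
    return entries


def triage(lines):
    """Parse, score and return the entries at or above the flag threshold."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    score_entries(entries)
    return [e for e in entries if e.score >= FLAG_THRESHOLD]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.score}  [{e.name}] {e.path}  <- {'; '.join(e.reasons)}")
```

Run on the sample, the script flags exactly the seven entries in the fix list (the IRQ Assigning Agent entry twice, once per key) and leaves the vendor entries alone; the benign bare filenames such as Ati2mdxx.exe score only one point, which is why the bare-filename rule is weighted as a weak signal and only tips an entry over the threshold in combination with something else, such as the same program being registered under both Run and RunServices.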


========================================================

#15 David Pearce

David Pearce
  • Topic Starter

  • Members
  • 21 posts

Posted 22 November 2006 - 07:02 PM

Hello Sam!!

I have done the scans as requested, and the results are below. In terms of asking how the computer runs now - it seems ok, although when I started it up again, the Firewall came up explaining that some other server was trying to act as my server and that it had stopped it.

Also, I notice still that the internet - pages have to be refreshed a few times before they load. Even this forum had to be.

Finally, I have MSN Messenger 6.2 on the computer and that always asks me if I want to download the latest version. I always click "no", because when I have tried to download it in the past, the computer won't let me.

Just to let you know - I have "ZoneAlarm Pro" firewall on the computer as a free trial at the mo - is it a good firewall, and is it a good idea to purchase this??

Here are the results:

Killbox results:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Wednesday, November 22, 2006, 11:34 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\olecnf.exe


# 2 [Delete on Reboot]
Path = C:\ox32.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\pfplgprx.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\pfplgnfo.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\pfplgflt.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\kps001.sys


I Rebooted @ 11:37:57 PM
Killbox Closed(Exit) @ 11:38:41 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Wednesday, November 22, 2006, 11:48 PM

-----------------------------------------------------------------------------------------------------
Hijackthis scan result:

Logfile of HijackThis v1.99.1
Scan saved at 23:50:39, on 22/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0d\aoltray.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125437944562
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
