Computer Wont Stay On


This topic is locked
40 replies to this topic

#1 lisa_marie

  • Members
  • 33 posts

Posted 07 March 2007 - 04:01 AM

Hi, I'm very new at this and found this site with Google.
Sorry if I'm not doing this correctly.
My problem is when I start the computer, it starts up, then within a few seconds turns itself off.
I'm only able to start the computer in safe mode.

Here is the HijackThis thing...


Logfile of HijackThis v1.99.1
Scan saved at 7:22:15 PM, on 7/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - @p64306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - (ApJ - (no file)
O2 - BHO: (no name) - 8@p07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - H%p88E20-4234-41B9-A9DB-982958C95FB1} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: PimpFish Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - http://amiuptodate.mcafee.com/vsc/bin/1,0,...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126424787609
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DeskSiteCMA - Unknown owner - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



#2 miekiemoes (Malware Killer Dog)


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 March 2007 - 05:33 AM

Hi,

This is a very nasty log... and some entries in your log suggest that you are dealing with the pe386 rootkit as well, which causes the BSOD in normal mode every time.

The problem with this combination of infections nowadays is that it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

Please perform the next steps in the right order without missing any step. I can't stress enough how important this is, because the logs won't make sense afterwards.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\a3dxq.dll


Open 'File' in the Killbox menu on top and choose 'Paste from clipboard'.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - @p64306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - (ApJ - (no file)
O2 - BHO: (no name) - 8@p07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - H%p88E20-4234-41B9-A9DB-982958C95FB1} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). I need these logs later.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • It may display a popup in between asking you to buy it or offering a 50% discount. Just close that popup.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image]
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image: [image]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Then,

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!):
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
I see your LSP chain got corrupted as well. Since you have XP SP2, we can restore it with a simple command.
Go to Start > Run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.

Reboot your computer.

After reboot,

Post the following logs in your next reply:

* Log from SDFix
* Log from rustbfix (C:\rustbfix\pelog.txt)
* C:\Avenger.txt
* Dr.Web CureIt log
* New HijackThis log

You may need more than one reply to post the logs since they won't fit in one reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
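The reply above works through the HijackThis log by hand, picking out the same kinds of entries every time: references to files that no longer exist, CLSIDs that are not well-formed GUIDs, an autorun launched from a Temp directory, O20 Winlogon Notify DLLs living outside system32, the broken LSP line, and a service named svchosts.exe that imitates the real svchost.exe. The following Python script is an added example, not a tool either poster used and not part of this thread; it automates that first triage pass over HijackThis-format lines. The heuristics, the CORE_BINARIES list and the reason wording are my assumptions; the sample log is a constructed excerpt of the entries posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - @p64306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")   # "O20 - ..." entries only
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
EXE_RE = re.compile(r'([^\s"]*\.exe)\b', re.IGNORECASE)      # first .exe referenced in an entry
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Assumed list of core Windows binaries whose names malware commonly imitates.
CORE_BINARIES = ("svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "smss.exe", "csrss.exe", "explorer.exe")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_core_binary(body: str):
    """Return the core binary that a referenced .exe name imitates, or None."""
    m = EXE_RE.search(body)
    if not m:
        return None
    name = m.group(1).rsplit("\\", 1)[-1].lower()
    for core in CORE_BINARIES:
        if name != core and edit_distance(name, core) <= 1:
            return core
    return None


def triage_line(line: str):
    """Parse one HijackThis entry; return a Finding (reasons may be empty) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    f = Finding(section=sec, line=line.strip())
    parts = [p.strip() for p in body.split(" - ")]
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        f.reasons.append("orphaned reference: registry entry points at a missing file")
    if sec in ("O2", "O3", "O21") and len(parts) >= 2 and not GUID_RE.match(parts[1]):
        f.reasons.append("malformed CLSID: '%s' is not a {GUID}" % parts[1])
    if sec == "O4" and TEMP_RE.search(body):
        f.reasons.append("autorun launched from a Temp directory")
    if sec == "O20":
        # Winlogon Notify DLLs are expected under %SystemRoot%\system32 (assumed baseline).
        path = parts[-1] if len(parts) >= 2 else ""
        if not path.lower().startswith("c:\\windows\\system32\\"):
            f.reasons.append("Winlogon Notify DLL outside %SystemRoot%\\system32")
    if sec == "O10":
        f.reasons.append("LSP chain is broken (netsh winsock reset repairs it on XP SP2)")
    if sec == "O23" and "Unknown owner" in body:
        f.reasons.append("service binary has no identified publisher")
    if sec in ("O4", "O23"):
        core = lookalike_core_binary(body)
        if core:
            f.reasons.append("executable name is one edit away from core binary %s" % core)
    return f


def triage_log(text: str):
    """Return only the entries that earned at least one reason for review, in log order."""
    findings = (triage_line(l) for l in text.splitlines())
    return [f for f in findings if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The script only shortlists entries for a human to look at; it deliberately does not decide what to delete, because a legitimate leftover (a Symantec service whose binary is gone) and a malicious one both show up as "(file missing)". The lookalike check is the one rule that would not be obvious from reading the log line by line: svchosts.exe sits next to svchost.exe alphabetically and is easy to skim past.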

#3 lisa_marie (Topic Starter)

  • Members
  • 33 posts

Posted 07 March 2007 - 08:46 AM

SDFix: Version 1.69

Run by HP_Administrator - Wed 07/03/2007 @ 23:49:21.46

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
wincom32

Path:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271
\??\C:\WINDOWS\system32\wincom32.sys

Client IP-IPX Deleted
wincom32 Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File

************************* Rustock.b-fix -- By ejvindh *************************
Wed 07/03/2007 22:01:46.17

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MBK;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MPF;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MPS;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MSAD;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MSC;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mist90enus.tmp\Apps\MSK;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\vspt10enus.tmp\Apps\MPF;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\vspt10enus.tmp\Apps\MSAD;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\vspt10enus.tmp\Apps\MSC;Probably BACKDOOR.Trojan;Incurable.Moved.;
COH32.exe;C:\Program Files\Common Files\Symantec Shared\COH;Probably MULDROP.Trojan;Incurable.Moved.;
Bar888.dll;C:\Program Files\Common Files\{3636B759-0D49-1033-0331-05012605003d};Adware.Lucky;Incurable.Moved.;
UnInstall.exe;C:\Program Files\Common Files\{3636B759-0D49-1033-0331-05012605003d};Adware.Lucky;Incurable.Moved.;
buddy.exe;C:\Program Files\Download Plugin\DlPlugin-Moz;Trojan.Swizzor;Deleted.;
_desktop.ini;C:\Program Files\ImTOO\FLV Converter 3;Win32.HLLW.Gavir.ini;Deleted.;
_desktop.ini;C:\Program Files\ImTOO\FLV Converter 3\lang;Win32.HLLW.Gavir.ini;Deleted.;
_desktop.ini;C:\Program Files\ImTOO\FLV Converter 3\skin\Default;Win32.HLLW.Gavir.ini;Deleted.;
A0320201.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.44;Deleted.;
A0320202.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0320203.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0320204.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.MulDrop.5742;Deleted.;
A0320205.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.15909;Deleted.;
A0320206.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.38;Deleted.;
A0320207.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.14813;Deleted.;
A0320208.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.19260;Deleted.;
A0320210.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0320212.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.38;Deleted.;
A0320213.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0320214.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0320215.dll;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Win32.Dref;Deleted.;
A0320217.sys;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;BackDoor.Groan;Deleted.;
A0320218.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.15909;Deleted.;
A0320219.dll;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Adware.Lucky;Incurable.Moved.;
A0320220.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Adware.Lucky;Incurable.Moved.;
A0320221.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.15909;Deleted.;
A0320222.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.15909;Deleted.;
A0320223.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0321180.dll;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.DownLoader.19108;Deleted.;
A0322189.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0322211.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.44;Deleted.;
A0322212.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.MulDrop.5742;Deleted.;
A0322213.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0324210.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.44;Deleted.;
A0325220.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Adware.Spysheriff;Incurable.Moved.;
A0329106.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.38;Deleted.;
A0329107.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0329108.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP805;Trojan.Packed.45;Deleted.;
A0330162.sys;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP806;BackDoor.Groan;Deleted.;
A0347533.dll;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807;Trojan.DownLoader.19108;Deleted.;
A0349543.dll;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807;Win32.Dref;Deleted.;
A0349544.sys;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807;BackDoor.Groan;Deleted.;
A0349552.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807;Tool.Prockill;Incurable.Moved.;
A0349560.exe;C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807;Trojan.Swizzor;Deleted.;
pp.exe;C:\WINDOWS;Trojan.Packed.45;Deleted.;
adirka.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
bryqr32.dll;C:\WINDOWS\system32;Trojan.DownLoader.18377;Deleted.;
dlh9jkd1q1.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
dlh9jkd1q2.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
dlh9jkd1q5.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
dlh9jkd1q6.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
dlh9jkd1q7.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
dxwhwn.sys;C:\WINDOWS\system32;Trojan.EmailSpy;Deleted.;
ma.exe.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
orxgcq32.dll;C:\WINDOWS\system32;Trojan.DownLoader.18377;Deleted.;
pp.exe.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
qvx5gamet2.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
qvxga6met3.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
qvxga7met4.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
rsvp32_2.dll435;C:\WINDOWS\system32;Win32.Dref;Deleted.;
stup1.exe;C:\WINDOWS\system32;Trojan.DownLoader.10440;Deleted.;
vexg3am1et3.exe;C:\WINDOWS\system32;Trojan.DownLoader.19108;Deleted.;
vexg4am1et2.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
vexg6ame4.exe;C:\WINDOWS\system32;Trojan.DownLoader.14813;Deleted.;
vexga3me2.exe;C:\WINDOWS\system32;Trojan.MulDrop.5742;Deleted.;
vexga4m1et4.exe;C:\WINDOWS\system32;Trojan.Packed.38;Deleted.;
vexga4me1.exe;C:\WINDOWS\system32;Probably BACKDOOR.Trojan;Incurable.Moved.;
vexga5me3.exe;C:\WINDOWS\system32;Trojan.DownLoader.15909;Deleted.;
vexga8me6.exe;C:\WINDOWS\system32;Trojan.DownLoader.19260;Deleted.;
xfihr.sys;C:\WINDOWS\system32;Trojan.EmailSpy;Deleted.;
zu.exe.exe;C:\WINDOWS\system32;Trojan.Packed.45;Deleted.;
videotype.vbs;D:\I386\Apps\APP19909\dodont;Probably SCRIPT.Virus;Incurable.Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 12:42:12 AM, on 8/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: PimpFish Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - http://amiuptodate.mcafee.com/vsc/bin/1,0,...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126424787609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DeskSiteCMA - Unknown owner - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
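
A small triage parser for HijackThis log lines of the kind pasted above, as an added example that is not part of this thread or of HijackThis itself; the sample lines are constructed from the shape of the log, and the flags (dead entries, launches from a Temp directory, bare filenames, Winlogon Notify DLLs, services with no owner information) are a reviewer's checklist for what to verify by hand, not verdicts from the tool.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines; their shape is copied from the HijackThis 1.99.1 log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str                    # HijackThis section: O4 / O20 / O23
    name: str                       # Run value name, Notify package or service short name
    image: str                      # executable or DLL the entry points to
    reasons: List[str] = field(default_factory=list)


SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# Unquoted paths may contain spaces ("C:\Program Files\..."), so cut after the extension.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|scr|com))(?:\s|$)", re.IGNORECASE)
MISSING = "(file missing)"


def extract_image(command: str) -> str:
    """Return the program path from a Run value or service command line."""
    cmd = command.replace(MISSING, "").strip()
    if cmd.startswith('"'):                 # properly quoted path
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    if '"' in cmd:                          # unbalanced quote, as in the ccSvcHst.exe entry
        return cmd.split('"', 1)[0].strip()
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def check_image(command: str, image: str) -> List[str]:
    """Heuristics a reviewer applies to every autostart target."""
    reasons = []
    low = image.lower()
    if MISSING in command:
        reasons.append("file_missing")      # dead entry left behind by an uninstall or removal
    if "\\temp\\" in low:
        reasons.append("temp_path")         # software that starts from a Temp directory
    if "\\..\\" in image:
        reasons.append("path_traversal")    # ..\..\ in the path hides where the file really lives
    if "\\" not in image:
        reasons.append("bare_filename")     # resolved via PATH; which copy runs must be verified
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse O4, O20 and O23 lines and return only the entries that need a closer look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        extra: List[str] = []
        if section == "O4" and (r := RUN_RE.match(rest)):
            name, cmd = r.group("name"), r.group("cmd")
        elif section == "O20" and (r := NOTIFY_RE.match(rest)):
            name, cmd = r.group("name"), r.group("cmd")
            extra.append("winlogon_notify")  # DLL loaded by winlogon at every logon
        elif section == "O23" and (r := SERVICE_RE.match(rest)):
            short = re.search(r"\(([^()]+)\)$", r.group("display"))
            name = short.group(1) if short else r.group("display")
            cmd = r.group("cmd")
            if r.group("owner") == "Unknown owner":
                extra.append("unknown_owner")  # binary carries no company/version information
        else:
            continue
        image = extract_image(cmd)
        reasons = check_image(cmd, image) + extra
        if reasons:
            findings.append(Finding(section, name, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<14} {', '.join(f.reasons):<30} {f.image}")
```

Entries that pass all checks (ccleaner, NVSvc) are not reported; everything else is a prompt to look the file up, not a conclusion about it.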

#4 lisa_marie (Topic Starter, Members, 33 posts)

Posted 07 March 2007 - 09:20 AM

Sorry, I messed up the first part before.

SDFix: Version 1.69

Run by HP_Administrator - Thu 08/03/2007 @ 0:16:37.48

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
wincom32





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\unsvchosts.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Administrator\Favorites\MSN.com.url
C:\Documents and Settings\Default User\Favorites\MSN.com.url
C:\Documents and Settings\eMule_Secure\Favorites\MSN.com.url
C:\Documents and Settings\Guest\Favorites\MSN.com.url
C:\Documents and Settings\Guest.LISA\Favorites\MSN.com.url
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\h.i.m._666_@hotmail.com\Sharing Folders\leonardomcleodo@hotmail.com\Thumbs.db
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\lisa_m_fer@hotmail.com\Sharing Folders\dark_koncept@hotmail.com\Thumbs.db
C:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\Program Files\Replay Converter\cygz.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\x.264.exe
C:\Documents and Settings\Administrator\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Guest.LISA\NTUSER.DAT.COPY.TMP.LOG

Add/Remove Programs List:

Absolute Video to Audio Converter 2.7.9
Acala DVD Ripper 2.5.2
Adobe Shockwave Player
Agere Systems PCI Soft Modem
ALSoft Video Converter v1.3 (Apr-10-2006)
River Past Animated GIF Booster Pack
Plus! MP3 Audio Converter LE
River Past Audio Capture
River Past Audio Converter
River Past Audio Converter Pro
Otto
Updates from HP
Blaze Media Pro
CCleaner (remove only)
CloneCD
Codec Pack - All In 1 6.0.3.0
Microsoft Windows XP Video Decoder Checkup Utility
DivX Content Uploader
River Past DVD QuickRip
DVD Ripper 4
DVD Shrink 3.2
DVD to VCD AVI DivX Converter v3.2 (build 069)
Easy DVD Creator 1.1.0
eMule
Flash to Video Encoder Pro
FlashGet(Jetcar) 1.81
FLV Converter 3
FLV to AVI Converter
FLV Player 1.3.3
Free Mp3 Wma Converter V 1.4.0
GetFLV Pro 2.25
Help and Support Additions
HijackThis 1.99.1
HP Image Zone 4.7
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
River Past Image Sequence Booster Pack
PC-Doctor for Windows
SmartSound Quicktracks Plugin
KBD
LimeWire PRO 4.12.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Microsoft Money
River Past MOV Booster Pack
Mozilla Firefox (2.0.0.2)
River Past MPEG-4 Booster Pack
Media Library Management Wizard
Microsoft Compression Client Pack 1.0 for Windows XP
ninemsn Toolbar
ninemsn Internet Software
MySpaceIM
Microsoft National Language Support Downlevel APIs
NoAdware v5.0
NVIDIA Drivers
Direct Show Ogg Vorbis Filter (remove only)
Panda ActiveScan
PimpFish
Python 2.2.3
Python 2.2 pywin32 extensions (build 203)
RealPlayer
Riva FLV Encoder 2.0
Riva FLV Player
RM Converter 3
RM Converter 3.28
RM to MP3 Converter 1.21
Shockwave
Macromedia Flash Player 8
Spybot - Search & Destroy 1.4
StreamDown Version 5.9
SUPER c Version 2007.bld.21 (Jan 4, 2007)
Norton Internet Security (Symantec Corporation)
River Past Talkative
Total Video Converter 3.02
Ultra Flash Video FLV Converter 1.7.2
Ultra QuickTime Converter 1.0.2
Unlocker 1.8.5
URL Snooper v2.14.02
µTorrent
River Past Video Cleaner Pro
Video Converter 3
River Past Video Perspective
River Past Video Slice
Video to Audio Converter 3
VideoLAN VLC media player 0.8.6
Windows Imaging Component
WinAVI Video Capture 2.0
WinPcap 3.1
WinRAR archiver
WM Recorder 11.2
Windows Media Bonus Pack for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.2 final uninstall
Microsoft Encarta Encyclopedia Standard 2005
PC-Doctor for Windows
Scan
MTV Overdrive for Media Center
ScannerCopy
HP Product Assistant
Fax
AutoUpdate
InstantShare
Copy
Sothink SWF to Video Converter
TrayApp
cp_dwShrek2Albums1
cp_dwSharkTaleAlbums1
Unload
InterVideo WinDVD Creator
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
HP PSC & OfficeJet 4.7
cp_dwSharkTaleCards1
CueTour
ProductContext
Nero 7 Premium
PSPrinters06
Microsoft Works
Readme
iTunes
Windows Communication Foundation
SmartSound Quicktracks Plugin
Adobe Photoshop Album Starter Edition 3.0
HP Photosmart Cameras 4.0
QuickTime
CP_PLSBusinessFlyers
PanoStandAlone
Windows Genuine Advantage v1.3.0254.0
CreativeProjects
PhotoGallery
HP Software Update
AiO_Scan
Sonic Express Labeler
Destinations
HP Tunes
InterVideo WinDVD Creator
BufferChm
Microsoft .NET Framework 2.0
MSXML 4.0 SP2 Parser and SDK
cp_dwShrek2Cards1
CameraDrivers
HPSystemDiagnostics
DivX Codec
HPIZplus450
Windows Workflow Foundation
SkinsHP1
AiOSoftware
QFolder
DivX Player
DocProc
HP Image Zone for Media Center PC
Visual J# .NET Redistributable Package
InterVideo WinDVD Player
Sonic RecordNow!
Sonic Encoders
QuickProjects
Microsoft .NET Framework 3.0
PrintScreen
Apple Software Update
CP_AtenaShokunin1Config
Photosmart 320,370,7400,8100,8400 Series
Adobe Reader 7.0.9
Adobe Reader 7.0.5 Language Support
DivX Converter
SDP Downloader
DivX Web Player
MSRedist
Director
Windows Presentation Foundation
ConvertXtoDVD 2.1.8.193
BigPond Broadband Cable Login
InterVideo DiscLabel
Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
Blaze Media Pro
Microsoft .NET Framework 1.1
WebReg
DocumentViewer
HP Image Zone Plus 4.5.3
Panda Antivirus 2007
HpSdpAppCoreApp
LS_HSI
HP Deskjet Preloaded Printer Drivers
Sothink Flash Video Encoder
CreativeProjectsTemplates

Finished

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 07 March 2007 - 10:23 AM

Hi,

I assume you still can't boot into normal mode?
As far as I can see, the pe386 rootkit was not present.
Another main cause of why you're not able to boot into normal mode and get BSODs all the time is the fact that you have two security suites installed:
Norton Internet Security and Panda Antivirus.
Never install more than one antivirus and firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (real-time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one antivirus and firewall installed are not compatible with each other, it can cause system performance problems, BSODs and a serious system slowdown.
So we have to eliminate this as well, otherwise we will never be able to troubleshoot your issue properly. Malware was involved here, but we have to eliminate every other cause as well.

So, from Software > Add/Remove Programs, uninstall the following:

Panda Antivirus 2007
Norton Internet Security (Symantec Corporation)

To fully remove Norton AntiVirus, you should go here, download the files, print the instructions for removal, and follow them after uninstalling NAV:
How to uninstall Norton AntiVirus 2003/2004/2005/2006/2007 (note: this removes ALL Norton 2003/2004/2005/2006/2007 products from your computer)
How to uninstall Norton AntiVirus 2000/2001/2002

Also read this article in case you're having problems with uninstalling Norton, if the above instructions didn't work, or if you noticed problems after uninstalling Norton:
http://basconotw.mvps.org/SymRem.htm

If you're having problems with uninstalling Panda, read the next instructions:
http://www.pandasoftware.com/com/Support/c...=2&id=23210

As long as both are present, problems will remain. That's why it is important you uninstall both. It doesn't make much sense if you only uninstall one and keep the other one, because they may both be corrupted.
Once you're able to boot back into normal mode again afterwards, then you can reinstall an antivirus again. But before you do that, I want to see a Hijackthislog first.

So, uninstall both scanners and reboot afterwards.
Then try to get into normal mode and post a new Hijackthislog from Normal mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 07 March 2007 - 10:51 AM

Also,

Delete the following files:

C:\Documents and Settings\Administrator\Favorites\MSN.com.url
C:\Documents and Settings\Default User\Favorites\MSN.com.url
C:\Documents and Settings\eMule_Secure\Favorites\MSN.com.url
C:\Documents and Settings\Guest\Favorites\MSN.com.url
C:\Documents and Settings\Guest.LISA\Favorites\MSN.com.url

because I don't like the fact that they are having hidden attributes.
The other files SDFix flagged with hidden attributes are related to your SUPER c Version 2007.bld.21 (Jan 4, 2007) by eRightSoft.
They are ok.

As a side note: I see you're not afraid of visiting crack sites and using illegal software, because from the logs I can see/recognise that you actually installed some plugins that appear on crack sites to get access to the cracks. They install the malware on your system.
If you visit crack sites and use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :thumbsup:
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.

Edited by miekiemoes, 07 March 2007 - 10:57 AM.


#7 lisa_marie (Topic Starter, Members, 33 posts)

Posted 07 March 2007 - 11:35 AM

I'm unable to remove those 2 antivirus programs while in safe mode.
And also with the crack thing, I don't know too much about computers; I have not had this one very long, only about a year,
so I let someone help me with it so I could copy my DVDs and such. I guess they must have put those illegal software things on here; I had the same problems with my old computer. I won't be letting anyone touch this computer in the future. Also, what is a good virus protection program? Because I have no idea.
Thank you for all your help.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 07 March 2007 - 11:56 AM

Hi Lisa marie,

I am sorry to hear that someone else is responsible for this, using your computer to download illegal software, so your computer gets terribly infected instead. :thumbsup:

If I may be honest here: given that you say you don't know much about computers, and that it got terribly infected/compromised now, I guess cleaning this up manually and restoring the damage it already caused will be a lot of work, since advanced steps would have to be done as well.
But I cannot guarantee that your computer will be clean afterwards, because you are dealing with some very nasty ones here. Also, I cannot guarantee that the damage it already caused can always be repaired.
We can give it a try; however, in your case, I guess the best action to take is to back up your important data (pictures etc.), burn them to CD, and format and reinstall Windows. Then you can be sure that your computer is clean again and no errors will appear.
You can read detailed instructions + screenshots on how to format and reinstall Windows here:
http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp

However, if you would rather clean this up manually without a format, I will guide you as well, but as I already said, I cannot guarantee we will succeed in this.

Anyway, if you want to proceed with this manually, we really have to get rid of Norton and Panda first. Yes, it's possible the uninstall won't work from safe mode, but using the Norton Removal Tool and the Panda removal tool should work from Windows safe mode:

Norton Removal Tool:
http://service1.symantec.com/SUPPORT/share...v_lvl=&seg=

Panda removal Tool: UNINST_v1012.exe
http://www.pandasoftware.com/com/Support/c...=2&id=23210

also what is a good virus protection program because i have no idea

There are a lot of good ones out there. This all depends on what exactly you want. Take a look in my signature under Antivirus Scanners for the ones I recommend. You will find some free ones there as well.
Keep in mind, only install ONE antivirus. Never install an antivirus when you already have one installed.

#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 07 March 2007 - 12:10 PM

By the way....

i wont be letting anyone touch this computer in the future

For future reference, you can prevent this by setting passwords, so they have to enter a password to access the computer.
You can do this via the BIOS and set a BIOS password, so every time you start up your computer it will ask for a password before it proceeds to load.
Or you can do this by password-protecting your account and the other accounts.
To set a BIOS password, read here: http://www.lockdown.co.uk/?pg=biospsw&s=articles (keep in mind, not all computers (BIOS) have this option).
To password-protect user accounts, read here: http://security.utexas.edu/personal/window...P_and_2000.html

Anyway, the above tips are for future reference, once this computer is up and running again.

#10 lisa_marie (Topic Starter, Members, 33 posts)

Posted 07 March 2007 - 01:04 PM

Normal mode stayed on for a few minutes, so I was able to remove both Norton and Panda.
I think a fan or something inside the computer box thing (not sure what it's called) sounds really loud, and that's when the computer shuts itself down.
Is there anything I can do to fix it?
Thanks again for all this help. I'm glad it's kind of fixed now after stressing for the last 10 hours.

#11 lisa_marie (Topic Starter, Members, 33 posts)

Posted 07 March 2007 - 01:05 PM

Here is a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:03:27 AM, on 8/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - http://amiuptodate.mcafee.com/vsc/bin/1,0,...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126424787609
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: DeskSiteCMA - Unknown owner - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#12 lisa_marie (Topic Starter, Members, 33 posts)

Posted 07 March 2007 - 01:08 PM

Also, I would prefer not to have to remove everything from my computer onto CDs, like pictures and stuff.

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 07 March 2007 - 03:00 PM

Hi,

Good that you were able to remove Norton and Panda and are now able to start your computer in normal mode. There are just some leftovers present in the registry that we have to remove.

To do this,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Panda Software Controller - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then go to Start > Run and copy and paste the next commands into the field, hitting Enter after each one:

sc delete "McDetect.exe"

sc delete "Panda Software Controller"

also I would prefer not to have to remove everything from my computer onto CDs, like pictures and stuff

No, we won't remove anything. This was only in case you decided to format and reinstall Windows; then you would have to back up your music, pictures etc. and burn them to CD. Actually, it won't hurt to back up pictures/music etc. anyway. I also burn them to CD, so I can never lose them if something happens to my computer and it won't boot anymore.

I think a fan or something inside the computer box thing, not sure what it's called, but that sounds really loud and that's when the computer shuts itself down

I cannot tell what sound this exactly is, but you can hear the processor making noise at 100% CPU when your computer needs a lot of resources, especially when your system has less than 512MB of RAM. In your case, this could be because of the combination of malware being present plus more than one antivirus, causing your CPU to "overheat", and that's why it shuts down. The fact that it runs fine in safe mode is because your antivirus and other processes plus malware (not all) do not run in safe mode, so there's less CPU stress.

However, since it shuts down when there's a lot of stress on the CPU, this is a problem with the temperature: dirt and dust between the CPU fan and other fans. So make sure they are spinning freely and there is good airflow through the computer. It may be better to let someone else look at that if you're not sure where to look.

Does your computer stay on longer now in Windows normal mode after we removed the extra scanners?

Anyway, I recommend you install an antivirus again to prevent malware. As I already said in a previous post, there are some great free antivirus scanners as well which don't need that many resources.
A great free one is Avira: http://www.free-av.com/

Once you have installed an antivirus again, scan with it and let it remove any leftovers.

Also, if you want to improve speed/system performance after malware removal, take a look here.

And as a final check after you have performed the above (apart from checking your fans), do the following:

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new Hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
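The post above removes two orphaned services by hand: HijackThis reports them as "(file missing)", and `sc delete` takes out the registration that the uninstaller left behind. The script below is an added example written for this thread (it is not HijackThis code and not part of the original posts); it reads O20/O23 log lines, picks out the ones marked "(file missing)", and emits the same `sc delete` commands the helper typed, plus a `sc query` / `reg query` check for afterwards. The sample lines are copied from the log posted earlier in the thread. Two assumptions are this example's own: the Winlogon Notify key path is the standard Windows XP location, and the `reg delete` line is the manual equivalent of HijackThis "Fix checked" for an O20 entry, not a command the thread used.

```python
"""Flag HijackThis O20/O23 entries marked "(file missing)" and emit their cleanup.

Added example for this thread; not HijackThis code and not part of the original
posts. A service (O23) or Winlogon Notify package (O20) whose file HijackThis
reports as "(file missing)" is an orphaned registration that Windows will keep
trying to load; for the service case the fix is `sc delete <ServiceName>`.
Assumptions: the Winlogon Notify key below is the standard XP location, and
the `reg delete` line is this example's equivalent of "Fix checked" for O20.
"""
import re
from dataclasses import dataclass
from typing import List

# O23 - Service: <DisplayName> [(<ServiceName>)] - <Owner> - <Path> [(file missing)]
# HijackThis prints the short service name in parentheses only when it differs
# from the display name; `sc delete` needs the short name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <SubKey> - <DLL> [(file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
# Assumed: standard location of the Winlogon Notify packages on Windows XP.
WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass
class Orphan:
    kind: str  # "service" or "winlogon_notify"
    name: str  # service short name, or the Notify subkey
    path: str  # the file HijackThis could not find
    fix: str   # command that removes the dangling registration


def find_orphans(lines: List[str]) -> List[Orphan]:
    """Return every O20/O23 entry marked '(file missing)', each with a cleanup command."""
    orphans: List[Orphan] = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            if m["missing"]:
                svc = m["name"] or m["display"]
                orphans.append(Orphan("service", svc, m["path"], f'sc delete "{svc}"'))
            continue
        m = O20_RE.match(line)
        if m and m["missing"]:
            key = m["key"]
            orphans.append(Orphan("winlogon_notify", key, m["dll"],
                                  f'reg delete "{WINLOGON_NOTIFY}\\{key}" /f'))
    return orphans


def verify_commands(orphans: List[Orphan]) -> List[str]:
    """Commands to confirm the removal took effect after a reboot: `sc query` should
    fail with error 1060 (service does not exist) and `reg query` should not find the key."""
    out: List[str] = []
    for o in orphans:
        if o.kind == "service":
            out.append(f'sc query "{o.name}"')
        else:
            out.append(f'reg query "{WINLOGON_NOTIFY}\\{o.name}"')
    return out


# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: DeskSiteCMA - Unknown owner - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Panda Software Controller - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    found = find_orphans(SAMPLE_LOG.splitlines())
    for o in found:
        print(f"{o.kind:16} {o.name:28} {o.path}")
    print("\n".join(o.fix for o in found))
    print("\n".join(verify_commands(found)))
```

Two caveats a practitioner would want: the script flags DeskSiteCMA as well, which the helper chose to leave alone, so the output is a list of candidates for a human to review rather than a batch to run blind; and `sc delete` only marks a service for deletion, so stop it first (`sc stop "<name>"`) if it is running and expect the entry to disappear after a reboot. HijackThis decides "(file missing)" by resolving the recorded path, so for an unquoted path with spaces confirm with `sc qc "<name>"` before deleting.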

#14 lisa_marie (Topic Starter, Members, 33 posts)

Posted 08 March 2007 - 11:29 AM

The computer is not turning off anymore while in normal mode.
Here are the new logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 09, 2007 3:20:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/03/2007
Kaspersky Anti-Virus database records: 262974
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 95795
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:42:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_372684633_24248320_10730 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_372684633_4587520_10686 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE8.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{48CB7459-0D37-4BCD-84DB-7FA8DDE3739A}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{B2AF07AB-2221-4FA1-8D32-24A4EC306207}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF23D6.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF23EC.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCF47.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-03-08.23-52-47.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000006.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349572.sys Infected: SpamTool.Win32.Agent.s skipped
C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349587.sys Infected: SpamTool.Win32.Agent.s skipped
C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP811\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9E832CA1-5FF5-448B-BB3E-2EE4CA734C0D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A3D43AF1-2B47-4FC4-ABFE-B19974AABB3C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP811\change.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 3:25:02 AM, on 9/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\{969451E7-44C6-409D-860C-E220661E96BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - http://amiuptodate.mcafee.com/vsc/bin/1,0,...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126424787609
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - http://download.mcafee.com/molbin/shared/M...0,2/mcmysec.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...881/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: DeskSiteCMA - Unknown owner - C:\Program Files\DeskSite\binex\DeskSiteCMA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 March 2007 - 11:47 AM

Hi Lisa Marie,

the computer is not turning off anymore while in normal mode

Great to hear! :thumbsup:

Your HijackThis log looks clean again. The only files that Kaspersky found as infected were the following:

C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349572.sys Infected: SpamTool.Win32.Agent.s skipped
C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349587.sys Infected: SpamTool.Win32.Agent.s skipped

They are in your System Restore points, which means that they are not active anymore.
To delete them from your System Restore points, flush your System Restore points.
To do this, you have to disable System Restore and enable it again afterwards.
(Note: this will delete all your System Restore points and any malware that was present in them.)

How to disable system restore in XP <= click me for instructions with screenshots
After you have disabled System Restore, reboot, and after rebooting enable it again, so a new System Restore point will be made. A clean one now! :flowers:

Good that you installed Avira; it's a great scanner, and free.

Let me know in your next reply how things are now.
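The triage in the post above has two steps that are easy to automate: ignore the "Object is locked skipped" lines, and for each "Infected:" hit decide whether the file sits inside a System Restore point (dormant, removed by flushing System Restore) or in a live location (needs action). The script below is an added example written for this thread, not Kaspersky's tooling and not part of the original posts. The report lines are copied from the scan posted above, with one constructed line (example_dropper.dll, not a real detection from this machine) added so the live-file branch is exercised.

```python
"""Triage a Kaspersky Online Scanner report: unscanned noise vs. live vs. dormant hits.

Added example for this thread; not Kaspersky code and not part of the original
posts. "Object is locked skipped" means the scanner could not open the file, so
it is no verdict either way. An "Infected:" hit under
<drive>\System Volume Information\_restore{GUID}\RP<n>\ is a copy inside a
System Restore point: dormant, and removed by flushing System Restore.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<virus>\S+) (?P<action>\S+)$")
# XP restore-point storage; drive letter deliberately not anchored (D:\ has one too).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)


@dataclass
class Detection:
    path: str
    virus: str
    action: str
    in_restore_point: bool


def triage(report: str) -> Tuple[int, List[Detection]]:
    """Return (count of locked/unscanned objects, list of infected objects)."""
    locked = 0
    detections: List[Detection] = []
    for line in report.splitlines():
        line = line.rstrip()
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["virus"], m["action"],
                                        bool(RESTORE_RE.search(m["path"]))))
    return locked, detections


def recommendations(detections: List[Detection]) -> List[str]:
    """Live files first (each one needs a look), then one line for all restore-point copies."""
    live = [d for d in detections if not d.in_restore_point]
    dormant = [d for d in detections if d.in_restore_point]
    out = [f"INVESTIGATE live file: {d.path} ({d.virus})" for d in live]
    if dormant:
        out.append(f"FLUSH System Restore ({len(dormant)} infected restore-point copies)")
    return out


SAMPLE_REPORT = "\n".join([
    # Copied from the Kaspersky report posted in this thread.
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped",
    r"C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349572.sys Infected: SpamTool.Win32.Agent.s skipped",
    r"C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP807\A0349587.sys Infected: SpamTool.Win32.Agent.s skipped",
    r"C:\System Volume Information\_restore{E8CA88CF-4AA0-4D57-AC95-FACE3294BD41}\RP811\change.log Object is locked skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped",
    # Constructed line, not from the thread: the same name reported in a live location.
    r"C:\WINDOWS\system32\example_dropper.dll Infected: SpamTool.Win32.Agent.s skipped",
])

if __name__ == "__main__":
    n_locked, hits = triage(SAMPLE_REPORT)
    print(f"{n_locked} objects could not be scanned (locked)")
    for d in hits:
        where = "restore point" if d.in_restore_point else "LIVE"
        print(f"[{where:13}] {d.virus:24} {d.path}")
    print("\n".join(recommendations(hits)))
```

The locked count is worth keeping in view: the skipped objects in this report include the registry hives and the SAM, which the online scanner never examined, so two dormant hits and nothing else is consistent with a clean machine but is not proof of one. That is why the post pairs the online scan with a resident antivirus scan rather than relying on either alone.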



