
Computer's Real Slow And Has Popups! =[


This topic is locked
14 replies to this topic

#1 Rkikumy

Posted 18 March 2007 - 03:47 PM

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:45:26 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {534D9A29-779B-6F46-9049-5C07E3D1E298} - C:\WINDOWS\System32\uyga.dll (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6EB1C9C1-2327-68AE-7562-0EB2181B859D} - C:\WINDOWS\System32\bebyh.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34E92~1\Bar888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34E92~1\Bar888.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Policies\Explorer\Run: [{04E92E4E-09BB-1033-0716-030224200001}] "C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe" te-110-12-0000132
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{04E92E4E-09BB-1033-0716-030224200001}] "C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe" te-110-12-0000132 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{04E92E4E-09BB-1033-0716-030224200001}] "C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe" te-110-12-0000132 (User 'Default user')
O4 - .DEFAULT User Startup: Compaq Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBEZUd1em1hbiBEZUd1em1hbg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11551 bytes


#2 rookie147

Posted 18 March 2007 - 04:52 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
I'm afraid I have some bad news concerning your computer: one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You are using TrendMicro's HijackThis which is still in the testing process at the moment, so there may be some problems with it. Therefore, please download version 1.99.1 of HijackThis from the following link:
HJT v1.99.1
Then post back a new log,
Thanks
Charles

Edited by rookie147, 18 March 2007 - 04:54 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.
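Charles's verdict above (a backdoor trojan identified from the log) rests on a handful of entries in the posted HijackThis log. As an added example, not part of the original thread and not code from HijackThis, ComboFix or any helper tool, the following Python script parses O4 (autostart) and O23 (service) lines and flags the traits a log reader checks for; SAMPLE_LOG is constructed from lines of the log in post #1, and the regular expressions, rule wording and function names are my own assumptions.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread, not part of HijackThis, ComboFix or any helper
tool. SAMPLE_LOG is constructed from lines of the log posted above; the rules
encode what a log reader checks before calling an entry a likely backdoor.
"""
import base64
import ntpath
import re
from dataclasses import dataclass, field

# Core Windows binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                 "services.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)
PROFILE_RE = re.compile(r"\\(documents and settings|docume~1)\\", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Policies\Explorer\Run: [{04E92E4E-09BB-1033-0716-030224200001}] "C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe" te-110-12-0000132
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBEZUd1em1hbiBEZUd1em1hbg\command.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def first_exe(cmd: str):
    """Return the first .exe path in a Run command, or None (e.g. dumprep 0 -k)."""
    m = EXE_RE.search(cmd)
    return m.group("path") if m else None


def looks_base64(segment: str) -> bool:
    """True if a path component is long base64 text that decodes to printable ASCII."""
    if not B64_RE.fullmatch(segment):
        return False
    core = segment.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except ValueError:
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def triage_o4(line: str):
    """Flag an O4 autostart entry; returns a Finding or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    reasons = []
    exe = first_exe(m.group("cmd"))
    if exe:
        folder, base = ntpath.split(exe)
        if base.lower() in SYSTEM32_ONLY and not folder.lower().endswith("\\system32"):
            reasons.append(f"{base} running outside System32: {exe}")
        if "?" in exe:
            reasons.append("path has characters HijackThis could not print (shown as ?)")
        if PROFILE_RE.search(exe):
            reasons.append("executable lives under a user profile")
    if "Policies\\Explorer\\Run" in m.group("loc"):
        reasons.append("uses Policies\\Explorer\\Run, a key legitimate software rarely touches")
    return Finding(line, reasons) if reasons else None


def triage_o23(line: str):
    """Flag an O23 service entry; returns a Finding or None."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    if m.group("owner") == "Unknown owner":
        reasons.append("no vendor recorded for the service binary")
    path = m.group("path")
    if "(file missing)" in path:
        reasons.append("service points at a file that no longer exists")
    for segment in path.split("\\"):
        if looks_base64(segment):
            reasons.append(f"folder name is base64 text: {segment}")
    return Finding(line, reasons) if reasons else None


def triage_log(text: str):
    """Run both checks over a whole log; returns flagged entries in log order."""
    return [f for f in (triage_o4(ln) or triage_o23(ln) for ln in text.splitlines()) if f]
```

Calling triage_log(SAMPLE_LOG) flags six of the eight sample lines; the clean QuickTime and Symantec entries pass, which is the point of keeping the rules narrow.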


#3 Rkikumy (Topic Starter)

Posted 18 March 2007 - 05:01 PM

Thank you Charles, but this is the only computer I have, can I still clean it while on this computer?



Logfile of HijackThis v1.99.1
Scan saved at 5:58:43 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{04E92E4E-09BB-1033-0716-030224200001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.094\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {534D9A29-779B-6F46-9049-5C07E3D1E298} - C:\WINDOWS\System32\uyga.dll (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6EB1C9C1-2327-68AE-7562-0EB2181B859D} - C:\WINDOWS\System32\bebyh.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34E92~1\Bar888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34E92~1\Bar888.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000132 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBEZUd1em1hbiBEZUd1em1hbg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 rookie147

Posted 19 March 2007 - 04:40 PM

Hello again,

Thank you Charles, but this is the only computer I have, can I still clean it while on this computer?

Yes, you can still clean it while on the infected PC; I would just recommend cutting down on using the internet unless you have to, because there is a danger associated with the infections you have. The choice is, however, up to you; I just want to try and give you an indication as to what is the safest thing to do... :thumbsup:
Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP, it may be that you just double-clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right-click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C:) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please download delcmdservice (by Marckie), and save it to your Desktop.
Unzip the content to your Desktop (a folder named "delcmdservice")
Double-click on the "delcmdservice" folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Please include the ComboFix log, along with a new HijackThis log in your next reply.
Thanks,
Charles



#5 Rkikumy (Topic Starter)

Posted 19 March 2007 - 06:45 PM

Ahh gotcha!

"Owner" - 07-03-19 19:10:19 Service Pack 1
ComboFix 07-03-20 - Running from: "C:\Program Files\AIM"

/wow section not completed - STAGE #6D
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\winsysupd101.dat
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\DOCUME~1\ADMINI~1\APPLIC~1\Sskknwrd.dll
C:\DOCUME~1\ADMINI~1\APPLIC~1\Sskuknwrd.dll
C:\DOCUME~1\DEFAUL~1\APPLIC~1\Sskknwrd.dll
C:\DOCUME~1\DEFAUL~1\APPLIC~1\Sskuknwrd.dll
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\Thumbs.db
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\dns\x.bmp
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\ipwins\pop2C9.tmp
C:\Program Files\ipwins\pop8C.tmp
C:\Program Files\ipwins\popA3.tmp
C:\Program Files\ipwins\popD5.tmp
C:\Program Files\ipwins\popDF.tmp
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\Owner\APPLIC~1.\install.dat
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\WINDOWS\system32\unsvchosts.exe
C:\secure32.html
C:\WINDOWS\httpconf.dat
C:\WINDOWS\new_drv.sys
C:\WINDOWS\smss.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\Common Files\{04E92~2
C:\WINDOWS\inet20005
C:\Program Files\Common Files\inetget2
C:\Program Files\Common Files\inetget2
C:\Program Files\dns
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwins
C:\Program Files\ipwins\bak
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\{34E92~1
C:\WINDOWS\9129837.exe
C:\Program Files\Common Files\{04E92~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Owner
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1\ASEMBL~1
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1\PPATCH~1
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1\PPPATC~2
C:\qoobox\purity\DOCUME~1\Owner\APPLIC~1\SSTEM~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\DOBE~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\FNTS~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\MANTEC~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\SKS~1
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\SKS~2
C:\qoobox\purity\DOCUME~1\Owner\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\FNTS~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1.NET
C:\qoobox\purity\Program Files\Common Files\RACLE~1
C:\qoobox\purity\Program Files\Common Files\SSEMBL~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\SSTEM~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\YMBOLS~1
C:\qoobox\purity\WINDOWS\MANTEC~1
C:\qoobox\purity\WINDOWS\PPATCH~1
C:\qoobox\purity\WINDOWS\PPPATC~1
C:\qoobox\purity\WINDOWS\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))


2007-03-19 19:09 <DIR> d-------- C:\Program Files\Hijack this
2007-03-19 18:01 60,928 --a------ C:\WINDOWS\system32\hqxjsg.dll
2007-03-19 18:01 2 --a------ C:\WINDOWS\system32\wnsapitr32.exe
2007-03-19 18:01 <DIR> d-------- C:\Program Files\ądobe
2007-03-18 12:37 23,552 --a------ C:\WINDOWS\system32\wmimgr32.dll
2007-03-16 23:31 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-16 10:33 117,248 --a------ C:\WINDOWS\monterreyb_unknown.exe
2007-03-15 22:06 24,192 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2007-03-15 22:06 22,768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2007-03-15 21:58 <DIR> d-------- C:\Program Files\Avanquest update
2007-03-15 21:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-03-15 21:56 24,192 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-03-14 23:00 96,768 --a------ C:\WINDOWS\system32\monterreyb_unknown.exe
2007-03-14 23:00 153,088 --a------ C:\WINDOWS\system32\driverb.dll
2007-03-14 19:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\acccore
2007-03-08 10:35 <DIR> d-------- C:\WINDOWS\system32\drv32dta
2007-03-08 10:27 0 --a------ C:\WINDOWS\ipt.exe
2007-03-08 09:33 <DIR> d-------- C:\Program Files\Enterbrain
2007-03-07 17:24 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
2007-03-07 16:49 56 -r-hs---- C:\WINDOWS\system32\FBDF76A975.sys
2007-03-07 16:49 1,682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-03 21:07 69 --a-s---- C:\WINDOWS\url1.bat
2007-02-28 23:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-02-28 23:17 <DIR> d-------- C:\Program Files\Blaze Media Pro
2007-02-28 23:15 1,386,496 --a------ C:\WINDOWS\system32\MSVBVM60.DLL
2007-02-28 23:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-02-27 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-02-25 18:05 <DIR> d-------- C:\Program Files\Sierra Online
2007-02-25 18:04 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-02-25 18:04 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-02-25 18:04 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-02-25 18:04 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-02-25 18:04 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-02-25 18:04 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-02-25 18:03 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-02-25 17:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-02-25 17:59 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-02-25 17:59 63,768 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-02-25 17:59 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-02-25 17:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-02-25 17:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-02-25 17:59 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-02-25 17:59 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-02-25 17:59 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
2007-02-25 17:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-02-25 17:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-02-25 17:59 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-02-25 17:59 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-02-25 17:59 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-02-25 17:59 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-02-25 17:59 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-02-25 17:59 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-02-25 17:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-02-25 17:59 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-02-25 17:59 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-02-25 17:59 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-02-25 17:59 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-02-25 17:59 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-02-25 17:59 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-02-25 17:59 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-02-25 17:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-02-25 17:59 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
2007-02-25 17:58 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-02-25 17:58 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-02-25 17:58 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2007-02-25 17:58 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-02-25 17:58 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2007-02-25 15:14 <DIR> d-------- C:\eAthena
2007-02-23 08:15 <DIR> d-------- C:\WINDOWS\ąppPatch
2007-02-21 22:30 104,448 --a------ C:\WINDOWS\UnGins.exe
2007-02-19 00:26 <DIR> d-------- C:\Program Files\Gravity


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-19 19:32 -------- d-------- C:\Program Files\greetings workshop
2007-03-19 19:31 23552 --a------ C:\WINDOWS\system32\wmimgr32.dll
2007-03-19 19:09 -------- d-------- C:\Program Files\hijack this
2007-03-19 19:08 -------- d-------- C:\Program Files\cartoon network
2007-03-19 18:01 2 --a------ C:\WINDOWS\system32\wnsapitr32.exe
2007-03-19 18:01 -------- d-------- C:\Program Files\ądobe
2007-03-19 13:30 60928 --a------ C:\WINDOWS\system32\hqxjsg.dll
2007-03-17 00:10 96768 --a------ C:\WINDOWS\system32\monterreyb_unknown.exe
2007-03-16 23:41 153088 --a------ C:\WINDOWS\system32\driverb.dll
2007-03-16 23:36 -------- d-------- C:\Program Files\itunes
2007-03-16 23:36 -------- d-------- C:\Program Files\ipod
2007-03-16 23:34 -------- d-------- C:\Program Files\quicktime
2007-03-16 23:31 -------- d-------- C:\Program Files\apple software update
2007-03-16 14:40 117248 --a------ C:\WINDOWS\monterreyb_unknown.exe
2007-03-15 21:58 -------- d--h----- C:\Program Files\installshield installation information
2007-03-15 21:58 -------- d-------- C:\Program Files\avanquest update
2007-03-15 21:58 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\installshield
2007-03-08 10:27 0 --a------ C:\WINDOWS\ipt.exe
2007-03-08 10:26 65536 --a------ C:\command.exe
2007-03-08 09:35 1682 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-08 09:33 -------- d-------- C:\Program Files\enterbrain
2007-03-07 17:25 56 -r-hs---- C:\WINDOWS\system32\fbdf76a975.sys
2007-03-06 19:09 -------- d-------- C:\Program Files\warcraft iii
2007-03-03 21:09 69 --a-s---- C:\WINDOWS\url1.bat
2007-03-01 00:31 -------- d-------- C:\Program Files\blaze media pro
2007-02-25 18:05 -------- d-------- C:\Program Files\sierra online
2007-02-25 17:27 -------- d-------- C:\Program Files\gravity
2007-02-08 10:49 668672 --a------ C:\WINDOWS\system32\adjmmseng.dll
2007-01-28 14:25 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\motive
2007-01-28 01:13 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\winrar
2007-01-28 00:57 -------- d-------- C:\Program Files\irfanview
2007-01-25 08:46 1077248 --a------ C:\WINDOWS\system32\nmsdvdx.dll
2007-01-25 08:45 1101824 --a------ C:\WINDOWS\system32\nmsdvdxu.dll
2007-01-25 03:52 65536 --a------ C:\WINDOWS\system32\nmsaccess.exe
2007-01-22 17:50 69683 --a------ C:\WINDOWS\war3unin.dat
2007-01-22 08:46 -------- d-------- C:\Program Files\Common Files\nullsoft
2007-01-22 08:45 335 --a------ C:\WINDOWS\nsreg.dat
2007-01-08 16:08 2829 --a------ C:\WINDOWS\war3unin.pif
2007-01-08 16:08 159744 --a------ C:\WINDOWS\war3unin.exe
2006-12-26 10:39 967 --a------ C:\WINDOWS\scxeunin.pif
2006-12-26 10:39 93184 --a------ C:\WINDOWS\scxeunin.exe
2006-12-26 10:39 7419 --a------ C:\WINDOWS\scxeunin.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Notn"="\"C:\\DOCUME~1\\Owner\\APPLIC~1\\PPPATC~1\\wowexec.exe\" -vt ndrv"
"Rfozbocr"="C:\\Documents and Settings\\Owner\\My Documents\\??sks\\?ervices.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"AlcxMonitor"="ALCXMNTR.EXE"
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-19 19:40:33




------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:43:09 PM, on 3/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijack this\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11E8DD13-6CA5-7D26-A14F-1CE34D9EAA98} - C:\WINDOWS\System32\hqxjsg.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {534D9A29-779B-6F46-9049-5C07E3D1E298} - C:\WINDOWS\System32\uyga.dll (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Compaq Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9602 bytes

#6 rookie147 (Members, 5,321 posts)

Posted 20 March 2007 - 11:41 AM

Sorry to be awkward, but you posted the log using HijackThis v2.0.0 BETA, so please do another scan using the old version of HJT and post the log it creates. Make sure that you remove the newest version, as we will not be using it.

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 Rkikumy (Topic Starter, Members, 15 posts)

Posted 20 March 2007 - 04:30 PM

Sorry about that.

Logfile of HijackThis v1.99.1
Scan saved at 5:28:17 PM, on 3/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14ED8816-6CF3-7D72-F04F-1CE34D9EAACE} - C:\WINDOWS\System32\tbdqec.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {534D9A29-779B-6F46-9049-5C07E3D1E298} - C:\WINDOWS\System32\uyga.dll (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 rookie147 (Members, 5,321 posts)

Posted 23 March 2007 - 01:11 PM

Hey again,
Firstly, I apologise for the delay in getting back to you; I've been having some major problems with my internet connection so I've not been around much.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C:) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
O2 - BHO: (no name) - {14ED8816-6CF3-7D72-F04F-1CE34D9EAACE} - C:\WINDOWS\System32\tbdqec.dll
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {534D9A29-779B-6F46-9049-5C07E3D1E298} - C:\WINDOWS\System32\uyga.dll (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Rfozbocr] C:\Documents and Settings\Owner\My Documents\??sks\?ervices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs:


Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Notn"=-
"Rfozbocr"=-
"IpWins"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AlcxMonitor"=-

Save this as fix.reg, choosing "All Files" as the file type, and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\hqxjsg.dll
C:\WINDOWS\system32\wnsapitr32.exe
C:\WINDOWS\system32\wmimgr32.dll
C:\WINDOWS\monterreyb_unknown.exe
C:\WINDOWS\system32\monterreyb_unknown.exe
C:\WINDOWS\system32\driverb.dll
C:\WINDOWS\system32\drv32dta
C:\WINDOWS\url1.bat
C:\WINDOWS\UnGins.exe
C:\WINDOWS\system32\adjmmseng.dll
C:\WINDOWS\System32\tbdqec.dll

And delete the following folders:

C:\Program Files\ądobe
C:\WINDOWS\ąppPatch
C:\Program Files\Ipwindows
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
C:\Documents and Settings\Owner\My Documents\??sks <--This folder's name will look like "Tasks"
C:\Documents and Settings\Owner\Application Data\PPPATC~1 <--This folder's name begins with PPPATC

Paste the following into the Suspicious File Packer window:
C:\command.exe
C:\WINDOWS\ipt.exe

Allow SFP to pack the file. This will generate a CAB archive on your Desktop.

Reboot into Normal Mode again.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please include a new HijackThis log in your next reply.
Thanks,
Charles

Edited by rookie147, 23 March 2007 - 01:13 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 Rkikumy

Rkikumy
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:28 AM

Posted 23 March 2007 - 02:22 PM

Done.

By the way, the AppPatch, was that supposed to be a folder? I found it in Owner, and inside the AppPatch folder was PPPATC~1,
and I couldn't find the ??sk thing, the thing that looked like Tasks. There were a few I couldn't find.



Logfile of HijackThis v1.99.1
Scan saved at 3:19:57 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {47E9D840-6DFA-7F2A-F04F-1CE34D9EAF99} - C:\WINDOWS\System32\lkcygaup.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:28 PM

Posted 23 March 2007 - 03:12 PM

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.



#11 Rkikumy

Rkikumy
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:28 AM

Posted 23 March 2007 - 11:14 PM

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 81,920 KBD.EXE
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 02:45 PM 299,008 iTunesHelper.exe
1 File(s) 299,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/06/2006 07:21 AM 176,128 qttask.exe
1 File(s) 176,128 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 11:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 06:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 07:00 AM 13,312 ctfmon.exe
04/07/2003 09:07 AM 114,688 hkcmd.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
07/31/2002 10:28 PM 81,920 ps2.exe
4 File(s) 365,568 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 04:11 PM 54,296 ccApp.exe
12/02/2003 04:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

12/08/2005 12:55 PM 3,117,056 ypager.exe
1 File(s) 3,117,056 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

07/24/2003 04:36 AM 172,032 realsched.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 10:01 AM 176,128 sgtray.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\SONYER~1\MOBILE2\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\BAK

05/07/1998 03:04 PM 53,760 flatbed.exe
1 File(s) 53,760 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

81920 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
299008 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 16 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
303104 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
176128 Apr 6 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
135168 Apr 7 2003 "C:\hp\drivers\video\Intel\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
102400 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
3117056 Dec 8 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
172032 Jul 24 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
176128 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
53760 May 7 1998 "C:\WINDOWS\twain_32\paprport\3100b\bak\flatbed.exe"


end of report

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:28 PM

Posted 26 March 2007 - 02:06 PM

Hey there,
Copy and paste the following text into Notepad:
@echo off
rem Each pair of lines removes the swapped-in file (if present) and copies the backup back.
rem "if exist" and "del" must stay on ONE line: split over two lines, cmd rejects the "if" as a syntax error and the batch stops.
rem Folder names (Symantec Shared, Real\Update_OB, Sonic\Update Manager) follow the long paths in the FindAWF report above.
if exist "C:\HP\KBD\KBD.EXE" del /q "C:\HP\KBD\KBD.EXE"
copy "C:\HP\KBD\BAK\KBD.EXE" "C:\HP\KBD"
if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy "C:\Program Files\AIM\BAK\aim.exe" "C:\Program Files\AIM"
if exist "C:\Program Files\ITUNES\iTunesHelper.exe" del /q "C:\Program Files\ITUNES\iTunesHelper.exe"
copy "C:\Program Files\ITUNES\bak\iTunesHelper.exe" "C:\Program Files\ITUNES"
if exist "C:\Program Files\quicktime\qttask.exe" del /q "C:\Program Files\quicktime\qttask.exe"
copy "C:\Program Files\quicktime\BAK\qttask.exe" "C:\Program Files\quicktime"
if exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
copy "C:\WINDOWS\SMINST\BAK\RECGUARD.EXE" "C:\WINDOWS\SMINST"
if exist "C:\WINDOWS\SYSTEM\hpsysdrv.exe" del /q "C:\WINDOWS\SYSTEM\hpsysdrv.exe"
copy "C:\WINDOWS\SYSTEM\BAK\hpsysdrv.exe" "C:\WINDOWS\SYSTEM"
if exist "C:\WINDOWS\SYSTEM32\ctfmon.exe" del /q "C:\WINDOWS\SYSTEM32\ctfmon.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\ctfmon.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\WINDOWS\SYSTEM32\hkcmd.exe" del /q "C:\WINDOWS\SYSTEM32\hkcmd.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\hkcmd.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\WINDOWS\SYSTEM32\NeroCheck.exe" del /q "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\NeroCheck.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\WINDOWS\SYSTEM32\ps2.exe" del /q "C:\WINDOWS\SYSTEM32\ps2.exe"
copy "C:\WINDOWS\SYSTEM32\BAK\ps2.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy "C:\Program Files\Common Files\Symantec Shared\BAK\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared"
if exist "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
copy "C:\Program Files\Common Files\Symantec Shared\BAK\ccRegVfy.exe" "C:\Program Files\Common Files\Symantec Shared"
if exist "C:\Program Files\YAHOO!\messenger\ypager.exe" del /q "C:\Program Files\YAHOO!\messenger\ypager.exe"
copy "C:\Program Files\YAHOO!\messenger\BAK\ypager.exe" "C:\Program Files\YAHOO!\messenger"
if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "C:\Program Files\Common Files\Real\Update_OB\BAK\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
if exist "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" del /q "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
copy "C:\Program Files\Common Files\Sonic\Update Manager\BAK\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager"
if exist "C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\flatbed.exe" del /q "C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\flatbed.exe"
copy "C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\BAK\flatbed.exe" "C:\WINDOWS\TWAIN_32\PAPRPORT\3100B"
exit
Save this as "awf.bat". Choose to save as "All Files" and place it on your Desktop. Don't run it yet.

Reboot into Safe Mode. This is crucial - if you are not in Safe Mode the batch file will not work!

Double-click awf.bat.

Reboot back into Normal Mode again, and post me back a new findAWF log.
Thanks,
Charles

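The pairing rookie147 did by hand between the FindAWF report and the restore batch, as an added Python example that is not part of the thread or of the FindAWF tool: it parses the report's "Duplicate files" section, matches each file in a bak folder to the live file one level up, flags the pairs whose sizes differ, and emits the restore lines with "if exist" and "del" kept on one line. The report excerpt is constructed from the one posted above, and the status labels are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of a FindAWF "Duplicate files of bak directory contents"
# section, modelled on the report posted in this thread: size, date, quoted path.
SAMPLE_REPORT = r"""Duplicate files of bak directory contents

81920 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
299008 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
135168 Apr 7 2003 "C:\hp\drivers\video\Intel\hkcmd.exe"

end of report
"""

# One report line: <bytes> <Mon> <day> <year> "<path>"
ENTRY_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text):
    """Map lower-cased path -> (size, date, path as printed) for every listed file."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2), m.group(3))
    return entries


def pair_backups(entries):
    """Pair each file in a 'bak' folder with the live file one level up.

    replaced  - live file listed with a different size: the swapped-in file is
                still there, restore from bak
    same_size - live and backup sizes match: compare the two before touching them
    unlisted  - no live copy at that path in the report: check the disk by hand
                (a same-named file elsewhere, e.g. hkcmd.exe under the hp
                drivers folder, is not the live copy and is deliberately ignored)
    """
    pairs = []
    for size, date, path in entries.values():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        live = p.parent.parent / p.name
        live_entry = entries.get(str(live).lower())
        if live_entry is None:
            status, live_size = "unlisted", None
        elif live_entry[0] != size:
            status, live_size = "replaced", live_entry[0]
        else:
            status, live_size = "same_size", live_entry[0]
        pairs.append({"name": p.name, "bak": path, "live": str(live),
                      "bak_size": size, "live_size": live_size, "status": status})
    return sorted(pairs, key=lambda r: r["bak"].lower())


def restore_commands(pairs):
    """Batch lines for the 'replaced' pairs: delete the swapped-in file, copy the backup back.

    'if exist' and 'del' go on ONE line; split over two lines cmd reports a
    syntax error on the 'if' and the batch does nothing, which matches the
    'opened and closed right away' symptom reported in this thread.
    """
    cmds = []
    for r in pairs:
        if r["status"] != "replaced":
            continue
        live_dir = str(PureWindowsPath(r["live"]).parent)
        cmds.append(f'if exist "{r["live"]}" del /q "{r["live"]}"')
        cmds.append(f'copy "{r["bak"]}" "{live_dir}"')
    return cmds


if __name__ == "__main__":
    pairs = pair_backups(parse_report(SAMPLE_REPORT))
    for r in pairs:
        print(f'{r["status"]:9} {r["name"]:18} bak={r["bak_size"]} live={r["live_size"]}')
    print("\n".join(restore_commands(pairs)))
```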


#13 Rkikumy

Rkikumy
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:28 AM

Posted 28 March 2007 - 08:58 AM

When I did open the .bat program it just opened the command prompt and closed real quick. I don't know if it's supposed to do that, but I did an AWF scan anyway.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 81,920 KBD.EXE
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 02:45 PM 299,008 iTunesHelper.exe
1 File(s) 299,008 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/06/2006 07:21 AM 176,128 qttask.exe
1 File(s) 176,128 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 11:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 06:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 07:00 AM 13,312 ctfmon.exe
04/07/2003 09:07 AM 114,688 hkcmd.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
07/31/2002 10:28 PM 81,920 ps2.exe
4 File(s) 365,568 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 04:11 PM 54,296 ccApp.exe
12/02/2003 04:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

12/08/2005 12:55 PM 3,117,056 ypager.exe
1 File(s) 3,117,056 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

07/24/2003 04:36 AM 172,032 realsched.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 10:01 AM 176,128 sgtray.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\SONYER~1\MOBILE2\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\BAK

05/07/1998 03:04 PM 53,760 flatbed.exe
1 File(s) 53,760 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

81920 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
299008 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 16 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
303104 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
176128 Apr 6 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
135168 Apr 7 2003 "C:\hp\drivers\video\Intel\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
102400 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
3117056 Dec 8 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
172032 Jul 24 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
176128 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
53760 May 7 1998 "C:\WINDOWS\twain_32\paprport\3100b\bak\flatbed.exe"


end of report

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:28 PM

Posted 29 March 2007 - 04:00 PM

Hello again,
We'll try this the manual way then.
Reboot into Safe Mode.
  • Navigate to the following folder: C:\HP\KBD
    In there, you'll find the bad KBD.EXE. Delete that file.
    Then you'll see a Bak folder present in there, containing the good KBD.EXE file. Copy that file back into the C:\HP\KBD folder.
  • Navigate to the following folder: C:\Program Files\AIM
    In there, you'll find the bad aim.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good aim.exe file. Copy that file back into the C:\Program Files\AIM folder.
  • Navigate to the following folder: C:\Program Files\ITUNES
    In there, you'll find the bad iTunesHelper.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good iTunesHelper.exe file. Copy that file back into the C:\Program Files\ITUNES folder.
  • Navigate to the following folder: C:\WINDOWS\SMINST
    In there, you'll find the bad RECGUARD.EXE. Delete that file.
    Then you'll see a Bak folder present in there, containing the good RECGUARD.EXE file. Copy that file back into the C:\WINDOWS\SMINST folder.
  • Navigate to the following folder: C:\Program Files\quicktime
    In there, you'll find the bad qttask.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good qttask.exe file. Copy that file back into the C:\Program Files\quicktime folder.
  • Navigate to the following folder: C:\WINDOWS\SYSTEM
    In there, you'll find the bad hpsysdrv.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good hpsysdrv.exe file. Copy that file back into the C:\WINDOWS\SYSTEM folder.
  • Navigate to the following folder: C:\WINDOWS\SYSTEM32
    In there, you'll find the bad ctfmon.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good ctfmon.exe file. Copy that file back into the C:\WINDOWS\SYSTEM32 folder.
    Stay in the System32 folder, and repeat those steps for the following files:
    • hkcmd.exe
    • NeroCheck.exe
    • ps2.exe
  • Navigate to the following folder: C:\Program Files\Common Files\symantec
    In there, you'll find the bad ccApp.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good ccApp.exe file. Copy that file back into the C:\Program Files\Common Files\symantec folder.
    Stay in that folder, and repeat for this file:
    • ccRegVfy.exe
  • Navigate to the following folder: C:\Program Files\YAHOO!\messenger
    In there, you'll find the bad ypager.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good ypager.exe file. Copy that file back into the C:\Program Files\YAHOO!\messenger folder.
  • Navigate to the following folder: C:\WINDOWS\TWAIN_32\PAPRPORT\3100B
    In there, you'll find the bad flatbed.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good flatbed.exe file. Copy that file back into the C:\WINDOWS\TWAIN_32\PAPRPORT\3100B folder.
  • Navigate to the following folder: C:\Program Files\Common Files\Real\Update_OB
    In there, you'll find the bad realsched.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good realsched.exe file. Copy that file back into the C:\Program Files\Common Files\Real\Update_OB folder.
  • Navigate to the following folder: C:\Program Files\Common Files\Sonic\Update Manager
    In there, you'll find the bad sgtray.exe. Delete that file.
    Then you'll see a Bak folder present in there, containing the good sgtray.exe file. Copy that file back into the C:\Program Files\Common Files\Sonic\Update Manager folder.
Then reboot into Normal Mode again and post back with a new FindAWF log.
Thanks,
Charles



#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:28 PM

Posted 06 April 2007 - 11:33 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.





