Help! Falkag / amaena popups & more!!



Feemo
2007-01-02, 03:26
Hello,

My computer seems to be infected by who knows what. Spybot, Vet, Ad-aware & Defender all find things; I remove them and then run the scans again, and they continually come up!

Pop ups I'm getting are:

http://a.as-eu.falkag.net/dat/dlv/aslframe.html?dat=659712&kid=321581&xl=0&yl=0&mod=111

http://www.amaena.com/securityworm5/?ax=1&ex=1&mpt=1167704191&aid=nm_ik_wav_kw1&lid=spy&affid=nm_862_3dbf8446970f11db847900167647fa98_f8cbe7c1+b10ddd89175f48e8a8aef3938e744bc0

http://www.drivecleaner.com/.freeware/download2.php?resize=1&ad=nm_ik_wav_r5_au_en_ed2_exit&link=&aff=nm_862_3dbf8446970f11db847900167647fa98_f8cbe7c1%20b10ddd89175f48e8a8aef3938e744bc0

I also keep getting a Windows Defender warning showing 'ClickSpring.PuritySCAN'. I keep pressing Remove All, but it keeps coming up every time I go to a new page. I'm also getting an eTrust Vet Antivirus Infection Alert showing the infection Win32/Clspring.FQ.

My Internet Explorer seems to have been infected, and I've tried installing Version 7 from the Microsoft site, but halfway through the install I get the blue screen and then the computer resets itself. The blue screen also appears sporadically for no apparent reason.

Any ideas on what I can do to fix all these problems? Any advice would be greatly appreciated.

Happy New Year too!

Fiona

Feemo
2007-01-02, 05:42
:oops: Don't you hate it when people don't read the 'Read this first before posting'? OK, so I tried the Panda Online Scan but got the blue screen & the computer shut down halfway through; tried again with the same result. I ran Spybot in safe mode, then ran HijackThis, and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:49 PM, on 2/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SMANTE~1\dexplore.exe
C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.benq.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: (no name) - {77133D97-4FC6-48FD-B0D7-C91EEE2E381D} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\gidnahxa.dll
O2 - BHO: (no name) - {B8633B01-D612-4BE2-8C61-74C4F3B15AEE} - C:\WINDOWS\system32\vtssq.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{F8CBE7C1-0639-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{F8CBE7C1-0638-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0638-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O4 - HKCU\..\Run: [Auru] "C:\WINDOWS\system32\SMANTE~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Ekr] C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm930YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
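
A way to triage a HijackThis log like the one above mechanically, as an added example that is not part of this thread and not part of HijackThis itself. The script reads HJT entries and flags the patterns a helper looks at first. Every rule is a heuristic chosen for this illustration: an anonymous "(no name)" IE hook loaded straight from system32, a Run key target in a user profile or in a GUID-named folder, a Run key that launches a non-.exe, an orphaned entry, a service with no vendor string, a filename one edit away from a core Windows binary (svchosts.exe vs svchost.exe), and a '?' in a path where HijackThis could not print a character. The sample input is a subset of the log posted above; the list of core binaries is my own.

```python
import re

# Sample input: a subset of the HijackThis entries posted in this thread,
# copied from the log above so the script runs offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\gidnahxa.dll
O2 - BHO: (no name) - {B8633B01-D612-4BE2-8C61-74C4F3B15AEE} - C:\WINDOWS\system32\vtssq.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [{F8CBE7C1-0639-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O4 - HKCU\..\Run: [Ekr] C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# A Windows path ending in an executable-type extension, terminated by end of
# line, whitespace or a closing quote (HJT appends arguments and status after it).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=$|\s|")',
                     re.IGNORECASE)

# Names that malware likes to imitate; an assumed list for this example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}


def within_one_edit(a, b):
    """True if a becomes b with at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # keep a as the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution consumes a character of both
        j += 1      # insertion consumes only a character of b
    return edits + (len(b) - j) <= 1


def extract_path(text):
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage(log_text):
    """Return (reason, line) pairs for every HJT entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        code = line.split(" - ", 1)[0]          # R3, O2, O4, O23, ...
        path = extract_path(line)
        low = path.lower() if path else ""
        name = low.rsplit("\\", 1)[-1] if path else ""
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("orphaned entry: the target is no longer on disk")
        # "(no name)" alone is noise (Spybot's SDHelper.dll has no name either);
        # it is the combination with a system32 location that matters.
        if code in ("R3", "O2", "O3") and "(no name)" in line and "\\windows\\system32\\" in low:
            reasons.append("anonymous IE hook loaded straight from system32")
        if code == "O4" and path:
            if not name.endswith(".exe"):
                reasons.append("Run key launches a non-.exe target")
            if "\\documents and settings\\" in low:
                reasons.append("Run key target lives in a user profile")
            if re.search(r"\\\{[0-9a-f-]{36}\}\\", low):
                reasons.append("Run key target sits in a GUID-named folder")
        if code == "O23" and "unknown owner" in line.lower():
            reasons.append("service binary carries no vendor string")
        # HijackThis prints characters it cannot render as '?', so a '?' in a
        # path points at a lookalike directory or file name.
        if "?" in low:
            reasons.append("path has characters HijackThis could not print (lookalike name)")
        if name and name not in SYSTEM_BINARIES and any(within_one_edit(name, s) for s in SYSTEM_BINARIES):
            reasons.append("filename is one edit away from a core Windows binary")
        findings.extend((r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Note what the rules deliberately do not do: hkcmd.exe has a vowel-less name and is legitimate, which is why the script does not score names for randomness, and SDHelper.dll is listed as "(no name)" yet is Spybot's own BHO, which is why "(no name)" only counts together with a system32 location. Flags are leads for a human reviewer, not a verdict.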

pskelley
2007-01-04, 22:42
Hello and welcome to the forum. Have you resolved your issues elsewhere? If not, you need to be aware that you have a pretty good mess here and it is going to take time and effort to clean it up. I will need you to follow directions and post to ask if you do not understand something, though I will give you instructions as plain as I possibly can. I also need to ask, since this junk will attract more, that you stay offline as much as possible until you are clean. If you wish to continue, start like this.

1) Return to C:\hijackthis\HijackThis.exe <<< point the mouse at the .exe and right click, then choose "rename". Call it Feemo.exe or whatever you wish.

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If the log is large, you might need to post half in one reply and half in another.

Make sure to restart the computer and post the combofix log and a new HJT log.
Thanks

As soon as you have those logs posted, follow the instructions in this link:
http://forums.security-central.us/showthread.php?t=3165

Make sure you update the program before you run it and delete or at least quarantine anything it locates. Post those scan results as soon as you have them. That is a start!

Feemo
2007-01-08, 11:15
Hey there.. thought I might have a huge problem here, so here we go! OK, I renamed hijackthis.exe to feemo.exe. As for AVG, I downloaded that in an attempt to fix this problem but never really used it... as it was the free version, it didn't give me the option to deactivate the resident shield, so I uninstalled the program as I have VET.

Here are my logs, appreciate your help :)

Fiona - 07-01-08 20:02:42.48 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Fiona\My Documents"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{F8CBE7C1-0638-1033-1118-04100620003d}
C:\Program Files\Common Files\{38CBE7C1-0639-1033-1118-04100620003d}
C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Fiona\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Fiona\My Documents\CROSOF~1.NET\notepad.exe
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\dexplore.exe
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-12-08 to 2007-01-08 ))))))))))))))))))))))))))))))))))


2007-01-02 13:46 <DIR> d-------- C:\hijackthis
2007-01-02 13:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-02 13:17 <DIR> d-------- C:\007da66ddd89a5e392
2007-01-02 12:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-29 21:37 <DIR> d-------- C:\fafff9897ac5c98edfb668
2006-12-29 21:29 <DIR> d-------- C:\{10000001-0000-0000-0962-0A190027901B}
2006-12-29 21:29 <DIR> d-------- C:\{00003A34-0000-0000-4AE2-1453FF4CC3DB}
2006-12-29 20:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-29 18:16 <DIR> d-------- C:\ad530409a701414e0d680bd19e18
2006-12-29 17:22 57,856 --a------ C:\WINDOWS\system32\nnlpmqt.dll
2006-12-29 17:22 <DIR> d-------- C:\Program Files\Outerinfo
2006-12-29 16:50 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-29 16:20 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-29 16:02 <DIR> d-------- C:\VundoFix Backups
2006-12-29 15:26 <DIR> d-------- C:\b08fbcbc3b9ac1d3dc
2006-12-29 14:57 22,541 ---hs---- C:\WINDOWS\system32\mljkjkj.dll
2006-12-29 13:39 <DIR> d-------- C:\b2784fab85c506a9075b98
2006-12-29 12:58 72,704 --a------ C:\WINDOWS\system32\drvfer.dll
2006-12-29 12:58 22,541 ---hs---- C:\WINDOWS\system32\rqrsqol.dll
2006-12-29 10:33 72,704 --a------ C:\WINDOWS\system32\drvtuj.dll
2006-12-29 10:33 22,541 ---hs---- C:\WINDOWS\system32\awtrrqp.dll
2006-12-29 10:32 <DIR> d-------- C:\e8e925309986e7b4ca
2006-12-29 10:06 <DIR> d-------- C:\a09e99407d0fbcb338
2006-12-29 10:00 <DIR> d-------- C:\0cb0a2c3cb88e5dcb3077d3a19
2006-12-28 22:21 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-28 22:18 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-28 22:15 <DIR> d-------- C:\bfd2688386319c1f5d3470bdec055017
2006-12-28 22:11 22,541 ---hs---- C:\WINDOWS\system32\hggfebb.dll
2006-12-28 19:00 88,340 --a------ C:\WINDOWS\system32\bmdlohco.exe
2006-12-28 19:00 81,684 --a------ C:\WINDOWS\system32\xnchwirv.dll
2006-12-28 19:00 44,060 --a------ C:\WINDOWS\system32\gidnahxa.dll
2006-12-28 18:54 72,704 --a------ C:\WINDOWS\system32\drvxeb.dll
2006-12-28 18:53 22,541 ---hs---- C:\WINDOWS\system32\efcbxwv.dll
2006-12-28 18:17 <DIR> d-------- C:\Documents and Settings\Fiona\Application Data\funkitron
2006-12-28 17:48 <DIR> d-------- C:\Program Files\Shockwave.com
2006-12-20 15:29 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
2006-12-18 14:44 <DIR> d-------- C:\Documents and Settings\Fiona\Application Data\Leadertech
2006-12-16 15:46 <DIR> d-------- C:\Program Files\MySpace
2006-12-16 15:46 <DIR> d-------- C:\Documents and Settings\Fiona\Application Data\MySpace
2006-12-15 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2006-12-08 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2006-12-08 19:06 <DIR> d-------- C:\Program Files\iWin.com


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-08 20:04 -------- d-a------ C:\Program Files\Common Files
2007-01-02 13:49 -------- d-------- C:\Program Files\Windows Defender
2007-01-02 13:48 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-02 13:48 -------- d-------- C:\Program Files\MSN Messenger
2007-01-02 13:48 -------- d-------- C:\Program Files\Internet Explorer
2006-12-28 22:49 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-18 14:44 -------- d-------- C:\Documents and Settings\Fiona\Application Data\Adobe
2006-12-14 19:09 -------- d-------- C:\Program Files\Outlook Express
2006-12-14 19:09 -------- d-------- C:\Program Files\Common Files\System
2006-12-14 17:04 -------- d-------- C:\Documents and Settings\Fiona\Application Data\LimeWire
2006-12-10 19:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-04 21:26 -------- d---s---- C:\Documents and Settings\Fiona\Application Data\Microsoft
2006-12-02 18:31 -------- d-------- C:\Documents and Settings\Fiona\Application Data\Image Zone Express
2006-12-02 18:28 -------- d-------- C:\Program Files\HP
2006-12-02 18:28 -------- d-------- C:\Program Files\Common Files\HP
2006-11-28 22:21 -------- d-------- C:\Program Files\OSD
2006-11-28 22:18 -------- d-------- C:\Program Files\Common Files\Teleca Shared
2006-11-27 18:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-21 19:58 8 --a------ C:\Documents and Settings\Fiona\Application Data\NMM-MetaData.db
2006-11-20 03:02 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-17 23:08 -------- d-------- C:\Program Files\Java
2006-11-12 09:21 -------- d-------- C:\Documents and Settings\Fiona\Application Data\DivX
2006-11-10 22:41 -------- d-------- C:\Documents and Settings\Fiona\Application Data\Mozilla
2006-11-10 22:10 -------- d-------- C:\Program Files\DivX
2006-11-10 21:53 -------- d-------- C:\Program Files\Windows Media Player
2006-11-10 21:53 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-08 15:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 18:07 29744 --a------ C:\Documents and Settings\Fiona\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2006-11-02 17:59 2080 --a------ C:\Documents and Settings\Fiona\Application Data\HPSU_48BitScanUpdate.log
2006-11-02 17:57 36498 --a------ C:\Documents and Settings\Fiona\Application Data\Update_HP_RedboxHprblog_HPSU.log
2006-11-02 17:55 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-10-19 23:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 22:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 22:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47 757248 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-10-18 22:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 22:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 22:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 22:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 22:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 22:47 284160 --a------ C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 22:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 22:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 22:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 22:47 212992 --a------ C:\WINDOWS\system32\mfplat.dll
2006-10-18 22:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 22:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47 166912 --a------ C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 22:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 22:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47 133632 --a------ C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 22:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 22:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-13 22:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 22:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 22:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-09 19:51 130048 --a------ C:\WINDOWS\system32\SpoonUninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"startkey"="C:\\WINDOWS\\system32\\setup.dll"
"Auru"="\"C:\\WINDOWS\\system32\\SMANTE~1\\dexplore.exe\" -vt yazb"
"Ekr"="C:\\Documents and Settings\\Fiona\\My Documents\\??crosoft.NET\\notepad.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"QMusic2"="\"C:\\Program Files\\BenQ\\QMusic2\\QMAgent.exe\""
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"PRONoMgr.exe"="c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Vet Antivirus\\CAVRID.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"{F8CBE7C1-0639-1033-1118-04100620003d}"="\"C:\\Program Files\\Common Files\\{F8CBE7C1-0639-1033-1118-04100620003d}\\Update.exe\" mc-110-12-0000272"
"{F8CBE7C1-0638-1033-1118-04100620003d}"="\"C:\\Program Files\\Common Files\\{F8CBE7C1-0638-1033-1118-04100620003d}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-08 20:05:39.92
C:\ComboFix.txt ... 07-01-08 20:05
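
The "Files Created" section of a ComboFix log is worth triaging on its own, because the droppers seen in this thread write several files that share a size and a timestamp. As an added example that is not part of the thread and not part of ComboFix, the script below parses that section and flags hidden+system files in system32, clusters of files with identical size, and batches written to system32 within the same minute. The thresholds (three files for a size cluster, two for a same-minute batch) are my own choices for this illustration; the sample input is a subset of the listing above.

```python
import re
from collections import defaultdict

# Sample input: a subset of the "Files Created" section of the ComboFix log
# posted above, copied from that log so the script runs offline.
SAMPLE_CREATED = r"""
2007-01-02 13:46 <DIR> d-------- C:\hijackthis
2006-12-29 21:37 <DIR> d-------- C:\fafff9897ac5c98edfb668
2006-12-29 17:22 57,856 --a------ C:\WINDOWS\system32\nnlpmqt.dll
2006-12-29 16:20 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-29 14:57 22,541 ---hs---- C:\WINDOWS\system32\mljkjkj.dll
2006-12-29 12:58 72,704 --a------ C:\WINDOWS\system32\drvfer.dll
2006-12-29 12:58 22,541 ---hs---- C:\WINDOWS\system32\rqrsqol.dll
2006-12-29 10:33 72,704 --a------ C:\WINDOWS\system32\drvtuj.dll
2006-12-29 10:33 22,541 ---hs---- C:\WINDOWS\system32\awtrrqp.dll
2006-12-28 22:11 22,541 ---hs---- C:\WINDOWS\system32\hggfebb.dll
2006-12-28 19:00 88,340 --a------ C:\WINDOWS\system32\bmdlohco.exe
2006-12-28 19:00 81,684 --a------ C:\WINDOWS\system32\xnchwirv.dll
2006-12-28 19:00 44,060 --a------ C:\WINDOWS\system32\gidnahxa.dll
2006-12-28 18:54 72,704 --a------ C:\WINDOWS\system32\drvxeb.dll
2006-12-28 18:53 22,541 ---hs---- C:\WINDOWS\system32\efcbxwv.dll
2006-12-20 15:29 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
"""

# date time   size-or-<DIR>   nine-character attribute field   path
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")


def parse_created(text):
    """Turn 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({
            "when": when,
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            # ComboFix marks hidden with 'h' and system with 's' in the attribute field
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": path,
        })
    return entries


def triage_created(text, cluster_min=3, batch_min=2):
    """Map each suspicious path to the list of heuristics it trips.

    cluster_min and batch_min are thresholds chosen for this illustration."""
    entries = [e for e in parse_created(text) if not e["is_dir"]]
    findings = defaultdict(list)
    by_size = defaultdict(list)
    by_minute = defaultdict(list)
    for e in entries:
        in_sys32 = "\\windows\\system32\\" in e["path"].lower()
        if in_sys32 and e["hidden"] and e["system"]:
            findings[e["path"]].append("hidden+system attributes on a file in system32")
        by_size[e["size"]].append(e)
        if in_sys32:
            by_minute[e["when"]].append(e)
    # Several freshly created files of exactly the same size are usually copies
    # of one dropper component under different random names.
    for size, group in by_size.items():
        if len(group) >= cluster_min:
            for e in group:
                findings[e["path"]].append(f"one of {len(group)} files with identical size {size:,} bytes")
    # Files landing in system32 within the same minute were written by one
    # actor; software updates do this too, so treat it as a lead, not a verdict.
    for when, group in by_minute.items():
        if len(group) >= batch_min:
            for e in group:
                findings[e["path"]].append(f"one of {len(group)} system32 files written in the same minute ({when})")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage_created(SAMPLE_CREATED).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

Two caveats the output makes visible: nnlpmqt.dll is not flagged here although the HijackThis log loads it as both a BHO and a URLSearchHook, so file-listing triage has to be cross-checked against the loading points; and same-minute batches in system32 are exactly what a software update produces as well. The hex-named folders at C:\ in the listing are not flagged by name, since update installers commonly extract into folders like that.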

Feemo
2007-01-08, 11:16
And here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:27 PM, on 8/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\feemo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.benq.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: (no name) - {77133D97-4FC6-48FD-B0D7-C91EEE2E381D} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\gidnahxa.dll
O2 - BHO: (no name) - {B8633B01-D612-4BE2-8C61-74C4F3B15AEE} - C:\WINDOWS\system32\vtssq.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{F8CBE7C1-0639-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{F8CBE7C1-0638-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0638-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O4 - HKCU\..\Run: [Auru] "C:\WINDOWS\system32\SMANTE~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Ekr] C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm930YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

pskelley
2007-01-08, 13:23
Thanks for returning your information. Is it possible the trial period ended on AVG Anti-Spyware? The instructions for deactivating the Resident Shield are the same ones I use all of the time and this is the first time I have been told this. Take a look here:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/

If you have not, would you see if you can download that program again? These are the instructions I posted for you:

As soon as you have those logs posted, follow the instructions in this link:
http://forums.security-central.us/showthread.php?t=3165
Make sure you update the program before you run it and delete or at least quarantine anything it locates. Post those scan results as soon as you have them. That is a start!
I would like to see the results of that scan and what it removes, post it as soon as you have it!

Hey there... thought I might have a huge problem here, so here we go!
You do have a very badly infected computer and we have a lot of work to do and a long way to go. You also have a rootkit infection as shown in the combofix log:
Rootkit driver pe386 is present. A rootkit scan is required

It is very important that you read and follow all directions carefully. You may wish to print the instructions. Some fixes may remove stuff that will not be in the HJT fix, so just do not miss any.
I need to say the information from the AVG Anti-Spyware scan and the results of what it could remove were needed prior to proceeding here, so we are both at a disadvantage. Please post that scan result as soon as you have it.
Follow the instructions in the posted order, please take your time, work only when you will not be distracted and follow the directions carefully.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

4) Start > Control Panel > Add Remove Programs and uninstall PuritySCAN By OIN, OIN, OuterInfo, Bar888 or any other program you know does not belong there. If you are unsure let me know and I will look.

Thanks to andymanchesta and anyone else who helped with the fix.

5) Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


(save the reports until we finish)

6) Download http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
(next toolbar is damaged, download it again once we finish if you use it)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: (no name) - {77133D97-4FC6-48FD-B0D7-C91EEE2E381D} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\gidnahxa.dll
O2 - BHO: (no name) - {B8633B01-D612-4BE2-8C61-74C4F3B15AEE} - C:\WINDOWS\system32\vtssq.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38CBE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [{F8CBE7C1-0639-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{F8CBE7C1-0638-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0638-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O4 - HKCU\..\Run: [Auru] "C:\WINDOWS\system32\SMANTE~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Ekr] C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm930YYAU
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post: the Report.txt from SDFix, the content of the logfiles from rustbfix.exe and a new HJT log.
Please include any comments you think will help.

Thanks...Phil
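The fix list in step 7 above is built by eye from the HijackThis log: entries whose target file is missing, unnamed BHOs and search hooks, Run entries named after a GUID or pointing at a DLL, services with no vendor, and system binary names loaded from odd places. The script below is an added example (written for this thread, not code from the forum, from HijackThis or from any of the tools linked above) that applies those same triage heuristics to HJT log lines automatically. The sample lines are copied from the log posted in this thread and mixed with benign entries; the rule names, the system-binary list and the path regex are this example's own assumptions, and the rules are hints for a human to review, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines taken from the HijackThis log posted in this
# thread, mixed with benign ones, so both kinds pass through the rules below.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {7660E63C-77AF-7D50-8973-0A129242E7B1} - C:\WINDOWS\system32\nnlpmqt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B8633B01-D612-4BE2-8C61-74C4F3B15AEE} - C:\WINDOWS\system32\vtssq.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{F8CBE7C1-0639-1033-1118-04100620003d}] "C:\Program Files\Common Files\{F8CBE7C1-0639-1033-1118-04100620003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O4 - HKCU\..\Run: [Ekr] C:\Documents and Settings\Fiona\My Documents\??crosoft.NET\notepad.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# First drive-letter path ending in .exe/.dll (quotes and trailing args excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)
# Run entry whose name is a bare GUID, e.g. [{F8CBE7C1-0639-1033-1118-04100620003d}]
GUID_NAME_RE = re.compile(r'\[\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\]')
# Assumed list of Windows binaries whose names malware likes to borrow or mimic.
SYSTEM_BINARIES = {"svchost.exe", "notepad.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
WINDOWS_DIR = "c:\\windows\\"


def extract_path(line: str) -> str:
    """Return the executable/DLL path named on an HJT line, or '' if none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else ""


def check_line(line: str) -> List[str]:
    """Apply the triage heuristics to one HJT line; return the reasons it was flagged."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]           # "R3", "O2", "O4", "O23", ...
    path = extract_path(line)
    base = path.rsplit("\\", 1)[-1].lower() if path else ""

    if "(file missing)" in line:
        reasons.append("orphaned entry: target file missing")
    if section in ("O2", "R3") and "(no name)" in line:
        reasons.append("unnamed BHO/search hook")
    if section == "O4" and GUID_NAME_RE.search(line):
        reasons.append("GUID-named Run entry")
    if section == "O4" and base.endswith(".dll"):
        reasons.append("Run entry points at a DLL instead of a program")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service with no vendor name")
    if base in SYSTEM_BINARIES and not path.lower().startswith(WINDOWS_DIR):
        reasons.append(f"{base} running from outside C:\\WINDOWS")
    for sysbin in SYSTEM_BINARIES:                # svchosts.exe, scvhost.exe, ...
        if base != sysbin and base.startswith(sysbin[:-4]):
            reasons.append(f"name mimics {sysbin}")
    if "??" in path:
        reasons.append("path contains characters HJT could not display (shown as ??)")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every non-empty HJT line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Running it on the constructed sample flags six of the nine lines and leaves the Adobe BHO, the Synaptics Run entry and the CAISafe service alone, which matches the selection made by hand in step 7. Entries such as O16 ActiveX downloads or O20 Winlogon notify DLLs need rules of their own; this block only covers the patterns the thread's own fix list relies on.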

Feemo
2007-01-09, 00:40
Hi there,

I did download AVG again but when I tried running the scans I kept getting the blue screen shut down. I have just been able to run a successful scan and will post the logs in a few hours when I can connect the laptop back up to the internet, so stay tuned!

Thanks

Feemo
2007-01-10, 02:37
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:19:41 AM 9/01/2007

+ Scan result:



C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017475.dll -> Adware.MaxSearch : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061711.dll -> Adware.MaxSearch : No action taken.
C:\WINDOWS\system32\nnlpmqt.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017465.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040621.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040623.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040626.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040628.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061705.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061713.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021479.exe -> Adware.WinAntiVirus : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021477.exe -> Downloader.Agent.bca : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061701.exe -> Downloader.PurityScan.dy : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021476.exe -> Downloader.Small.edu : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP318\A0012497.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : No action taken.
C:\WINDOWS\system32\drvfer.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : No action taken.
C:\WINDOWS\system32\drvtuj.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : No action taken.
C:\WINDOWS\system32\drvxeb.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@newsinteractive.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@as-eu.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@login.tracking101[2].txt -> TrackingCookie.Tracking101 : No action taken.
C:\Documents and Settings\Fiona\Cookies\fiona@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021478.exe -> Trojan.Small : No action taken.


::Report end

Feemo
2007-01-10, 03:25
Hi Phil,

I've followed your instructions and have posted all reports below. As for step 7, when I checked the R1 etc., there were 2 items not in the list. These were:
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\setup.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Look forward to your next instructions - thanks!!


REPORT.TXT FROM SDFIX...


SDFix: Version 1.57

Wed 10/01/2007 - 11:51:51.75

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode

Service Check:

Service Name:

COM+ Messages

File Path:

"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

COM+ Messages Deleted


Starting Registry Repairs

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking Files:
--------------


Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\DOCUME~1\\Fiona\\LOCALS~1\\Temp\\win45.tmp.exe"="C:\\DOCUME~1\\Fiona\\LOCALS~1\\Temp\\win45.tmp.exe:*:Enabled:win45.tmp"
"C:\\WINDOWS\\TEMP\\win39.tmp.exe"="C:\\WINDOWS\\TEMP\\win39.tmp.exe:*:Enabled:win39.tmp"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\TEMP\\win48C.tmp.exe"="C:\\WINDOWS\\TEMP\\win48C.tmp.exe:*:Enabled:win48C.tmp"
"C:\\WINDOWS\\TEMP\\win50B.tmp.exe"="C:\\WINDOWS\\TEMP\\win50B.tmp.exe:*:Enabled:win50B.tmp"
"C:\\WINDOWS\\TEMP\\win525.tmp.exe"="C:\\WINDOWS\\TEMP\\win525.tmp.exe:*:Enabled:win525.tmp"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Remaining files with hidden attributes:

C:\COMMAND.COM
C:\NTDETECT.COM
C:\WINDOWS\system32\awtrrqp.dll
C:\WINDOWS\system32\efcbxwv.dll
C:\WINDOWS\system32\hggfebb.dll
C:\WINDOWS\system32\mljkjkj.dll
C:\WINDOWS\system32\rqrsqol.dll
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\QooBox\Purity\Documents and Settings\Fiona\My Documents\CROSOF~1.NET\notepad.exe
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\dexplore.exe
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP316\A0010471.exe
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017425.exe
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061701.exe
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061702.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp

Finished

-----------------------------------------------------------------
-----------------------------------------------------------------
PEGLOG.TXT & AVENGER.TXT (RUSTBFIX.EXE LOGS)

************************* Rustock.b-fix -- By ejvindh *************************
Wed 10/01/2007 12:00:22.06

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69670
Total size: 69670 bytes.
Attempting to remove ADS...
system32: deleted 69670 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jqwtconb

*******************

Script file located at: \??\C:\pfusudyw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------------------------------
-----------------------------------------------------------------
HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:15:57 PM, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\feemo.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.benq.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

pskelley
2007-01-10, 12:59
Run AVG Anti-Spyware again and this time choose delete or at least quarantine, post the scan results.

C:\Program Files\Java\jre1.5.0_09\ <<< Update your Java program.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

C:\WINDOWS\system32\SearchIndexer.exe
searchindexer.exe is a service belonging to Windows Vista
Are you running Vista on this computer also?

I don't need to see another HJT log, just the AVG AS scan results. Update Java, supply the information I requested and let me know how the computer is running.

Thanks

Feemo
2007-01-11, 02:36
Hi Phil,

I updated Java & ran another AVG scan & deleted the objects found.

What is Windows Vista? I'm not intentionally running it as I've never heard of it so let me know what you think I should do..

As for how the computer is running, I'm only using it to correspond with you and for the fixes and the major thing is that it hasn't done the blue screen shut down since yesterday's fixes and overall seems fine.

How are we looking? Are we nearly there? Or is that wishful thinking?!?! :rolleyes:

Here are the AVG scan results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:29:54 AM 11/01/2007

+ Scan result:
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017475.dll -> Adware.MaxSearch : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061711.dll -> Adware.MaxSearch : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP390\A0063827.dll -> Adware.PurityScan : Cleaned.
C:\hijackthis\backups\backup-20070110-121136-120.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017465.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040621.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040623.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040626.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP363\A0040628.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061705.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061713.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021479.exe -> Adware.WinAntiVirus : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021477.exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP386\A0061701.exe -> Downloader.PurityScan.dy : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021476.exe -> Downloader.Small.edu : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP318\A0012497.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\WINDOWS\system32\drvfer.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\WINDOWS\system32\drvtuj.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\WINDOWS\system32\drvxeb.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\Documents and Settings\Fiona\Cookies\fiona@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Fiona\Cookies\fiona@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021478.exe -> Trojan.Small : Cleaned.

::Report end

Thanks!

pskelley
2007-01-11, 03:54
OK and thanks for the follow-up. This item:
C:\WINDOWS\system32\SearchIndexer.exe is scanning as:
http://www.processlibrary.com/directory/files/searchindexer/
http://www.liutilities.com/products/wintaskspro/processlibrary/searchindexer/
If you don't know why it is on your computer, check it with: http://virusscan.jotti.org/
If it scans as a safe file, don't worry about it.

Everything is looking good, if you are back to normal, you are good to go. You can remove the tools we downloaded for the fixes. You can keep ATF-Cleaner if you wish. Here is a tutorial for its use:
http://forums.security-central.us/showthread.php?t=1925

Let's clean the System Restore files like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
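To show why the helper treats the restore-point hits in the AVG report differently from the drv*.dll files found live in system32 (and why the System Restore flush above is the follow-up for the former), here is an added Python triage script; it is not part of the thread or of AVG Anti-Spyware, and the sample report is constructed from a handful of the report lines posted earlier.

```python
import re

# Constructed sample in the "<path> -> <detection> : <action>." format of the
# AVG Anti-Spyware report posted in the thread (a handful of its lines, verbatim).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP327\A0017475.dll -> Adware.MaxSearch : Cleaned.
C:\hijackthis\backups\backup-20070110-121136-120.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\drvfer.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\WINDOWS\system32\drvtuj.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned.
C:\Documents and Settings\Fiona\Cookies\fiona@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\System Volume Information\_restore{9765B21E-CD21-40A7-A497-781AAA26CABF}\RP334\A0021478.exe -> Trojan.Small : Cleaned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>[^:]+?) : (?P<action>\w+)\.?\s*$")


def parse_report(text):
    """Yield (path, detection, action) for each result line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name"), m.group("action")


def classify(path):
    """Bucket a hit by location; the bucket decides the follow-up, not the detection name."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"    # inert copy; gone once System Restore is flushed
    if "\\hijackthis\\backups\\" in p:
        return "tool_backup"      # HijackThis's copy of an item already removed
    if "\\cookies\\" in p:
        return "tracking_cookie"  # data file, no executable code
    return "live"                 # on the running system: re-check after reboot


def triage(text):
    """Group parsed hits by bucket: {bucket: [(path, detection, action), ...]}."""
    buckets = {}
    for hit in parse_report(text):
        buckets.setdefault(classify(hit[0]), []).append(hit)
    return buckets


def live_hits(text):
    """Paths cleaned from the running system, the ones worth confirming are still gone."""
    return [path for path, _, _ in triage(text).get("live", [])]


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket:15} {len(hits)} hit(s)")
    print("live:", live_hits(SAMPLE_REPORT))
```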