PDA

View Full Version : command service and smitfraud removal help



yohohohowo
2007-05-23, 08:22
spybot cannot remove these 2 problems. i did the online virus scan. i could not find any kind of log file. but i copyied and pasted the results.

Scan Results: 36420 files scanned. 1 virus was detected.

File Infection Status Path
uq.exe Win32/Matcash.W cannot cure C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\


then i rebooted in safemode, ran spybot, and it seemed to get rid of the smitfraud problem. but i'm not sure. then i loaded windows regularly and ran hijackthis. here's my logfile.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:13:19 AM, on 5/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\SMANTE~1\winword.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\Administrator\My Documents\?ymbols\?ttrib.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E2791816-D2D8-DC79-8A0B-FEADAFB072C7} - C:\WINDOWS\System32\penuf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\SMANTE~1\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Gqeip] "C:\Documents and Settings\Administrator\My Documents\?ymbols\?ttrib.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e0e02c93ad421/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6777 bytes


let me know what i need to do, and thank you in advance for your help.

-wojtek

Shaba
2007-05-26, 21:22
Hi yohohohowo

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report

yohohohowo
2007-05-27, 01:04
my computer's been acting very strangely in the past few days. my page file seems to max out quickly and programs stop loading unless i reboot. i've tried uninstalling a lot of programs i'm not using at all.

here's my new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:57:20 PM, on 5/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e0e02c93ad421/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6121 bytes


--------------------------------------------------------------

and here is my combofix log

"Administrator" - 2007-05-26 17:48:50 Service Pack 1
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\Program Files\Common Files\Yazzle1275OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe"
"C:\WINDOWS\system32\alt.exe.exe"
"C:\WINDOWS\system32\pee.exe.exe"
"C:\WINDOWS\retadpu72.exe"
"C:\WINDOWS\system32\wnsapiisv32.exe"
"C:\18756003.exe"
"C:\WINDOWS\system32\svcp.csv"
"C:\WINDOWS\system32\winsub.xml"
"C:\WINDOWS\b136.exe"
"C:\WINDOWS\system32\wsnpoem\audio.dll"
"C:\WINDOWS\system32\wsnpoem\video.dll"
"C:\WINDOWS\system32\rpcc.dll"
"C:\WINDOWS\system32\ntos.exe"
C:\WINDOWS\system32\wsnpoem
"C:\WINDOWS\system32\wincom32.sys"
"C:\WINDOWS\system32\windev-36af-46e9.sys"
"C:\WINDOWS\system32\windev-peers.ini"

Purity Folders:

C:\WINDOWS\system32\CURITY~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\SSEMBL~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1\YMBOLS~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\windev-36af-46e9


((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))


2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-26 11:35 <DIR> d-------- C:\WINDOWS\system32\çasks
2007-05-26 03:15 133,654 --a------ C:\WINDOWS\system32\alt.exe
2007-05-23 00:31 <DIR> d-------- C:\hijackthis
2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-05-14 22:14 19,520 --a------ C:\WINDOWS\system32\E3e6v6t2.exe
2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-05-01 23:37 <DIR> d-------- C:\WINDOWS\wkwf
2007-05-01 23:37 <DIR> d-------- C:\Program Files\Common Files\wkwf
2007-05-01 23:22 <DIR> d--hs---- C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI
2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-26 22:06:48 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI\nApbtZpRtrL1x35Sv21gsqK.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=


Contents of the 'Scheduled Tasks' folder
2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
2007-05-26 15:00:31 C:\WINDOWS\tasks\At12.job
2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
2007-05-25 22:00:30 C:\WINDOWS\tasks\At19.job
2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
2007-05-25 23:00:30 C:\WINDOWS\tasks\At20.job
2007-05-26 00:00:31 C:\WINDOWS\tasks\At21.job
2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
2007-05-25 02:00:30 C:\WINDOWS\tasks\At23.job
2007-05-26 03:00:30 C:\WINDOWS\tasks\At24.job
2007-05-25 06:00:30 C:\WINDOWS\tasks\At3.job
2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
2007-05-26 09:00:31 C:\WINDOWS\tasks\At6.job
2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 17:53:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-26 17:54:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-26 17:54

--- E O F ---


i also tried downloading Service Pack 2 today. but my system froze up.

thanks again,
wojtek

Shaba
2007-05-27, 12:02
Hi

Please don't attempt installing service pack 2 until you're clean.

Please download delcmdservice (by Marckie), and save it to your Desktop.
http://users.telenet.be/marcvn/tools/delcmdservice.zip

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete these:

C:\WINDOWS\system32\çasks
C:\WINDOWS\system32\alt.exe
C:\WINDOWS\system32\E3e6v6t2.exe
C:\WINDOWS\wkwf
C:\Program Files\Common Files\wkwf
C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI

Empty Recycle Bin

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report

yohohohowo
2007-05-27, 18:05
i could not find this file to delete.

C:\WINDOWS\system32\çasks

the only thing resembling it was the tasks folder, but i wasn't going to just delete those assuming you made a typo. also when i ran the delreg.bat file. it was over in about .25 sec. i want to make sure that was normal.

here's my new hijackthis.log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:58:18 AM, on 5/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e0e02c93ad421/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6089 bytes




And here is my new combofix.txt


"Administrator" - 2007-05-27 10:49:12 Service Pack 1
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\wincom32.ini"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-26 17:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-26 11:35 <DIR> d-------- C:\WINDOWS\system32\çasks
2007-05-23 00:31 <DIR> d-------- C:\hijackthis
2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-05-01 23:37 <DIR> d-------- C:\Program Files\Common Files\wkwf
2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=


Contents of the 'Scheduled Tasks' folder
2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
2007-05-26 15:00:31 C:\WINDOWS\tasks\At12.job
2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
2007-05-26 22:01:23 C:\WINDOWS\tasks\At19.job
2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
2007-05-26 23:00:30 C:\WINDOWS\tasks\At20.job
2007-05-27 00:00:30 C:\WINDOWS\tasks\At21.job
2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
2007-05-27 02:00:30 C:\WINDOWS\tasks\At23.job
2007-05-27 03:00:30 C:\WINDOWS\tasks\At24.job
2007-05-27 06:00:30 C:\WINDOWS\tasks\At3.job
2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
2007-05-27 09:00:30 C:\WINDOWS\tasks\At6.job
2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 10:54:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-27 10:55:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 10:55
C:\ComboFix2.txt ... 2007-05-26 17:54

--- E O F ---


also. is there a way to get rid of AOL and anything resembling it.

Shaba
2007-05-27, 18:09
Hi

Yes, that bat shouldn't take long.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab

Close all windows including browser and press fix checked.

Copy text below to Notepad and save it as remfolders.bat (save it as all files, *.*)

@ECHO OFF
attrib -r -h C:\WINDOWS\system32\çasks\*.*
del /a /f /q C:\WINDOWS\system32\çasks\*.*
RD /s /q "C:\WINDOWS\system32\çasks"
attrib -r -h C:\Program Files\Common Files\wkwf\*.*
del /a /f /q C:\Program Files\Common Files\wkwf\*.*
RD /s /q "C:\Program Files\Common Files\wkwf"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Doubleclick remfolders.bat; black dos windows will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Re-run combofix

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.gif

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Post:

- a fresh HijackThis log
- combofix report
- uninstall list

yohohohowo
2007-05-27, 19:34
new hijackthis.log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:31:27 PM, on 5/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5760 bytes



------------------------------------
new combofix.txt


"Administrator" - 2007-05-27 11:53:05 Service Pack 1
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-26 17:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-23 00:31 <DIR> d-------- C:\hijackthis
2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=


Contents of the 'Scheduled Tasks' folder
2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
2007-05-27 15:00:00 C:\WINDOWS\tasks\At12.job
2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
2007-05-26 22:01:23 C:\WINDOWS\tasks\At19.job
2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
2007-05-26 23:00:30 C:\WINDOWS\tasks\At20.job
2007-05-27 00:00:30 C:\WINDOWS\tasks\At21.job
2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
2007-05-27 02:00:30 C:\WINDOWS\tasks\At23.job
2007-05-27 03:00:30 C:\WINDOWS\tasks\At24.job
2007-05-27 06:00:30 C:\WINDOWS\tasks\At3.job
2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
2007-05-27 09:00:30 C:\WINDOWS\tasks\At6.job
2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 11:54:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-27 11:55:15
C:\ComboFix-quarantined-files.txt ... 2007-05-27 11:54
C:\ComboFix2.txt ... 2007-05-27 10:55
C:\ComboFix3.txt ... 2007-05-26 17:54

--- E O F ---


-------------------------------

uninstall list


Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
AOL Uninstaller
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI Multimedia Center 8.1.0.0
Broadcom 440x 10/100 Integrated Controller
CCleaner (remove only)
Creative Jukebox Driver
DAO
Dell ResourceCD
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Full Tilt Poker
Google Toolbar for Internet Explorer
HijackThis 2.0.0
HydraVision
Intel(R) Extreme Graphics Driver
Java 2 Runtime Environment, SE v1.4.2_04
Microsoft Data Access Components KB870669
MSN Music Assistant
Nero Suite
QuickBooks Pro Edition 2004
QuickTime
RealPlayer
Sony Picture Utility
Sony USB Driver
Sound Blaster Live!
Spybot - Search & Destroy 1.4
The Rosetta Stone
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix (SP2) Q819696
WinRAR archiver
WordBiz version 1.8
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger

Shaba
2007-05-27, 19:56
Hi

Uninstall this via add/remove programs:

AOL Uninstaller (that will uninstall all AOL stuff)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

yohohohowo
2007-05-27, 21:52
here's my new hijackthis.log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:51:01 PM, on 5/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5860 bytes





and here's the kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 27, 2007 2:49:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/05/2007
Kaspersky Anti-Virus database records: 330575
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 39494
Number of viruses found: 13
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 00:27:04

Infected Object Name / Virus Name / Last Action
C:\62.tmp Infected: Packed.Win32.Tibs.y skipped
C:\65.tmp Infected: Trojan-Spy.Win32.Bancos.aam skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe NSIS: infected - 1 skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Virus.Win32.Grum.a skipped
C:\QooBox\Quarantine\C\18756003.exe.vir Infected: Trojan-Downloader.Win32.Agent.bmg skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1275OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\retadpu72.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir Infected: Packed.Win32.Tibs.y skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pee.exe.exe.vir Infected: Packed.Win32.Tibs.y skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir Infected: Trojan-Proxy.Win32.Dlena.cq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir Infected: Packed.Win32.Tibs.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\windev-36af-46e9.sys.vir Infected: Packed.Win32.Tibs.ab skipped
C:\WINDOWS\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINDOWS\b103.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b103.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b103.exe NSIS: infected - 3 skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba
2007-05-28, 09:08
Hi

Empty this folder:

C:\QooBox\Quarantine

Delete these:

C:\62.tmp
C:\65.tmp
C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

yohohohowo
2007-05-28, 11:24
new hijackthis log

ogfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:20:36 AM, on 5/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5623 bytes




and a new kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 28, 2007 4:19:17 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/05/2007
Kaspersky Anti-Virus database records: 330755
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 38054
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:26:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007052820070529\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Virus.Win32.Grum.a skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



it seems to have found a virus in the google toolbar program. should i get rid of this program? or is it generally safe once my computer is clean? also thank you so much for all your help so far. my computer seems to be performing 100 times better already.

Shaba
2007-05-28, 17:16
Hi

Yes, you should uninstall google toolbar and delete this folder:

C:\Program Files\Google

Other than that, any problems left?

yohohohowo
2007-05-28, 19:33
i ran spybot again, and it showed Smitfraud C. which it fixed no problem. can i go ahead and install sp2? or is there anything else i need to do. here's a new hijackthis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:32:58 PM, on 5/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5069 bytes

Shaba
2007-05-28, 19:41
Hi

Well next step is to install antivirus and firewall:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After that, please post a fresh HijackThis log.

yohohohowo
2007-05-28, 21:05
i installed avg and it ran clean . then i installed the comodo firewall. when i looked under the activity log. it seems to be denying about 10 things every few seconds. it says
severity-medium
Reporter-network moniter
Description- Inbound policy violation (access Denied, IP= and they're all different ips)

i just want to know if this is normal.

here's my new hijackthislog

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:53:09 PM, on 5/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176993639125
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmanager/installs/csd/https%253A%252F%252Fbillmanager.aol.com%252Fbillmanager/AutologinHelper.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6269 bytes

Shaba
2007-05-29, 09:05
Hi

Yes, that should be normal if you aren't eg. behind NAT.

Other than that, any problems?

yohohohowo
2007-05-29, 15:49
i think i'm good..... thank you for your help.

Shaba
2007-05-29, 17:30
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 1 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install also Service Pack 2.


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba
2007-06-03, 12:48
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.