View Full Version : I get popups and Trojans, AVG and S&B dn't remove them, or they reappear
Logfile of HijackThis v1.99.1
Scan saved at 10:47:30 a.m., on 9/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\linkprd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\??sks\j?vaw.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://au.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://au.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://au.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://au.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://au.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
miekiemoes
2007-06-09, 08:01
Hello,
* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Thx for your assistance,:heart:
Ran Combo Fix, it says it's found 'look2me', then does nothing for 4 minutes, then the desktop dissappears and an error window opens which reads: 'C:\WINDOWS\SYSTEM32\CMD.COM IS NOT A VALID WIN32 APPLICATION'
This window won't close when I click OK, I have to close the CMD PROMPT window, then I'm left with a blue screen with the mouse pointer active so I have to rebbot from the power button.
I've run COMBOFIX in both normal and safe modes.... but to no avail...
I look forward to your suggestions, BELIEVE ME!:sad:
miekiemoes
2007-06-10, 13:39
Hi,
Looks like you were dealing with the Alcan/Alcra worm previously as well which created a dummy cmd.com.
Please close combofix and the cmd.com window.
Then,
Perform next step first to fix what the Alcan/Alcra worm modified.
* Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to a folder of it’s own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.gif
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:
http://metallica.geekstogo.com/alcanshorty.bfu
Click Ok.
Then click execute in Brute Force Uninstaller.
Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.
Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program
Then try Combofix again. Please don't run Combofix in Windows safe mode, because it's not that effective there. Combofix should be run in Windows Normal mode..
Wow, r u single?:heart:
Here's the combo fix log, I'll post the hijackthis one in a minute!
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-11 0:10:30 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\InprocServer32]
@="C:\\WINDOWS\\system32\\wahtcpip.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\InprocServer32]
@="C:\\WINDOWS\\system32\\pVpgasvc.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\InprocServer32]
@="C:\\WINDOWS\\system32\\dBdim700.dll"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
C:\WINDOWS\system32\aqi2cqag.dll
C:\WINDOWS\system32\avptif.dll
C:\WINDOWS\system32\cVpesnpn.dll
C:\WINDOWS\system32\FV20ENU.DLL
C:\WINDOWS\system32\ii32_32.dll
C:\WINDOWS\system32\j42qlef51h2.dll
C:\WINDOWS\system32\jt8207loe.dll
C:\WINDOWS\system32\jtjo0713e.dll
C:\WINDOWS\system32\mktscax.dll
C:\WINDOWS\system32\mxlbui.dll
C:\WINDOWS\system32\nlmkcert.dll
C:\WINDOWS\system32\p64u0gh9e64.dll
C:\WINDOWS\system32\sts.dll
Granting SeDebugPrivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Guest\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\Guest\APPLIC~1\Dxcuknwrd.dll
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Owner\APPLIC~1.\pppatc~1
C:\DOCUME~1\Owner\APPLIC~1.\racle~1
C:\DOCUME~1\Owner\APPLIC~1\Dxccwrd.dll
C:\DOCUME~1\Owner\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\Owner\APPLIC~1\Dxcuknwrd.dll
C:\Program Files\Common Files\{AC22A~1
C:\Program Files\Common Files\{AC22A~1\Update.exe
C:\Program Files\Common Files\{AC22A~2
C:\Program Files\Common Files\{AC22A~2\system.dll
C:\Program Files\Common Files\{AC22A~2\Update.exe
C:\Program Files\deluxecommunications
C:\Program Files\deluxecommunications\Dxc.exe
C:\Program Files\deluxecommunications\DxcBho.dll
C:\Program Files\deluxecommunications\DxcCore.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\j?vaw.exe
C:\Program Files\smante~1
C:\Program Files\tclock\tclock_install.exe
C:\Program Files\windows
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\T1
C:\WINDOWS\system32\T1\nic32.exe
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\asdll.exe
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\windows.exe
C:\WINDOWS\system32\wnstsiit32.exe
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_NM
-------\LEGACY_NPF
-------\core
-------\nm
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))
2007-06-11 00:09 <DIR> d-------- C:\bintheredunthat
2007-06-11 00:02 <DIR> d-------- C:\BFU
2007-06-10 21:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 19:29 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-09 18:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-09 15:34 2,044 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-08 23:48 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-08 23:48 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-08 23:48 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-08 23:48 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-08 23:48 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-08 23:48 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-08 23:48 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-08 23:48 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-06-08 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-08 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-08 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-08 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-08 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-08 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-08 20:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-08 11:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-08 11:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-08 10:11 <DIR> d-------- C:\SmitRem
2007-06-08 08:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 18:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-31 18:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 18:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 18:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-28 20:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-27 12:29 60,928 --a------ C:\WINDOWS\system32\igej.dll
2007-05-27 12:29 <DIR> d-------- C:\WINDOWS\system32\T3QaSQ
2007-05-26 09:01 <DIR> d-------- C:\Program Files\DC++
2007-05-25 22:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-25 22:44 2,301 --a------ C:\WINDOWS\mozver.dat
2007-05-25 15:34 <DIR> d-------- C:\Program Files\Google
2007-05-25 15:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-25 15:28 15,714,552 --a------ C:\Program Files\Google_Earth_BZXV.exe
2007-05-23 03:15 <DIR> d--hs---- C:\UWA7P
2007-05-23 03:14 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-23 03:14 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-23 03:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 02:26 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free
2007-05-23 01:57 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-05-23 01:57 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-05-23 01:57 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-05-23 01:57 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-05-23 01:57 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-05-23 01:57 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-05-23 01:57 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-23 01:57 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-05-22 23:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 23:43 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-21 04:08 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ableton
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
2007-05-14 18:54 <DIR> d-------- C:\Program Files\Vodei
2007-05-13 13:48 42,333 --a------ C:\WINDOWS\system32\xrljvnocxl.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 12:14:05 -------- d-----w C:\Program Files\TClock
2007-06-09 04:28:07 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-08 10:06:32 -------- d-----w C:\Program Files\DivX
2007-05-31 16:32:21 -------- d-----w C:\Program Files\Common Files\wwmf
2007-05-30 07:48:40 -------- d-----w C:\Program Files\ErrorSafe Free
2007-05-29 09:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 09:58:06 -------- d-----w C:\Program Files\Microsoft Works
2007-05-25 06:12:21 10,706 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-25 01:27:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-05-22 12:25:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-20 10:04:54 -------- d-----w C:\Program Files\Cooledit
2007-05-19 06:51:27 -------- d-----w C:\Program Files\VirtualDJ
2007-05-09 02:18:02 35,247 ----a-w C:\WINDOWS\system32\wlnwli.exe
2007-05-08 15:42:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
2007-05-08 15:16:10 151,320 ----a-w C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
2007-05-08 01:39:28 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-06 06:43:04 -------- d-----w C:\Program Files\BitTorrent
2007-05-03 06:15:26 -------- d-----w C:\Program Files\WinPcap
2007-05-02 16:47:55 -------- d-----w C:\Program Files\Folder Lock
2007-05-01 10:58:00 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-01 09:21:17 -------- d-----w C:\Program Files\MSN Messenger
2007-04-30 23:13:25 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 20:09:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 10:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 10:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 10:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 10:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 10:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 10:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 10:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 10:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 10:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 23:50:44 -------- d-----w C:\Program Files\City Interactive
2007-04-06 08:53:40 53,248 ----a-w C:\WINDOWS\system32\suppdll.dll
2007-04-06 08:53:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 00:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB}=C:\WINDOWS\system32\igej.dll [2007-05-22 01:59]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-31 23:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 22:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"Bphleb"="C:\Program Files\??sks\j?vaw.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=
"RunNarrator"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
C:\\dfndrff_e21.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glxmhsq]
C:\Documents and Settings\Owner\Application Data\?ppPatch\c?rss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\ipwins\ipwins.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\kybrdff_e21.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"c:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ncn3e446]
RUNDLL32.EXE w28ef03e.dll,n 0053e4410000000a28ef03e
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
C:\\nwnmc_4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
"C:\PROGRA~1\SMANTE~1\taskmgr.exe" -vt yazr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
C:\Program Files\outlook\outlook.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVModule]
C:\PROGRA~1\PRINTV~1\pvmodule.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
winlog.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwmf]
C:\PROGRA~1\COMMON~1\wwmf\wwmfm.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-06 07:43:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-22 08:52:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1090486217.job
2004-11-04 00:36:16 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 00:18:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WNBackup
C:\WINDOWS\ws2setup.log
C:\WINDOWS\wsdu.log
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\wwmf
C:\WINDOWS\xobglu16.dll
C:\WINDOWS\xobglu32.dll
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\yacs.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
**************************************************************************
Completion time: 2007-06-11 0:21:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-11 00:21
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 12:32:42 a.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
miekiemoes
2007-06-10, 15:07
Hi,
What a mess... We still have a lot to delete here though..
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\igej.dll
C:\WINDOWS\system32\xrljvnocxl.exe
C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
C:\WINDOWS\system32\wlnwli.exe
Folder::
C:\bintheredunthat
C:\BFU
C:\SmitRem
C:\UWA7P
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\TClock
C:\Program Files\Common Files\wwmf
C:\Program Files\ErrorSafe Free
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
C:\WINDOWS\system32\T3QaSQ
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=-
"Bphleb"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glxmhsq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ncn3e446]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVModule]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwmf]
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
:heart:
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-11 1:29:41 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\BFU
C:\BFU\alcanshorty.bfu
C:\BFU\BFU.exe
C:\BFU\bfu.zip
C:\bintheredunthat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\history.db
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\wwmf
C:\Program Files\Common Files\wwmf\wwmfa.lck
C:\Program Files\Common Files\wwmf\wwmfd\class-barrel
C:\Program Files\Common Files\wwmf\wwmfd\vocabulary
C:\Program Files\Common Files\wwmf\wwmfd\wwmfc.dll
C:\Program Files\Common Files\wwmf\wwmfl.lck
C:\Program Files\Common Files\wwmf\wwmfm.lck
C:\Program Files\ErrorSafe Free
C:\Program Files\ErrorSafe Free\activate.dat
C:\Program Files\ErrorSafe Free\appupdate.dat
C:\Program Files\ErrorSafe Free\bnlink.dat
C:\Program Files\ErrorSafe Free\DataBase.sav
C:\Program Files\ErrorSafe Free\errors.log
C:\Program Files\ErrorSafe Free\errorsafe.xml
C:\Program Files\ErrorSafe Free\ers.url
C:\Program Files\ErrorSafe Free\flash.ini
C:\Program Files\ErrorSafe Free\FRec.dll
C:\Program Files\ErrorSafe Free\FWraper.dll
C:\Program Files\ErrorSafe Free\FxCore.dll
C:\Program Files\ErrorSafe Free\InstHelp.exe
C:\Program Files\ErrorSafe Free\lapv.dat
C:\Program Files\ErrorSafe Free\license.rtf
C:\Program Files\ErrorSafe Free\lock.dat
C:\Program Files\ErrorSafe Free\MMFx.dll
C:\Program Files\ErrorSafe Free\Program.sav
C:\Program Files\ErrorSafe Free\pv.dat
C:\Program Files\ErrorSafe Free\sr.log
C:\Program Files\ErrorSafe Free\support.url
C:\Program Files\ErrorSafe Free\trace.log
C:\Program Files\ErrorSafe Free\UERS.dmp
C:\Program Files\ErrorSafe Free\unins000.dat
C:\Program Files\ErrorSafe Free\unins000.exe
C:\Program Files\ErrorSafe Free\update.log
C:\Program Files\ErrorSafe Free\updater.dat
C:\Program Files\ErrorSafe Free\wsres.sys
C:\Program Files\TClock
C:\Program Files\TClock\tcdll.tclock
C:\Program Files\TClock\tclock.exe
C:\Program Files\TClock\tclock.ini
C:\SmitRem
C:\SmitRem\delfiles.cmd
C:\SmitRem\Process.exe
C:\SmitRem\pv.exe
C:\SmitRem\RunThis.bat
C:\SmitRem\smitRem.exe
C:\SmitRem\swreg.exe
C:\UWA7P
C:\WINDOWS\system32\igej.dll
C:\WINDOWS\system32\T3QaSQ
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wlnwli.exe
C:\WINDOWS\system32\xrljvnocxl.exe
((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))
2007-06-11 00:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 00:22 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-10 21:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 19:29 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-09 18:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-08 23:48 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-08 23:48 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-08 23:48 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-08 23:48 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-08 23:48 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-08 23:48 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-08 23:48 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-08 23:48 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-06-08 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-08 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-08 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-08 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-08 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-08 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-08 20:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-08 11:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-08 11:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-08 08:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 18:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-31 18:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 18:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 18:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-28 20:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-26 09:01 <DIR> d-------- C:\Program Files\DC++
2007-05-25 22:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-25 22:44 2,301 --a------ C:\WINDOWS\mozver.dat
2007-05-25 15:34 <DIR> d-------- C:\Program Files\Google
2007-05-25 15:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-25 15:28 15,714,552 --a------ C:\Program Files\Google_Earth_BZXV.exe
2007-05-23 03:14 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-23 01:57 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-05-23 01:57 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-05-23 01:57 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-05-23 01:57 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-05-23 01:57 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-05-23 01:57 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-05-23 01:57 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-23 01:57 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-05-22 23:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 23:43 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-21 04:08 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ableton
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
2007-05-14 18:54 <DIR> d-------- C:\Program Files\Vodei
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-09 04:28:07 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-08 10:06:32 -------- d-----w C:\Program Files\DivX
2007-05-29 09:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 09:58:06 -------- d-----w C:\Program Files\Microsoft Works
2007-05-25 06:12:21 10,706 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-25 01:27:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-05-22 12:25:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-20 10:04:54 -------- d-----w C:\Program Files\Cooledit
2007-05-19 06:51:27 -------- d-----w C:\Program Files\VirtualDJ
2007-05-08 01:39:28 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-06 06:43:04 -------- d-----w C:\Program Files\BitTorrent
2007-05-03 06:15:26 -------- d-----w C:\Program Files\WinPcap
2007-05-02 16:47:55 -------- d-----w C:\Program Files\Folder Lock
2007-05-01 10:58:00 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-01 09:21:17 -------- d-----w C:\Program Files\MSN Messenger
2007-04-30 23:13:25 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 20:09:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 10:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 10:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 10:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 10:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 10:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 10:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 10:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 10:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 10:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 23:50:44 -------- d-----w C:\Program Files\City Interactive
2007-04-06 08:53:40 53,248 ----a-w C:\WINDOWS\system32\suppdll.dll
2007-04-06 08:53:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 00:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-31 23:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 22:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=
"RunNarrator"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"c:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-06 07:43:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-22 08:52:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1090486217.job
2004-11-04 00:36:16 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 01:33:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WNBackup
C:\WINDOWS\ws2setup.log
C:\WINDOWS\wsdu.log
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\wwmf
C:\WINDOWS\xobglu16.dll
C:\WINDOWS\xobglu32.dll
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\yacs.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
scan completed successfully
hidden files: 24
**************************************************************************
Completion time: 2007-06-11 1:34:14
C:\ComboFix-quarantined-files.txt ... 2007-06-11 01:33
C:\ComboFix2.txt ... 2007-06-11 00:21
--- E O F ---
miekiemoes
2007-06-10, 15:40
Hi,
Delete next folder: C:\Qoobox
* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click "Delete".
Click "Delete Files", "Delete cookies" and "Delete history"
Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below.. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window
* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
I still want you to do an additional scan though, because there will be a lot of leftovers still present - especially since you are already dealing with some malware for at least 1 year :fear:
Do next please..
Please download, install, and update AVG Anti-Spyware (http://www.ewido.net/en/download/)
Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG Anti-Spyware and reboot!!
Post the contents of the AVG Anti-Spyware log you saved in your next reply together with a new HijackThislog.
:angel:
Logfile of HijackThis v1.99.1
Scan saved at 1:39:36 a.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
miekiemoes
2007-06-10, 15:42
See my previous post :)
I just tried to follow ur instructions but Internet Options does'nt appear to be laid out as u said
There is no 'browsing history'> 'delete' in general tab and under 'privacy tab' there is no 'clear now'
:oops:
I'm lost at the internet options part and I'm embarrased too!
miekiemoes
2007-06-10, 16:48
Ah, I see, you don't have Internet Explorer 7 installed.
Here are the instructions for IE6: http://www.microsoft.com/windows/ie/ie6/using/howto/customizing/clearcache.mspx
:bigthumb:
I think I got it all done BUT, AVG didn't save a report, or at least I can't find it! I did follow ALL your instructions, I promise I did! Do I need to run ANOTHER full AVG scan or is this hijackthis log going to be enough! While I have you, I do want to do as much as possible to eradicate this problem and prevent it from reoccuring... I let my flatmates use a guest account for emails... is there a way I can stop them from hitting porn sites by restricting the guest account somehow to max security?
Logfile of HijackThis v1.99.1
Scan saved at 3:21:45 a.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
:heart:
Thanks to you:angel:
My PC is already running heeeeeeeaps better, the popups have gone to!!
I would marry someone as helpful and intelligent as you are;)
AVG did find about 20 things, they are all now in quarintine... including a couple of nasty looking Trojans > Rootkits and high risk, plus a bunch of tracking cookies.:fear:
AVG says it found 84 problems but only 42 are quarintined, unless it deleted some, which I think it did
miekiemoes
2007-06-10, 18:30
Hi,
Just let AVG delete everything it is finding. That's also why I asked to perform a scan with it, because many leftovers would still be present.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZB
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs: Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now..
Hi,
Everything seems to run much better. Avg isn't finding as much crap as it was. I do seem to have picked something else up:sad:
I have banned all use of this PC except by myself until these issues are resolved.
Now in the system tray I have a little red sheild that alternates to a question mark and gives a system warning for spyware... suprise, suprise...
It links to 'spycrush'.com and spybot, avg, combofix don't fix it!! grrrr!
Here is my latest Hijack Log after having followed all your steps including updating Java
Logfile of HijackThis v1.99.1
Scan saved at 4:34:51 p.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {DF4E7A0C-E233-4906-B4C1-A404356541FF} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Also, everytime reboot my windows firewall turns itself off on restart.
:fear:I was just reading some other threads and one of your team has mentioned that installing service pack 2 while infected is a BAD IDEA!!.. SHIT!!
All that crap that you discovered on my PC was preventing windows updates from being D/L'ed, hence my system being so far behind.
Upon removal of some of this spyware, the first thing my windows did was update itself, with lots of updates including SP2...
I get the feeling my troubles are not nearly over and I just ask for you to keep this in mind as you so kindly guide me towards the peacefulness of a clean PC.
I would also like to say that I have never, ever ended up with my PC in such a bad state of infection... is Spybot S&D + AVG free Edition enough to keep my PC safe once you have helped me clean it?:red:
Should I remove it?:fear:
c:\sccfg.sys,Hidden File
:fear::fear::fear:
miekiemoes
2007-06-11, 07:36
Hi,
Have you been trying to download and install a codec to watch a video? Because that's how you got infected..
Do next please..
* Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.
* Doubleclick SmitFraudFix to start the tool.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
(Warning : running option #2 will set your desktop background blank again. But you can reapply your desktop background again afterwards
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process.
Post the log from smitfraudfix in your next reply together with a new hijackthislog.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
c:\sccfg.sys is a part of FolderLock.
I'm sure it's my flatmates hitting the porn sites, can I do anything to stop them d/l'ing? or is it easier just to not let them use the PC? I really need to let them check their emails THATS ALL!!
Doin the smitfraud thing now, do u want a hijack log after that?
I guess you are starting to hate me by now!:red:
Ran SmitfraudFix, that stooopid little system warning is still in the task bar 'Spycrush'. Here's the latest Hijack log anyways...
Logfile of HijackThis v1.99.1
Scan saved at 6:00:45 p.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {DF4E7A0C-E233-4906-B4C1-A404356541FF} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
miekiemoes
2007-06-11, 08:05
I am sorry to hear that it's because of your flatmates that this computer gets infected all the time. Best what you can do here is talk to them, explain the dangers of the internet and create another useraccount with restricted rights and passwordprotect your useraccount.
Because, as you said, they mainly want to read their mails.
Read here about useraccounts and how to create them:
http://www.microsoft.com/windowsxp/using/setup/winxp/accounts.mspx
But we have to get rid of malware first, so perform my steps and yes, post a new HijackThislog afterwards as resquested :)
Edit - never mind I see you already posted the logs. Gimme a minute to analyze them.
miekiemoes
2007-06-11, 08:07
Do you have the log from Smitfraudfix? because that log is important..
It's on your C:\ with the name rapport.txt
Also, check and fix next entry in HijackThis:
O3 - Toolbar: Protection Bar - {DF4E7A0C-E233-4906-B4C1-A404356541FF} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
This because I do NOT recommend p2p programs starting up with Windows.
I didn't update smitfraudfix last time before the scan:red:
But I did this time and it seems to have healed that scum spyware in the task bar... here's the log
SmitFraudFix v2.195
Scan done at 19:54:43.25, Mon 11/06/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6f396a67-f473-48c9-9950-636ce17e584e}"="hellenophile"
[HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\yesgnhr.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\yesgnhr.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer=202.74.207.10,202.74.207.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer=202.74.207.10,202.74.207.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer=202.74.207.10,202.74.207.100
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Do you think this PC might be nearly clean? I don't have any idea but you seem to be very schooled up so I guess you will know... also, do you think I had or have anything really bad like these 'backdoor trojans' I've heard about...the ones where you can never really trust your PC again unless you reformatt?
......and, why does the firewall turn off and the pc tells me I have no antivirus when AVG shows in the system tray?:heart:
:)I just sent a big thankyou to yourself and this site for all your patience and helpfullness.... I think the whole world should know how awesome you are..(and the site). I want to donate but I obviously want to make sure my PC is safe and protected before I type in my C/C numbers!!
And I told them they have to buy you a coffee, or, hot chocolate or whatever k?:bigthumb:
miekiemoes
2007-06-11, 10:46
Hi,
Can you also post a new HijackThislog please?
Concerning your Security center complaining about your Antivirus, make sure it's up to date (Your AVG).
Also, I recommend you install a desktop Firewall instead of using the Windows Firewall, because the Windows Firewall is not powerful enough.
Take a look at this link for the firewalls I recommend: http://users.telenet.be/bluepatchy/miekiemoes/Links.html#Firewalls
You were dealing with A LOT of infections including backdoors - for which you feared.
That's why I suggest you change all your passwords.
Also, I am a bit disappointed that you already had AVG Antivirus installed and it actually didn't find/removed that much, because when I look at the Combofix log - it still deleted a LOT of malware afterwards.
There's still another thing I would like to check though.;
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply as well...
In all fairness, I didn't install AVG untill AFTER I started to have problems:red:
miekiemoes
2007-06-11, 11:35
Then it looks like you never scanned with it previously after you got infected, because as i already said, it's hard to believe that AVG didn't delete so many malware present...
Ok, I'm not sure whats going on anymore...is all this working or is it likely I'll have to reformatt? Here are the latest logs you need.
Logfile of HijackThis v1.99.1
Scan saved at 9:18:27 p.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
:bigthumb:
06/11/07 22:11:33 [Info]: BlackLight Engine 1.0.61 initialized
06/11/07 22:11:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/11/07 22:11:33 [Note]: 7019 4
06/11/07 22:11:33 [Note]: 7005 0
06/11/07 22:11:37 [Note]: 7006 0
06/11/07 22:11:37 [Note]: 7011 3188
06/11/07 22:11:37 [Note]: 7026 0
06/11/07 22:11:37 [Note]: 7026 0
06/11/07 22:11:38 [Note]: FSRAW library version 1.7.1021
06/11/07 22:11:40 [Info]: Hidden file: c:\sccfg.sys
06/11/07 22:11:40 [Note]: 10002 1
06/11/07 22:11:42 [Note]: 7006 0
06/11/07 22:11:42 [Note]: 7011 3188
06/11/07 22:11:42 [Note]: 7026 0
06/11/07 22:11:42 [Note]: 7026 0
06/11/07 22:11:44 [Note]: FSRAW library version 1.7.1021
06/11/07 22:11:44 [Info]: Hidden file: c:\sccfg.sys
06/11/07 22:11:44 [Note]: 10002 1
06/11/07 22:37:41 [Note]: 7007 0
:cool:
miekiemoes
2007-06-11, 12:57
Hi,
No need to reformat. The malware you were dealing with were not that nasty and we could deal with it without any problems. But I always recommend to change passwords after being infected.
Your logs look ok again.
As I already explained previously, the hidden file c:\sccfg.sys is related with FolderLock, so don't worry about that one. :)
How are things now?
Everything seems to be running good. :crowned:
What harm can someone do with the passwords for my email and logins? I don't bank online all though I have used my credit card once not to long ago to order some records/vinyl online... should I call the bank and change that?
Do you think my PC is now safe and is AVG Free + Spybot enough to keep me safe? I went to the link you gave me for firewalls and downloaded one, I clicked 'run' on the d/l prompt but I never got an install prompt, so, I guess I might need to redo that, do you think?
AND..............Thanks so much, it is so good to know there are people like you in the world who don't EXPECT a C/C number.:angel:
I'm doin a scan with AVG trial and its picked up a few things but they look like legitimate entries.
Would you like to look at logs from any particular scan programmes before I let you go to be sure... or do you think I am safe... you are the expert so I will trust what you say:heart:
Thanks again, Sincerely, David
miekiemoes
2007-06-11, 14:04
What harm can someone do with the passwords for my email and logins?well, if they could gather your username and password, they can just change your password so you won't have access to it anymore.
I don't bank online all though I have used my credit card once not to long ago to order some records/vinyl online... should I call the bank and change that?You should be ok here.
I went to the link you gave me for firewalls and downloaded one, I clicked 'run' on the d/l prompt but I never got an install promptI don't know which one you tried to download, but I always save the installer on my desktop and then run it from there...
I'm doin a scan with AVG trial and its picked up a few things but they look like legitimate entries.Yes, let me know what it is finding...
It found these and says action taken (deleted)
TrackingCookie.Addynamix
TrackingCookie.Casalmedia
TrackingCookie.Doubleclick
TrackingCookie.Fastclick
TrackingCookie.2o7
TrackingCookie.Msn
TrackingCookie.Tribalfusion
Do you think I'm good to go... If u like, you can add me in msn, I would like to learn more from you:angel: You have been really, really awesome
Dj_Ruckus01 AT hotmail.com:red:
miekiemoes
2007-06-11, 16:24
Hi,
Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends what sites you visit.
Everyone has them. They are even present on the MSN startpage, Yahoo startpage...
You may also want to read next:
http://www.spywareinfo.com/articles/cookies/
http://www.mvps.org/winhelp2002/cookies.htm
If you want to manage your cookies you can use next programs:
For Internet explorer: CookieWall (http://www.analogx.com/contents/download/network/cookie.htm)
For Firefox: CookieSafe (https://addons.mozilla.org/en-US/firefox/addon/2497)
Keep in mind that you're not supposed to block every cookie, because some cookies are required.
Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.
I've "munged" your mailaddress, because it's a bad idea to post mailaddresses in public. This since spambots may harvest your address and send you spam - unless you like spam :P
Thank you for the msn offer, but I don't use instant messengers anymore, this since I don't have the time for it anyway (too busy with helping people and analyzing malware :) )
Yes, your system should be ok now. Glad I could help. :)
Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).
Happy Surfing again!
miekiemoes
2007-06-11, 16:37
You're welcome :bigthumb:
I have been following your links and registered with bleeping computerss
...Fantastic!!:bigthumb:
I ran the PC Optimizer, and now it wants PAYMENT!! grr
But it did do something I wanted to happen... it says it can remove programmes that aren't installed properly... I am having difficulty removing about 3 or 4 programmes as they are missing files or something.... you want to help me with that or should i bark up someone elses tree for a change?:D:
miekiemoes
2007-06-11, 19:05
I guess you installed the PC Optimizer thing. In my link, I was actually referring to the online analysis. :)
Anyway, what programs do you want to remove?
;)
-Max Pain- only wants to run the install when I try to remove it.
-Jump Start Learning ABC- won't remove
-MAX FX TOOlS- can go if it is part of Max Payne to:bigthumb:
Thats about it, they just annoy me 'cause they r a waste of space
miekiemoes
2007-06-11, 20:01
Hi,
It could be possible that the programs are already removed previously, just leaving some entries and files behind after uninstalling. Some games actually leave the installer file still present as well as the registry entry under add/remove programs, which explains, why you want to uninstall Max pain (while maybe already removed previously), that it tries to install itself again.
So let's take a look first if these programs are still fully installed or not.. so do next:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
In there, you'll find the three programs you want to uninstall.
Do NOT click the "remove this entry" button! Only when I say so! :)
First, select the entry "Max Pain" and copy and paste what's inside the "uninstall command" field in your next reply.
Do the same for "Jump Start Learning ABC" and "MAX FX TOOlS"
So I need 3 uninstall commands in your next reply.
:p:
ABC Learning
C:\WINDOWS\IsUninst.exe -fC:\KA\JSLG_ABC\DeIsL2.isu
Max Payne
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39930321-4C58-4B8B-BCBF-342698C9801D}\setup.exe"
Max Tools (is this part of Max Payne?)
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7299E7F8-6921-4588-9A83-9BB7B867706F}\setup.exe"
:D:
You are truly an angel sent from heaven to bless this little PC of mine:angel:
I am loving your work and am learning as you go, which I love to do!!
It has been a long and winding road and I :fear: that I must sleep!
It's 6:54am and I start work in an hour and a half, so, I will just lye there for a while I think (or I'll never wake up).
I have read all the links and helpful things you have given me. I am now firewalled and Spyware protected to the max!!:laugh:
I can't wait to get home and find your reply!!
Forever in your debt, David:heart:
Have a nice day/night!
miekiemoes
2007-06-11, 21:00
Ok, some questions first... About ABC Learning.
Does this file still exist? C:\WINDOWS\IsUninst.exe
Does this folder still exist? C:\KA\JSLG_ABC
About Max Payne, when you want to remove it via add/remove programs, as far as I can see, it does indeed launch the setup.exe (install).
In that setup screen, does it has the option to remove?
yes, the Max Tools like like it's indeed a part of Max payne.
Is there still a folder called Max payne present in your C:\Program Files folder?
If so, can you check if there are mainly leftovers in there, or if the main program is still fully installed there. In that case, the game executable should be present there as well.
Edit -- ok, have a nice sleep :)
:present:
ABC
Yup... I found the 'IsUninst'... I moved it to desktop... I hope thats ok :red:
I windows searched the ABC file you were looking for and it gave me what looks like a folder named 'JSLG_ABC' which is located in 'C:\KA'
It also came up with what look like 2 different icon exe. files both named 'JSLG_ABC' in 'C:\KA\JSLG_ABC'
Also what looks like a thumbs file named 'JSLG_ABC' in 'C:\KA\JSLG_ABC'
Lastely it found 'JSL_ABC.key' in 'C:\KA\JSLG_ABC'
AS for Max Payne.... it definately doesn't give me the option to UNinstall in add/remove....only install
Yes, both Max Payne and Max Tools are in program files and they seem to be completely intact (with all files inc exe.)
Is it that you need the disk to uninstall (a bright idea I just had):eek:
Unfortunately I have no disk anymore:red:
I'm thinking you're not just a pretty face!:heart:
Yes.. I htink I know what to do!!:laugh:
But I'll wait for you to tell me or I'll look like a MUPPET!!:fear:
miekiemoes
2007-06-12, 07:15
The JSLG_ABC looks like it was already removed, just leftovers in that folder.
So, for that, you can delete the folder manually: C:\KA\JSLG_ABC
For the Max Payne folder - you can - or reinstall it and then uninstall it - or just delete the May Payne folder manually.
To get rid of their uninstall entries in add/remove,
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on the entry you wish to delete (ABC Learning, Max Tools & Max payne)
Click on Delete this entry
Click "Yes"
Do NOT do this for any other entries there!
I just did a defrag and now internet is r-e-a-l-l-y s-l-o-w
and... another problem I should have mentioned earlier...
when i click start and go to 'all programs' it takes about a minute for the programs list to appear!
This lag is also in all of the menus in 'start' 'all programs'
Also, on start up it takes the task bar a little bit long to appear and also it takes a while for all the icons on desktop to appear.
When I open 'control panel' it takes to long for the icons to appear.. and takes way to long for the list to populate when I open 'add/remove programs'
It was because of this lag that I ran the defrag... but that seems to have slowed my internet down somehow.
But programs open as quick as they should and so do the windows when I open folders.:sad:
P.S. I will follow your prior instructions now, I was waiting for the defrag to finish.
miekiemoes
2007-06-12, 17:16
Have you been using the cleanup utility in XP? I mean cleaning the internet cache, cleaning the temp folders, cookies, recycle bin etc etc.. Because that's normal behavior after you performed that cleanup.
This since prefetch folder was emptied as well and your internet cache was emptied. So right after that, when you open certain programs and browse certain pages - it will load a bit slower in the beginning.
This will improve again.
However, you are talking about a minute here - so not sure what programs you have been installing in between - running in the background which may cause a system slowdown.
Can you post a new HijackThislog please?
Also, keep in mind, You do have Folder Lock installed. It is known that it may cause an extra slowdown....
Sorry I keep bothering you, the PC had a horrible crash, but it seems to be fine now...if you do have the patience could you possibly run me through some more scans to be sure? I would really appreciate it!!
Hey guyz!!:D:
MIEKIEMOES has been bloody AWESOME!!:angel:...in fact, these forums are FANTASTIC!!:wink::
I'm not sure if MIEKIEMOES is finally sick of my patheticness:red: or if she just hasn't been online but, I think she managed to fix everything which is cool, however, I had a horrible crash where everything lagged up before it finally froze and that has me a little worried, eveything does seem to be fine now BUT, is it possible for someone to run me through some final scanz so I can be sure...call me paranoid:scratch:
Hey thanks again and BIGUPS to MIEKIEMOES!!
P.S. I will be donating, I have your address:bigthumb:
I see I missed one of your posts,,,, sorry..... I will post a new Hijack Log now and then won't post another reply 'till you answer,:lip: thankyou:red:
I turned everything off including firewall before I ran this scan, just in case.
My PC seems to be running brilliantly now, thx so much :bigthumb:
Logfile of HijackThis v1.99.1
Scan saved at 5:15:41 p.m., on 13/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Also, about removing those programmes, shoul I jsut delete the folders from 'Program Files'?
miekiemoes
2007-06-13, 09:09
Hi,
Everything looks OK here.
Everytime when I look at a new HijackThislog, I see things has been changed in it. Now it looks like you enabled everything via msconfig which was disabled before, but it looks like some related programs are missing. Which means, you already uninstalled them before.
So, let's have another look and post a log from Combofix, so it will show what is really missing or not, so we can actually remove these startup entries instead of disabling them.
Also, as you asked,
Also, about removing those programmes, shoul I jsut delete the folders from 'Program Files'?You can delete the Max Payne folder and the JSLG_ABC folder.
Extra note, if you don't really use Google desktop search, I also suggest you uninstall it - this because it's known to cause a serious system slowdown.
ComboFix 07-06-13.3 - C:\Documents and Settings\Owner\Desktop\ComboFix\ComboFix.exe
"Owner" - 2007-06-13 22:47:20 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 20:12 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-12 09:45 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Comodo
2007-06-12 06:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-06-12 06:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-12 06:27 <DIR> d-------- C:\Program Files\Comodo
2007-06-12 06:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-12 04:43 <DIR> d-------- C:\Program Files\PCPitstop
2007-06-11 19:54 1,824 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-11 15:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-11 05:09 <DIR> d-------- C:\Program Files\SpyCrush 3.2
2007-06-11 04:34 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-11 02:16 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-11 00:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-10 21:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 19:29 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-09 18:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-08 23:48 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-08 23:48 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-08 23:48 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-08 23:48 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-08 23:48 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-08 23:48 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-08 23:48 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-08 23:48 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-06-08 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-08 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-08 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-08 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-08 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-08 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-08 20:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-08 08:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 18:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 18:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 18:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-28 20:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-26 09:01 <DIR> d-------- C:\Program Files\DC++
2007-05-25 22:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-25 22:44 2,301 --a------ C:\WINDOWS\mozver.dat
2007-05-25 15:34 <DIR> d-------- C:\Program Files\Google
2007-05-25 15:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-25 15:28 15,714,552 --a------ C:\Program Files\Google_Earth_BZXV.exe
2007-05-23 03:14 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-23 01:57 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-05-23 01:57 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-05-23 01:57 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-05-23 01:57 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-05-23 01:57 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-05-23 01:57 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-05-23 01:57 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-22 23:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 23:43 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-21 04:08 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ableton
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
2007-05-14 18:54 <DIR> d-------- C:\Program Files\Vodei
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-13 10:34:24 -------- d-----w C:\Program Files\EA Games
2007-06-09 04:28:07 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-08 10:06:32 -------- d-----w C:\Program Files\DivX
2007-05-29 09:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 09:58:06 -------- d-----w C:\Program Files\Microsoft Works
2007-05-25 06:12:21 10,706 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-25 01:27:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-05-22 12:25:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-20 10:04:54 -------- d-----w C:\Program Files\Cooledit
2007-05-19 06:51:27 -------- d-----w C:\Program Files\VirtualDJ
2007-05-08 01:39:28 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-06 06:43:04 -------- d-----w C:\Program Files\BitTorrent
2007-05-03 06:15:26 -------- d-----w C:\Program Files\WinPcap
2007-05-02 16:47:55 -------- d-----w C:\Program Files\Folder Lock
2007-05-01 10:58:00 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-01 09:21:17 -------- d-----w C:\Program Files\MSN Messenger
2007-04-30 23:13:25 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 20:09:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 10:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 10:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 10:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 10:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 10:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 10:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 10:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 10:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 10:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-06 08:53:40 53,248 ----a-w C:\WINDOWS\system32\suppdll.dll
2007-04-06 08:53:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 00:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-31 00:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-12 06:27]
"VTTimer"="VTTimer.exe" [2004-10-22 10:53 C:\WINDOWS\system32\VTTimer.exe]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-23 14:01]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"RecordNow!"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" []
"Acme.PCHButton"="C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe" [2004-04-08 21:51]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=
"RunNarrator"=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-31 00:29]
Contents of the 'Scheduled Tasks' folder
2007-05-22 08:52:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1090486217.job
2004-11-04 00:36:16 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 22:50:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WNBackup
C:\WINDOWS\ws2setup.log
C:\WINDOWS\wsdu.log
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\wwmf
C:\WINDOWS\xobglu16.dll
C:\WINDOWS\xobglu32.dll
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\yacs.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
scan completed successfully
hidden files: 24
**************************************************************************
Completion time: 2007-06-13 22:51:19
--- E O F ---
THX for sticking with me on this.:D:
miekiemoes
2007-06-13, 13:15
Hi,
Delete next folder:
C:\Program Files\SpyCrush 3.2
check and fix next orphaned entries in Hijackthis:
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
don't worry about the "hidden files" part in your Combofix log, that's because of the Folder Lock.
The rest looks ok. :)
No need to post new logs, I know after performing above, the entries will be gone in Hijackthis.
Please do not tinker anymore with settings etc.. this to prevent you break more instead of fixing :D:
miekiemoes
2007-06-13, 13:50
You're most welcome :)
miekiemoes
2007-06-13, 13:50
Since this issue appears resolved ... this Topic is archived.
Everyone else please begin a New Topic.