bodazephyr
2007-10-07, 23:30
I get 2 warning messages that i cant seem to get rid of. the first says "this operation has been cancelled due to restrictions in effect on this computer. please contact system administrator" fist off i AM the system admin secondly this happens when i try to open "add/remove programs or when i try to go into my computer properties or display properties. I downloaded the "fixpolicies" and can temporarilly get into thse things but when i restart it goes back to the restriction.
the second warning says "warning potential spyware operation. the computer is making unauthorized copies of your system and internet files. run full scan now to prevent unauthorized access to your files. click yes to download spyware remover."
i have tried adaware, liutilities spyeraser and spybot search and destroy all when in safe mode and they seem to find malware/trojans and delete them but they reappear when i restart every time so i can't find where it is re installing this malware/trojans from.
here is my hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\gv\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
Hi bodazephyr
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
bodazephyr
2007-10-14, 21:11
Thank you for the response, I really appreciate it.
ok here is the combofix log
ComboFix 07-10-12.4 - gv 2007-10-14 10:52:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT -7:00]
Running from: C:\Documents and Settings\gv\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\gv\Application Data\ECURIT~1
C:\Documents and Settings\gv\Application Data\macromedia\Flash Player\#SharedObjects\GLJVZRWH\www.broadcaster.com
C:\Documents and Settings\gv\Application Data\macromedia\Flash Player\#SharedObjects\GLJVZRWH\www.broadcaster.com\played_list.sol
C:\Documents and Settings\gv\Application Data\macromedia\Flash Player\#SharedObjects\GLJVZRWH\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\gv\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\gv\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\gv\Application Data\WNSXS~1
C:\Documents and Settings\gv\Application Data\YMBOLS~1
C:\Documents and Settings\gv\My Documents\CROSOF~1.NET
C:\Documents and Settings\gv\Start Menu\Programs\Startup\system.exe
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\mcroso~1
C:\WINDOWS\ecurit~1
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\ymbols~1
.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.
2007-10-14 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 10:33 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 22:36 <DIR> d-------- C:\Documents and Settings\gv\Application Data\Grisoft
2007-10-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-07 22:36 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-07 22:24 3,000 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-07 19:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-07 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 11:29 <DIR> d-------- C:\Program Files\PCPitstop
2007-10-07 03:20 <DIR> d-------- C:\Documents and Settings\gv\Application Data\Uniblue
2007-10-07 03:19 <DIR> d-------- C:\Program Files\Uniblue
2007-10-07 01:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-06 23:40 164 --a------ C:\install.dat
2007-10-06 21:31 <DIR> d-------- C:\Documents and Settings\gv\Application Data\WinPatrol
2007-10-06 21:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-06 20:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-06 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-06 20:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 20:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-06 20:14 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-02 13:03 35,840 -ra------ C:\WINDOWS\tsitra11.exe
2007-09-18 11:17 <DIR> d-------- C:\Documents and Settings\gv\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 06:38 --------- d-----w C:\Program Files\Netscape Internet Service
2007-10-08 06:38 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-10-08 06:38 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-07 06:43 --------- d-----w C:\Program Files\Java
2007-10-07 04:04 --------- d-----w C:\Program Files\CONEXANT
2007-10-07 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-07 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2007-10-02 07:59 --------- d-----w C:\Program Files\Apple Software Update
2007-10-02 07:57 --------- d-----w C:\Program Files\iTunes
2007-10-02 07:56 --------- d-----w C:\Program Files\iPod
2007-09-23 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 18:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-14 09:21 1,042 ----a-w C:\Documents and Settings\gv\Application Data\wklnhst.dat
2007-09-07 09:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-05 23:48 --------- d-----w C:\Program Files\QuickTime
2007-09-03 05:08 --------- d-----w C:\Program Files\MySpace
2007-09-01 21:55 --------- d-----w C:\Documents and Settings\gv\Application Data\Apple Computer
2007-09-01 16:30 911,235 ----a-w C:\WINDOWS\Prison Tycoon 2 Uninstaller.exe
2007-09-01 16:25 --------- d-----w C:\Program Files\Prison Tycoon 2
2007-09-01 16:25 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-08-22 19:51 97,152 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-08-21 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-21 20:31 --------- d-----w C:\Program Files\Common Files\Apple
2007-08-21 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 22:31 --------- d-----w C:\Program Files\Netflix
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-16 00:29 --------- d-----w C:\Program Files\MSXML 4.0
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2007-08-14 01:54 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-14 01:54 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:54 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:45 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
2007-08-14 01:44 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:44 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
2007-08-14 01:42 17,408 ------w C:\WINDOWS\system32\dllcache\corpol.dll
2007-08-14 01:39 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:39 55,296 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
2007-08-14 01:38 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-08-14 01:36 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:36 36,352 ------w C:\WINDOWS\system32\dllcache\imgutil.dll
2007-08-14 01:35 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:32 45,568 ------w C:\WINDOWS\system32\dllcache\mshta.exe
2007-08-14 01:18 60,416 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-08-14 01:01 48,128 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
2007-08-03 16:19 107,134 ----a-w C:\WINDOWS\UninstallFirefox.exe
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 11:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 00:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-08 16:44]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-22 11:36]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 13:40]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 11:31]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 01:00 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 07:52:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-08 06:14:55 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-10-14 18:01:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-10-07 10:29:25 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 11:04:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-14 11:05:28
.
--- E O F ---
bodazephyr
2007-10-14, 21:13
...and here is the hijackthis log AFTER the combofix.
Logfile of HijackThis v1.99.1
Scan saved at 11:08:35 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gv\Desktop\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
Hi
Delete this:
C:\WINDOWS\tsitra11.exe
Empty Recycle Bin
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh hijackthis log
- kaspersky report
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.