View Full Version : Need help plz!
holyspecter
2007-11-01, 06:10
I have this 2 malwares spybot found!
Command Service and Network Monitor which I can't remove with the "fix selected problems" button!!
:sad:
BTW I'm typing this on my laptop, cuz on my computer when I open IE it opens a lot of pop ups.
The HJT file which I'm moving with USB is
Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Web Buying\v1.8.5\webbuying.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\SFVJTk9ORyBFTkc\command.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SFVJTk9ORyBFTkc\command.exe
Plz help
holyspecter
2007-11-01, 06:20
Ahhh It's not only 2 it's 3! and gave 1 wrong one, my apologies...
Command Service, Smitfraud-C.CoreService, and Virtumonde
holyspecter
2007-11-02, 01:40
Ahhh! This is a second thread I'm posting, because some strange stuff happened the day I posted the first thread where I couldn't get rid of Command Service, then I woke up the next morning and ran S&D and it gave me a new file called something like... LLS (command search and the other one wasn't found) Fixed it and then opened IE and there was something I hadn't seen called "Security Toolbar 7.1"
New HJT log (Sorry >.<)
Logfile of HijackThis v1.99.1
Scan saved at 6:39:05 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {0de3c16c-a6a5-cd59-6484-bdb34a4ffdd4} - {4ddff4a4-3bdb-4846-95dc-5a6ac61c3ed0} - C:\WINDOWS\system32\bmekfyri.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\opnolkj.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jewiinpb.dll
O2 - BHO: (no name) - {BBABD837-4E17-413A-9082-D8F0BEE56B18} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jewiinpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [a0423165] rundll32.exe "C:\WINDOWS\system32\uduqinno.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jewiinpb - C:\WINDOWS\SYSTEM32\jewiinpb.dll
O20 - Winlogon Notify: opnolkj - C:\WINDOWS\SYSTEM32\opnolkj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Hello holyspecter
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen
Reply to this thread only please and do not start any new topics or your posts will be all over the forum and we wont be able to keep track of you.
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.
* Click here (http://noahdfear.geekstogo.com/FindAWF.exe) to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
holyspecter
2007-11-02, 17:42
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: 2007-11-02
The current time is: 10:37:17.29
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
2003-02-11 21:02 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
2005-09-20 19:33 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\WINDOWS\SMINST\BAK
2004-04-14 15:43 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
2007-10-25 00:59 179 hpsysdrv.DAT
1998-05-07 18:04 52,736 hpsysdrv.exe
2 File(s) 52,915 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
2005-11-03 16:22 77,824 hkcmd.exe
2003-08-21 05:15 483,328 hphmon05.exe
2005-11-03 16:26 118,784 igfxpers.exe
2005-11-03 16:25 98,304 igfxtray.exe
2002-10-16 17:57 81,920 ps2.exe
5 File(s) 860,160 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
2003-12-22 17:38 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes
Directory of C:\PROGRA~1\HP\{45B61~1\BAK
2003-08-21 05:23 49,152 hphupd05.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
2006-03-07 12:49 180,269 realsched.exe
1 File(s) 180,269 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
28172 Oct 2 2007 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
28172 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 2 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
188 Oct 2 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
28172 Oct 2 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
28172 Oct 2 2007 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
28172 Oct 2 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
28172 Oct 2 2007 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
28172 Oct 2 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
end of report
Hello Again,
Your also infected with the Vundo trojan, we will do that after we clean this up.
Double-click FindAWF.exe to start the tool.
* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt here.
holyspecter
2007-11-03, 02:38
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: 2007-11-02
The current time is: 19:30:28.54
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
2003-02-11 21:02 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
2005-09-20 19:33 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\WINDOWS\SMINST\BAK
2004-04-14 15:43 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
2007-10-25 00:59 179 hpsysdrv.DAT
1998-05-07 18:04 52,736 hpsysdrv.exe
2 File(s) 52,915 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
2005-11-03 16:22 77,824 hkcmd.exe
2003-08-21 05:15 483,328 hphmon05.exe
2005-11-03 16:26 118,784 igfxpers.exe
2005-11-03 16:25 98,304 igfxtray.exe
2002-10-16 17:57 81,920 ps2.exe
5 File(s) 860,160 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
2003-12-22 17:38 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes
Directory of C:\PROGRA~1\HP\{45B61~1\BAK
2003-08-21 05:23 49,152 hphupd05.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
2006-03-07 12:49 180,269 realsched.exe
1 File(s) 180,269 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
98304 Sep 20 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
179 Oct 25 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
end of report
Did all that
Moving along,
Double-click FindAWF.exe to start the tool.
* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:
C:\hp\KBD\KBD.EXE\bak
C:\Program Files\QuickTime\qttask.exe\bak
C:\WINDOWS\SMINST\RECGUARD.EXE\bak
C:\WINDOWS\system\hpsysdrv.DAT\bak
C:\WINDOWS\system\hpsysdrv.exe\bak
C:\WINDOWS\system32\hkcmd.exe\bak
C:\WINDOWS\system32\hphmon05.exe\bak
C:\WINDOWS\system32\igfxpers.exe\bak
C:\WINDOWS\system32\igfxtray.exe\bak
C:\WINDOWS\system32\ps2.exe\bak
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe\bak
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe\bak
C:\Program Files\Common Files\Real\Update_OB\realsched.exe\bak
* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt here.
Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.
Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this properly.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
I need to see the AWF log, the Vundo log and a New HJT log please
holyspecter
2007-11-03, 06:33
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: 2007-11-02
The current time is: 23:28:32.90
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
2003-02-11 21:02 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
2005-09-20 19:33 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\WINDOWS\SMINST\BAK
2004-04-14 15:43 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
2007-10-25 00:59 179 hpsysdrv.DAT
1998-05-07 18:04 52,736 hpsysdrv.exe
2 File(s) 52,915 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
2005-11-03 16:22 77,824 hkcmd.exe
2003-08-21 05:15 483,328 hphmon05.exe
2005-11-03 16:26 118,784 igfxpers.exe
2005-11-03 16:25 98,304 igfxtray.exe
2002-10-16 17:57 81,920 ps2.exe
5 File(s) 860,160 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
2003-12-22 17:38 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes
Directory of C:\PROGRA~1\HP\{45B61~1\BAK
2003-08-21 05:23 49,152 hphupd05.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
2006-03-07 12:49 180,269 realsched.exe
1 File(s) 180,269 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
98304 Sep 20 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Sep 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
233472 Apr 14 2004 "C:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
233472 Apr 14 2004 "D:\hp\patches\43WW3OWN\files\UP\Recguard.exe"
179 Nov 2 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
179 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
end of report
Also, do this trojans I have log info I type?
holyspecter
2007-11-03, 06:43
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 23:36:32 2007-11-02
Listing files found while scanning....
C:\windows\system32\icvpnkar.dll
C:\WINDOWS\system32\jewiinpb.dll
C:\windows\system32\opnolkj.dll
Beginning removal...
Attempting to delete C:\windows\system32\icvpnkar.dll
C:\windows\system32\icvpnkar.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jewiinpb.dll
C:\WINDOWS\system32\jewiinpb.dll Has been deleted!
Attempting to delete C:\windows\system32\opnolkj.dll
C:\windows\system32\opnolkj.dll Could not be deleted.
Performing Repairs to the registry.
Done!
holyspecter
2007-11-03, 06:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43, on 2007-11-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [a0423165] rundll32.exe "C:\WINDOWS\system32\uduqinno.dll",b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
--
End of file - 6508 bytes
And HJT log and WoW! I think the VundoFix got rid of the "Security Toolbar 7.1" ^_^
I dont believe what you had would record keystrokes, but you never know.
SpyNoMore <-- Is listed on the Rogue AntiSpyware list so its your call to keep it or not, you can remove it via the Add Remove Programs in the Control Panel.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a0423165] rundll32.exe "C:\WINDOWS\system32\uduqinno.dll",b
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\QuickTime\bak
C:\windows\system32\opnolkj.dll
C:\WINDOWS\system32\uduqinno.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Combofix log and a New HJT log please
holyspecter
2007-11-03, 17:57
The OTMoveIt log
C:\Program Files\QuickTime\bak moved successfully.
DllUnregisterServer procedure not found in C:\windows\system32\opnolkj.dll
C:\windows\system32\opnolkj.dll NOT unregistered.
C:\windows\system32\opnolkj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\uduqinno.dll
C:\WINDOWS\system32\uduqinno.dll NOT unregistered.
C:\WINDOWS\system32\uduqinno.dll moved successfully.
Created on 11-03-2007 10:53:14
holyspecter
2007-11-03, 18:16
Ahhh! Security Toolbar 7.1 is back with all the pop-ups and the "warning in taskbar"
Also the warning came back while ComboFix was running and after it reboot it gave me "Exeption Processing Message c0000013 Parameters 75b6bf9c 75b6bf9c"
and the CF log is 27,000 chars long
The HJT log is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:13 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tuamsqtp.dll
O2 - BHO: {18c74d71-2ec0-4dcb-4324-847fd9768e0b} - {b0e8679d-f748-4234-bcd4-0ce217d47c81} - C:\WINDOWS\system32\ptmadlxo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tuamsqtp.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: tuamsqtp - C:\WINDOWS\SYSTEM32\tuamsqtp.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
--
End of file - 7124 bytes
holyspecter
2007-11-03, 18:33
BTW I didn't find the SpyNoMore program in the add/remove programs... Looked for it in C: and nothing either
Your still infected with Vundo, this is what we need to do.
Run Combofix again, just let it run, dont touch nothing until it produces a log, break the log in half and use 2 different posts if you have to .
The thieves that have written Vundo have written it to evade a HJT scan and by renaming it those entries will show up on your log/
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass )and rename it to Scanner.exe
Take as many replies as you need but I need to see the entire Combofix log and a new HJT log renamed please.
holyspecter
2007-11-04, 01:35
ComboFix 07-11-01.1 - Owner 2007-11-03 18:23:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.227 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\tuamsqtp.dllbox
.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.
2007-11-03 10:56 340,032 --a------ C:\WINDOWS\system32\ylljuyjb.dll
2007-11-03 10:56 340,032 --a------ C:\WINDOWS\system32\tuamsqtp.dll
2007-11-03 10:53 81,472 --a------ C:\WINDOWS\system32\ptmadlxo.dll
2007-11-03 10:47 87,616 --a------ C:\WINDOWS\system32\ueoxvtdo.dll
2007-11-02 23:38 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-02 23:36 <DIR> d-------- C:\VundoFix Backups
2007-11-02 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-01 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 18:13 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-01 12:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-01 12:54 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-01 00:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 00:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-31 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-10-31 22:01 <DIR> d--hs---- C:\WINDOWS\SFVJTk9ORyBFTkc
2007-10-31 22:01 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-10-31 22:01 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-10-31 22:00 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-31 22:00 <DIR> d-------- C:\Temp\mZOr
2007-10-31 22:00 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 15:53 --------- d-----w C:\Program Files\QuickTime
2007-11-03 02:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 00:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-02 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-27 02:59 --------- d-----w C:\Program Files\World of Warcraft
2007-09-28 00:56 --------- d-----w C:\Program Files\Starcraft
2007-09-21 19:59 --------- d-----w C:\Program Files\AviSynth 2.5
2007-09-09 15:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2006-11-01 00:20 43,664 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\SFVJTk9ORyBFTkc\mIpLn46ilV1In4w.vbs
2004-09-01 18:58:00 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
----a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\KBD.EXE
----a-w 180,269 2006-03-07 17:49:05 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2006-03-07 17:49:05 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
-c--a-w 241,664 2003-12-22 22:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2003-12-22 22:38:42 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
-c--a-w 49,152 2003-08-21 10:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe
----a-w 49,152 2003-08-21 10:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
-c--a-w 233,472 2004-04-14 20:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 233,472 2004-04-14 20:43:46 C:\WINDOWS\SMINST\RECGUARD.EXE
----a-w 179 2007-10-25 05:59:30 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 181 2007-11-03 23:27:31 C:\WINDOWS\system\hpsysdrv.DAT
-c--a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe
----a-w 77,824 2005-11-03 21:22:36 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 77,824 2005-11-03 21:22:36 C:\WINDOWS\system32\hkcmd.exe
----a-w 483,328 2003-08-21 10:15:48 C:\WINDOWS\system32\bak\hphmon05.exe
----a-w 483,328 2003-08-21 10:15:48 C:\WINDOWS\system32\hphmon05.exe
----a-w 118,784 2005-11-03 21:26:30 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 118,784 2005-11-03 21:26:30 C:\WINDOWS\system32\igfxpers.exe
----a-w 98,304 2005-11-03 21:25:48 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 98,304 2005-11-03 21:25:48 C:\WINDOWS\system32\igfxtray.exe
----a-w 81,920 2002-10-16 22:57:10 C:\WINDOWS\system32\bak\ps2.exe
----a-w 81,920 2002-10-16 22:57:10 C:\WINDOWS\system32\ps2.exe
-c--a-w 98,304 2005-09-21 00:33:48 C:\_OTMoveIt\MovedFiles\Program Files\QuickTime\bak\qttask.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-03 10:56 340032 --a------ C:\WINDOWS\system32\tuamsqtp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0e8679d-f748-4234-bcd4-0ce217d47c81}]
2007-11-03 10:53 81472 --a------ C:\WINDOWS\system32\ptmadlxo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\tuamsqtp.dll [2007-11-03 10:56 340032]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\tuamsqtp.dll [2007-11-03 10:56 340032]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-03 13:21 C:\WINDOWS\SOUNDMAN.EXE]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 16:25]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 16:26]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 16:22]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 05:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 05:15]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 17:38]
"AlcWzrd"="ALCWZRD.EXE" [2004-05-03 15:23 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-07 12:49]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuamsqtp]
tuamsqtp.dll 2007-11-03 10:56 340032 C:\WINDOWS\system32\tuamsqtp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"iPodService"=3 (0x3)
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 18:27:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-03 18:32:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 11:07
C:\ComboFix3.txt ... 2007-11-01 00:35
.
--- E O F ---
holyspecter
2007-11-04, 01:38
And here the renamed HJT to Scanner.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:37 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tuamsqtp.dll
O2 - BHO: {18c74d71-2ec0-4dcb-4324-847fd9768e0b} - {b0e8679d-f748-4234-bcd4-0ce217d47c81} - C:\WINDOWS\system32\ptmadlxo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tuamsqtp.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: tuamsqtp - C:\WINDOWS\SYSTEM32\tuamsqtp.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
--
End of file - 7120 bytes
Option 3 of FindAWF did not take.
Double-click FindAWF.exe to start the tool.
* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:
C:\hp\KBD\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak
C:\_OTMoveIt\MovedFiles\Program Files\QuickTime\bak
C:\WINDOWS\system\bak
* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt in your next reply
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
files::
C:\WINDOWS\system32\ylljuyjb.dll
C:\WINDOWS\system32\tuamsqtp.dll
C:\WINDOWS\system32\ptmadlxo.dll
C:\WINDOWS\system32\ueoxvtdo.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe
Folder::
C:\VundoFix\Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-03 10:56 340032 --a------ C:\WINDOWS\system32\tuamsqtp.dll
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0e8679d-f748-4234-bcd4-0ce217d47c81}]
2007-11-03 10:53 81472 --a------ C:\WINDOWS\system32\ptmadlxo.dll
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\tuamsqtp.dll [2007-11-03 10:56 340032]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\tuamsqtp.dll [2007-11-03 10:56 340032]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuamsqtp]
tuamsqtp.dll 2007-11-03 10:56 340032 C:\WINDOWS\system32\tuamsqtp.dll
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Let me see the AWF log, the new Combofix log and a new HJT log
holyspecter
2007-11-04, 03:12
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Sat 11/03/2007
The current time is: 20:08:11.23
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\SYSTEM32\BAK
11/03/2005 04:22 PM 77,824 hkcmd.exe
08/21/2003 05:15 AM 483,328 hphmon05.exe
11/03/2005 04:26 PM 118,784 igfxpers.exe
11/03/2005 04:25 PM 98,304 igfxtray.exe
10/16/2002 05:57 PM 81,920 ps2.exe
5 File(s) 860,160 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
118784 Apr 20 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 20 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
end of report
holyspecter
2007-11-04, 03:22
ComboFix 07-11-01.1 - Owner 2007-11-03 20:13:42.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\tuamsqtp.dllbox
.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.
2007-11-03 10:53 81,472 --a------ C:\WINDOWS\system32\ptmadlxo.dll
2007-11-03 10:47 87,616 --a------ C:\WINDOWS\system32\ueoxvtdo.dll
2007-11-02 23:36 <DIR> d-------- C:\VundoFix Backups
2007-11-02 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-01 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 18:13 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-01 12:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-01 12:54 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-01 00:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 00:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-31 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-10-31 22:01 <DIR> d--hs---- C:\WINDOWS\SFVJTk9ORyBFTkc
2007-10-31 22:01 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-10-31 22:01 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-10-31 22:00 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-31 22:00 <DIR> d-------- C:\Temp\mZOr
2007-10-31 22:00 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 15:53 --------- d-----w C:\Program Files\QuickTime
2007-11-03 02:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 00:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-02 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-27 02:59 --------- d-----w C:\Program Files\World of Warcraft
2007-09-28 00:56 --------- d-----w C:\Program Files\Starcraft
2007-09-21 19:59 --------- d-----w C:\Program Files\AviSynth 2.5
2007-09-09 15:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-11-01 00:20 43,664 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\SFVJTk9ORyBFTkc\mIpLn46ilV1In4w.vbs
2004-09-01 18:58:00 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 77,824 2005-11-03 21:22:36 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 77,824 2005-11-03 21:22:36 C:\WINDOWS\system32\hkcmd.exe
----a-w 483,328 2003-08-21 10:15:48 C:\WINDOWS\system32\bak\hphmon05.exe
----a-w 483,328 2003-08-21 10:15:48 C:\WINDOWS\system32\hphmon05.exe
----a-w 118,784 2005-11-03 21:26:30 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 118,784 2005-11-03 21:26:30 C:\WINDOWS\system32\igfxpers.exe
----a-w 98,304 2005-11-03 21:25:48 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 98,304 2005-11-03 21:25:48 C:\WINDOWS\system32\igfxtray.exe
----a-w 81,920 2002-10-16 22:57:10 C:\WINDOWS\system32\bak\ps2.exe
----a-w 81,920 2002-10-16 22:57:10 C:\WINDOWS\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-03 13:21 C:\WINDOWS\SOUNDMAN.EXE]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 16:25]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 16:26]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 16:22]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 05:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 05:15]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 17:38]
"AlcWzrd"="ALCWZRD.EXE" [2004-05-03 15:23 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-07 12:49]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"iPodService"=3 (0x3)
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 20:16:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-03 20:18:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 18:44
C:\ComboFix3.txt ... 2007-11-03 18:32
.
--- E O F ---
holyspecter
2007-11-04, 03:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:59 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
--
End of file - 6408 bytes
Double-click FindAWF.exe to start the tool.
* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:
C:\WINDOWS\system32\bak
* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt in your next reply
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to Delete:
C:\WINDOWS\system32\ptmadlxo.dll
C:\WINDOWS\system32\ueoxvtdo.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Run Combofix again please and let me see the new Combofix log, the Avenger log, the AWF log
holyspecter
2007-11-04, 04:04
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Sat 11/03/2007
The current time is: 21:01:16.43
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
holyspecter
2007-11-04, 04:10
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rrvjqvgm
*******************
Script file located at: \??\C:\dsurpqiw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\ptmadlxo.dll deleted successfully.
File C:\WINDOWS\system32\ueoxvtdo.dll deleted successfully.
File C:\WINDOWS\mrofinu572.exe deleted successfully.
File C:\WINDOWS\mrofinu1000106.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
AHHHH, Option 3 for AWF worked great this time, thanks for your patience
holyspecter
2007-11-04, 04:15
Haha! =D No, thank you for yours :laugh:
ComboFix 07-11-01.1 - Owner 2007-11-03 21:08:42.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.
2007-11-02 23:36 <DIR> d-------- C:\VundoFix Backups
2007-11-02 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-01 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 18:13 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-01 12:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-01 12:54 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-01 00:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 00:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-31 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-10-31 22:01 <DIR> d--hs---- C:\WINDOWS\SFVJTk9ORyBFTkc
2007-10-31 22:00 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-31 22:00 <DIR> d-------- C:\Temp\mZOr
2007-10-31 22:00 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 15:53 --------- d-----w C:\Program Files\QuickTime
2007-11-03 02:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 00:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-02 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-27 02:59 --------- d-----w C:\Program Files\World of Warcraft
2007-09-28 00:56 --------- d-----w C:\Program Files\Starcraft
2007-09-21 19:59 --------- d-----w C:\Program Files\AviSynth 2.5
2007-09-09 15:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-11-01 00:20 43,664 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\SFVJTk9ORyBFTkc\mIpLn46ilV1In4w.vbs
2004-09-01 18:58:00 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-03 13:21 C:\WINDOWS\SOUNDMAN.EXE]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 16:25]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 16:26]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 16:22]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 05:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 05:15]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 17:38]
"AlcWzrd"="ALCWZRD.EXE" [2004-05-03 15:23 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-07 12:49]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"iPodService"=3 (0x3)
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 21:10:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-03 21:11:04
C:\ComboFix2.txt ... 2007-11-03 20:18
C:\ComboFix3.txt ... 2007-11-03 18:44
.
--- E O F ---
And the HJT incoming
holyspecter
2007-11-04, 04:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:23 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
This HJT I'm still running it as "Scanner.exe" Hopefully that's fine.
You can keep HJT renamed, wont hurt anything but I need to see the whole log please
holyspecter
2007-11-04, 04:44
:oops:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:20 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
--
End of file - 6414 bytes
Things look good :bigthumb: How is your system behaving now??
holyspecter
2007-11-04, 05:02
Well b4 one of your replys... I had ran Spybot SnD and VundoFix because Security Toolbar 7.1 was up again, after that I did all the FindAWF, the stuff is gone and behaving well... But that was the same 2 nights ago it was well then woke up the next morning and BAM Vundo was here again. Hopefully it doesn't appear again tomorrow...
Thank you Ken545, you are THE MAN!!!:laugh:
Well lets hope things keep running good for you, this thread will be open for a week or so so if you need to post back please do so.
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken