Help for my friends...



killer942
2007-11-15, 21:07
As my friend is complaining of a slow system, I decided to help him seek some advice. This is his ComboFix log and HJT log:

ComboFix 07-11-08.1 - Kching 2007-11-16 2:49:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.74 [GMT 8:00]
Running from: C:\Documents and Settings\Kching\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Kching\Application Data\p4p
C:\Documents and Settings\Kching\Application Data\p4p\dlmgr.dat
C:\Documents and Settings\Kching\Application Data\p4p\rss.opml
C:\Documents and Settings\Kching\Application Data\p4p\rsslasturl.txt
C:\WINDOWS\rofs103.exe
C:\WINDOWS\rofs110.exe
C:\WINDOWS\rofs115.exe
C:\WINDOWS\rofs117.exe
C:\WINDOWS\rofs125.exe
C:\WINDOWS\rofs146.exe
C:\WINDOWS\rofs162.exe
C:\WINDOWS\rofs190.exe
C:\WINDOWS\system32\k119364997413.exe
C:\WINDOWS\system32\k11936623424.exe
C:\WINDOWS\system32\k11936623457.exe
C:\WINDOWS\system32\k11936623489.exe
C:\WINDOWS\system32\k119366235112.exe
C:\WINDOWS\system32\k119366235414.exe
C:\WINDOWS\system32\k11937456793.exe
C:\WINDOWS\system32\k11938488597.exe
C:\WINDOWS\system32\k11938947698.exe
C:\WINDOWS\system32\k119389477311.exe
C:\WINDOWS\system32\k119389477412.exe
C:\WINDOWS\system32\k119389477513.exe
C:\WINDOWS\system32\k119389477714.exe
C:\WINDOWS\system32\k119403766012.exe
C:\WINDOWS\system32\k119403766113.exe
C:\WINDOWS\system32\k11940408705.exe
C:\WINDOWS\system32\k11940408737.exe
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_POOF
-------\kprof
-------\poof
-------\xlavba8


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-16 02:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 02:26 <DIR> d-------- C:\Program Files\Giganology
2007-11-16 02:26 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2007-11-16 02:04 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-15 16:23 <DIR> d-------- C:\SAVE
2007-11-15 16:21 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2007-11-15 16:16 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2007-11-15 16:16 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2007-11-15 14:33 <DIR> d-------- C:\Program Files\WIZET
2007-11-15 02:50 <DIR> d-------- C:\Program Files\CCleaner
2007-11-14 18:37 41,984 --a------ C:\WINDOWS\ksacre.exe
2007-11-14 18:37 41,984 --a------ C:\WINDOWS\0x57.exe
2007-11-14 18:37 16,384 --a------ C:\WINDOWS\xlaherx.exe
2007-11-11 20:29 <DIR> d----c--- C:\Media
2007-11-11 16:51 <DIR> d-------- C:\Program Files\QvodPlayer
2007-11-11 14:49 <DIR> d-------- C:\Program Files\WinMount
2007-11-11 14:49 196,224 --a------ C:\WINDOWS\system32\WinMTBus.sys
2007-11-11 14:49 196,224 --a------ C:\WINDOWS\system32\drivers\WinMTBus.sys
2007-11-11 14:48 286,720 --------- C:\WINDOWS\Setup1.exe
2007-11-11 14:48 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-10 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-11-10 10:10 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-11-10 10:10 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-11-10 10:09 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-11-10 10:09 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-11-10 10:09 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-11-10 10:09 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2007-11-10 10:09 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-11-10 10:09 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2007-11-10 10:09 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-11-10 10:09 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-11-10 10:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-11-10 10:08 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-11-10 10:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-11-10 10:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-11-10 10:07 77,824 -ra------ C:\WINDOWS\system32\drivers\SioUi2k.dll
2007-11-10 10:07 63,488 -ra------ C:\WINDOWS\system32\drivers\wssbtr1f.sys
2007-11-10 10:07 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2007-11-10 10:07 51,169 -ra------ C:\WINDOWS\system32\drivers\OXSER.SYS
2007-11-10 10:07 48,556 -ra------ C:\WINDOWS\system32\drivers\SktBt2k.sys
2007-11-10 10:07 48,076 -ra------ C:\WINDOWS\system32\drivers\Sio9502k.sys
2007-11-10 10:07 40,960 -ra------ C:\WINDOWS\system32\drivers\SCTray.exe
2007-11-10 10:06 <DIR> d-------- C:\Program Files\IVT Corporation
2007-11-09 20:01 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-07 21:28 <DIR> d-------- C:\Program Files\FairStars CD Ripper
2007-11-06 08:24 41,472 --a------ C:\WINDOWS\system32\levro.exe
2007-11-06 01:28 6,069,803 --a------ C:\iTudouInstaller1.3.32.exe
2007-11-05 21:28 <DIR> d-------- C:\Program Files\KWMUSIC
2007-11-05 21:28 32 --a------ C:\WINDOWS\system32\mylk.dat
2007-11-05 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mcache
2007-11-05 21:26 <DIR> d-------- C:\Program Files\FlashGet
2007-11-05 20:06 <DIR> d-------- C:\Program Files\PowerISO
2007-11-04 23:10 <DIR> d-------- C:\Program Files\Ape Ripper
2007-11-04 23:10 966,144 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2007-11-04 23:10 877,568 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-11-04 23:10 724,992 --a------ C:\WINDOWS\system32\ebCrypt.dll
2007-11-04 23:10 376,832 --a------ C:\WINDOWS\system32\cmd22.dll
2007-11-04 23:10 368,640 --a------ C:\WINDOWS\system32\MACDLL.dll
2007-11-04 23:10 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-11-04 23:10 253,952 --a------ C:\WINDOWS\system32\SkinBoxer43.dll
2007-11-04 23:10 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-11-04 23:10 20,992 --a------ C:\WINDOWS\system32\srmApeInfo.dll
2007-11-02 06:10 3,072 --a------ C:\WINDOWS\system32\MJDLL.DLL
2007-10-26 15:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-24 18:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-23 19:37 <DIR> d-------- C:\Program Files\PPStream
2007-10-23 19:24 <DIR> d-------- C:\Documents and Settings\Kching\Application Data\ppStream
2007-10-22 02:42 <DIR> d-------- C:\Documents and Settings\Kching\Application Data\Ahead
2007-10-20 21:33 <DIR> d-------- C:\WINDOWS\Application Data
2007-10-20 21:31 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-10-20 01:44 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-20 01:44 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-20 01:43 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-20 01:43 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-19 22:10 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-10-19 22:02 <DIR> d-------- C:\Program Files\Avant Browser
2007-10-18 19:29 <DIR> d-------- C:\Documents and Settings\Kching\Application Data\AdobeUM
2007-10-17 22:30 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-17 22:13 <DIR> d-------- C:\Documents and Settings\Kching\Application Data\GRETECH
2007-10-17 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2007-10-17 22:11 <DIR> d-------- C:\Program Files\GRETECH
2007-10-17 21:57 <DIR> d-------- C:\Program Files\eMule
2007-10-17 02:29 <DIR> d-------- C:\WINDOWS\Sun
2007-10-16 11:46 <DIR> d---s---- C:\Documents and Settings\Kching\UserData
2007-10-16 10:15 <DIR> d-------- C:\Program Files\Java
2007-10-16 10:14 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-16 03:08 <DIR> d-------- C:\Documents and Settings\Kching\Application Data\Media Player Classic
2007-10-15 23:35 2,977,792 --------- C:\WINDOWS\UNNMP.exe
2007-10-15 23:32 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-15 23:31 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-15 23:30 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2007-10-15 23:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2007-10-15 23:29 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-10-15 23:29 <DIR> d-------- C:\Program Files\Ahead
2007-10-15 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-10-15 23:29 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-10-15 23:29 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-10-15 23:29 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-10-15 23:29 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-10-15 23:29 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 06:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-15 13:26 --------- d-----w C:\Program Files\C-Media 3D Audio
2007-10-15 13:22 --------- d-----w C:\Program Files\VIA
2007-10-15 13:13 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-21 10:27 303,104 ----a-w C:\WINDOWS\system32\QvodInsert.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 09:07]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"Cmaudio"="cmicnfg.cpl" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 09:34]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"QuickTime Task"="C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2007-10-15 23:18]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe" [2003-09-16 19:01]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 08:05]
"clkhost"="C:\WINDOWS\xlaherx.exe" [2007-11-14 18:37]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 09:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:07]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-09-20 17:27]

C:\Documents and Settings\Kching\Start Menu\Programs\Startup\
PPS.lnk - C:\Program Files\PPStream\PPStream.exe [2007-10-31 18:08:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R2 Qvod Terminal;Qvod Terminal;C:\Program Files\QvodPlayer\QvodTerminal.exe
R2 SetupNT;SetupNT;C:\WINDOWS\system32\SetupNT.sys
R3 WinMTBus;WinMount Bus;C:\WINDOWS\system32\DRIVERS\WinMTBus.sys
S2 7C8E563A;7C8E563A;C:\WINDOWS\system32\FB46626C.EXE -k
S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a495c77-7c16-11dc-81aa-00e04cbe9340}]
\Shell\Auto\command - G:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 07:05:52 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 02:56:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 2:59:17 - machine was rebooted
.
--- E O F ---

killer942
2007-11-15, 21:08
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:05 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QvodPlayer\QvodTerminal.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kching\Desktop\HiJackThis.exe

R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PPS.lnk = C:\Program Files\PPStream\PPStream.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: BitComet ¡Á¨º?¡ä???¡Â - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C27680-58B9-45B6-A5CC-8FF7B370B1AB}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Qvod Terminal - Shenzhen TASK Technology Co.,Ltd - C:\Program Files\QvodPlayer\QvodTerminal.exe

--
End of file - 6109 bytes

pskelley
2007-11-20, 14:49
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

My suggestion is that when you give a friend advice, suggest they read the directions first which you have not done. As many times as you have posted, you should know this.

Posted above and pinned to the top of the forum are the instructions. I would read them all; they are there for your benefit.
Start with ONLY the Two Logs We Ask For in Our Sticky Topic, NOT CF etc http://forums.spybot.info/showthread.php?t=16806

Follow my instructions from this point on and I will do my very best to help.

1) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_02\ <<< Java is VERY out of date and likely why they are infected. Download the newest version and uninstall all old versions in Add/Remove Programs.

2) I prefer HJT not run off the Desktop, but if you must, then create a folder and move HJT and the log into it. Backups for safety will be stored there also.
C:\Documents and Settings\Kching\Desktop\HJT\HiJackThis.exe <<< example in red

3) O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE <<< I need to know what that file is, if you or your friend do not know, use one or more of these free online scanners to find out and post the information for me to view.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

4) I will not know all of your friend's programs, but you should. If you see something you are unsure of, make me aware so we can look into it.

5) O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
I would not have programs like this junk running at startup??

Instructions start here:

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
Trojan.Win32.LipGame.a

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\xlaherx.exe <<< delete that file

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, any information I requested, and tell me how the computer runs now.

Thanks
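
A defender-side triage pass over HijackThis entries, added here as an example that is not part of this thread or of HijackThis itself. It encodes the same heuristics the helper applied above (dead references tagged "(no file)" or "(file missing)", an empty O16 DPF entry, a startup executable sitting directly in C:\WINDOWS, and an O23 service with no owner and a random-looking name) over a constructed sample built from lines of the log in this thread; the fix/investigate split and all function names are my own.

```python
import re

# Constructed sample, modelled on the HijackThis v2 lines posted in this thread
# (a handful of real entries from the log, plus known-good ones for contrast).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section code plus the rest of the line
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$")                            # e.g. 7C8E563A
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)  # C:\WINDOWS\x.exe, no subfolder


def executable_of(cmd):
    """Pull the program path out of a Run value, tolerating quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # unquoted: cut at the first " /switch" or " -switch", keep spaces inside the path
    return re.split(r"\s+[-/]", cmd)[0]


def triage(line):
    """Return (verdict, reason) for one HJT entry, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # O23: a service with no vendor string is a prompt to identify the binary,
    # not a conviction (the thread's BlueSoleil service is "Unknown owner" and legitimate).
    if kind == "O23":
        svc = O23_RE.match(body)
        if svc and svc.group("owner") == "Unknown owner":
            reasons = ["service with no vendor information"]
            if HEX_NAME_RE.match(svc.group("name")):
                reasons.append("random-looking 8-hex-digit service name")
            if svc.group("path").endswith("(file missing)"):
                reasons.append("binary not found on disk")
            return ("investigate", "; ".join(reasons))

    # Dead references: the loader points at something no longer on disk.
    # These are the entries the helper told the poster to tick under "Fix checked".
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return ("fix", "orphaned entry, target no longer on disk")

    if kind == "O16" and body.endswith(" -"):
        return ("fix", "DPF (ActiveX download) entry with no source URL")

    # O4: an autostart executable dropped straight into the Windows directory
    # rather than a vendor folder, the pattern ComboFix cleaned up on this machine.
    if kind == "O4":
        run = O4_RE.match(body)
        if run and WINROOT_EXE_RE.match(executable_of(run.group("cmd"))):
            return ("investigate", "startup executable placed directly in the Windows directory")
    return None


def triage_log(text):
    """Run triage over a whole log; returns [(raw_line, verdict, reason), ...] for flagged entries."""
    findings = []
    for raw in text.splitlines():
        verdict = triage(raw)
        if verdict:
            findings.append((raw.strip(), verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for raw, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"[{verdict:11}] {reason}\n              {raw}")
```

Everything tagged investigate still needs the file identified (the online scanners the helper lists are the right next step); the script only narrows the list, it does not decide.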

killer942
2007-11-27, 00:02
Sorry for posting the CF log also... erm... my friend can't seem to find the two following files:

C:\WINDOWS\xlaherx.exe
O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE

My friend told me that his AVG had deleted the xlaherx.exe file, so he is unable to see it again in HJT.
Next is the "O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE" entry; he is unable to find it.
As for the outdated Java, he has fully uninstalled it.

the new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:01 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\PPStream\PPStream.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\QvodPlayer\QvodTerminal.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kching\Desktop\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PPS.lnk = C:\Program Files\PPStream\PPStream.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: BitComet ¡Á¨º?¡ä???¡Â - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C27680-58B9-45B6-A5CC-8FF7B370B1AB}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Qvod Terminal - Shenzhen TASK Technology Co.,Ltd - C:\Program Files\QvodPlayer\QvodTerminal.exe

--
End of file - 5353 bytes

pskelley
2007-11-27, 00:32
Thanks for the feedback, I am still concerned about this item:
O23 - Service: 7C8E563A - Unknown owner - C:\WINDOWS\system32\FB46626C.EXE
Make sure all files and folders are showing:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Use Search Companion. Start > Search > All Files and Folders > Enter this in the box: FB46626C.EXE
It should be in the System32 folder as you can see. Use the free scanners to find out what that is.

How is the computer running, what issues?

Follow these instructions to look for hidden malware:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks