
ldcore.dll, maybe others



jcflyguy
2007-11-26, 05:03
Hello. Recently, Avast! has popped up saying I have ldcore.dll, and it seems that it can't handle the bug. I have a HJT log, but when I tried to run Kaspersky, I got "Update Failed! No further antivirus actions can be taken!", and then it mentioned I must be online. This computer has multiple user accounts (three), but I don't know if that means anything.

I'm worried that other things may have infected my computer as well. I have run combofix.exe, as suggested by a friend, and I can post a log if need be. I've done everything (or tried, in the case of Kaspersky) in the "Before you post" thread. Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:28 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1708537768-725345543-949384954-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Guest')
O4 - HKUS\S-1-5-21-1708537768-725345543-949384954-501\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Guest\LOCALS~1\Temp\jkkjj.dll,c (User 'Guest')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6549 bytes

ken545
2007-11-26, 13:22
Hello jcflyguy
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You're infected with the SDbot worm and possibly the Vundo Trojan.


Let's do this.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.



The thieves have written Vundo to go undetected by HJT so I need you to rename it please.

This is important, do this before you post a HJT log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe


I need to see the SDFix report, the Combofix report and a new HJT log renamed to scanner.exe
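
As an added example (not code from this thread, from HijackThis or from any of the tools named above), here is a small Python triage script that applies the same checks a helper makes by eye on a log in the HJT format posted above: an O20 AppInit_DLLs entry, an O4 autorun that uses rundll32 to load a DLL out of a Temp directory, and an O2 BHO registered without a name that points into system32 or at a file that is already missing. The sample lines are reconstructed from this thread's log; the rule names and severities are my own.

```python
"""Triage heuristics for HijackThis (HJT) log entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in the HJT format shown in this thread,
# mixing legitimate lines (Java, avast!, Spybot) with the flagged ones.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {2a5b09ef-b656-41ef-93a9-27125be10d1c} - C:\WINDOWS\system32\fonqoa.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-21-1708537768-725345543-949384954-501\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Guest\LOCALS~1\Temp\jkkjj.dll,c (User 'Guest')
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
# A path component named Temp or tmp, in either case, e.g. "...\LOCALS~1\Temp\x.dll".
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str
    severity: str  # "high" or "medium"
    reason: str
    entry: str


def check_entry(line_no: int, sec: str, body: str):
    """Apply the triage rules to one parsed entry; return a Finding or None."""
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        # AppInit_DLLs is loaded into every process that maps user32.dll, so a
        # non-empty value is always worth a look; legitimate software rarely sets it.
        if value:
            return Finding(line_no, sec, "high",
                           f"AppInit_DLLs loads {value} into every GUI process", body)
    if sec == "O4" and "rundll32" in body.lower() and TEMP_DIR_RE.search(body):
        # Autoruns should not be loading DLLs out of a user's Temp directory.
        return Finding(line_no, sec, "high",
                       "autorun uses rundll32 to load a DLL from a Temp directory", body)
    if sec == "O2" and "(no name)" in body:
        if "(file missing)" in body or "(no file)" in body:
            return Finding(line_no, sec, "medium",
                           "unnamed BHO whose DLL is missing (orphaned registration)", body)
        if "\\system32\\" in body.lower():
            return Finding(line_no, sec, "medium",
                           "unnamed BHO loading a DLL from system32", body)
    return None


def triage(log_text: str):
    """Parse an HJT log and return the findings in log order."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        found = check_entry(line_no, m.group("sec"), m.group("body"))
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] line {f.line_no} {f.section}: {f.reason}")
        print(f"    {f.entry}")
```

The Spybot SDHelper.dll line shows why the unnamed-BHO rule is scoped to system32 and missing files: "(no name)" alone is not a reliable indicator.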

jcflyguy
2007-11-26, 19:56
Thank you for the reply. I've run the programs, renamed Hijackthis, and here are the logs as requested.

SDFix: Version 1.115

Run by Corey on Mon 11/26/2007 at 01:10 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\PROFSY~1.HTM - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe - Deleted
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\mrofinu77.exe - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\WINDOWS\tcb.pmw - Deleted



Folder C:\Temp\abW9 - Removed
Folder C:\WINDOWS\system32\rMa01yy - Removed
Folder C:\WINDOWS\system32\rMa02yy - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 13:22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Gravity\\RO\\dyefire.exe"="C:\\Program Files\\Gravity\\RO\\dyefire.exe:*:Enabled:DyeFire - a Ragnarok Online client proxy to be able to see clothing dyes"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 8 Jun 2007 1,808,519 ..SH. --- "C:\WINDOWS\system32\bccdd.bak1"
Fri 29 Jun 2007 1,854,829 ..SH. --- "C:\WINDOWS\system32\llnmp.bak1"
Fri 8 Jun 2007 1,808,519 ..SH. --- "C:\WINDOWS\system32\rstwa.bak1"

Finished!


ComboFix 07-11-19.3 - Corey 2007-11-26 13:33:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.49 [GMT -5:00]
Running from: C:\Documents and Settings\Corey\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\mlljg.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 13:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-26 06:26 80,960 --a------ C:\WINDOWS\system32\htcanbml.dll
2007-11-25 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 22:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-25 20:19 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2007-11-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2007-11-25 06:29 79,936 --a------ C:\WINDOWS\system32\uhegwwjt.dll
2007-11-25 05:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-24 00:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-24 00:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-23 22:15 <DIR> d-------- C:\Documents and Settings\Corey\.housecall6.6
2007-11-23 13:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-23 12:44 83,520 --a------ C:\WINDOWS\system32\lqfypekp.dll
2007-11-23 00:04 79,936 --a------ C:\WINDOWS\system32\itynwoja.dll
2007-11-22 16:08 79,936 --a------ C:\WINDOWS\system32\yecvslbr.dll
2007-11-21 19:10 80,960 --a------ C:\WINDOWS\system32\vhagrhxl.dll
2007-11-21 03:19 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-20 19:17 84,544 --a------ C:\WINDOWS\system32\nhwsjqur.dll
2007-11-20 16:36 22 --a------ C:\WINDOWS\b104.exe.bin
2007-11-20 16:36 22 --a------ C:\WINDOWS\b103.exe.bin
2007-11-20 16:25 36,864 --a------ C:\WINDOWS\system32\tuvsqnn.dll
2007-11-20 06:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-11-20 06:37 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-20 06:37 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-20 06:37 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-20 06:37 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-20 06:37 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-20 06:36 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-20 06:36 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-20 03:01 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-19 21:06 <DIR> d-------- C:\Program Files\Cool
2007-11-17 13:16 <DIR> d-------- C:\Program Files\EA Games
2007-11-16 12:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-04 15:59 <DIR> d-------- C:\Program Files\Google
2007-11-03 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-03 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-03 17:37 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-11-03 17:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-03 17:37 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-11-03 17:36 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\Corey\Application Data\HPAppData
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-03 17:26 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-03 17:24 <DIR> d-------- C:\Program Files\HP
2007-11-03 17:23 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-03 17:23 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-03 17:21 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-11-03 17:21 2,000 --------- C:\WINDOWS\hpomdl14.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 18:04 --------- d-----w C:\Program Files\mIRC
2007-11-24 03:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-20 21:26 36,864 ----a-w C:\WINDOWS\system32\gebyyay.dll
2007-11-20 02:02 36,352 ----a-w C:\WINDOWS\system32\efcayyx.dll
2007-11-18 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:33 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-17 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:41 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 17:03 --------- d-----w C:\Documents and Settings\Corey\Application Data\fltk.org
2007-10-12 17:20 45,056 ----a-w C:\WINDOWS\system32\katzpdrbp.exe
2007-10-12 17:20 44,922 ----a-w C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-12 17:20 421,888 ----a-w C:\WINDOWS\system32\bkinpqrh.dll
2007-10-12 17:20 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
2007-10-12 17:20 118,784 ----a-w C:\WINDOWS\system32\artchker.exe
2007-10-07 13:47 --------- d-----w C:\Program Files\Viewpoint
2007-10-07 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-04 01:33 1,099,693 --sh--w C:\WINDOWS\psutvw.ini2
2007-09-30 19:41 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 03:42 --------- d-----w C:\Program Files\Jnes 0.6
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-04 13:06 1,972 ----a-w C:\Program Files\installer.js
2005-07-29 20:24 472 --sha-r C:\WINDOWS\dXNlcg\xrh5w0.vbs
2007-06-09 01:46 1,808,519 --sha-w C:\WINDOWS\system32\bccdd.bak1
2007-06-29 10:05 1,854,829 --sha-w C:\WINDOWS\system32\llnmp.bak1
2007-06-09 01:54 1,808,519 --sha-w C:\WINDOWS\system32\rstwa.bak1
2007-06-09 19:48 1,864,650 --sha-w C:\WINDOWS\system32\rstwa.ini2
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_ 1.57.19.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-26 18:09:02 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-26 18:09:02 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-26 18:08:54 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-26 18:08:54 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-26 18:43:51 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12A0EDF6-BFB9-4C54-9AF7-99FD436E1E9B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18f605c0-f322-48d2-8acf-b9c263fb4f0f}]
2007-11-26 06:26 80960 --a------ C:\WINDOWS\system32\htcanbml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a5b09ef-b656-41ef-93a9-27125be10d1c}]
C:\WINDOWS\system32\fonqoa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-19 21:02 36352 --a------ C:\WINDOWS\system32\efcayyx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5690a155-2ace-4a08-8d89-05146877acbf}]
C:\WINDOWS\system32\huqcwyp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A590D6C-2549-4356-83FC-975843BB637B}]
C:\Program Files\Windows Media Player\hokeC:\DOCUME~1\Jared\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINDOWS\system32\48S378Ti.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 14:10]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 03:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 03:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\efcayyx.dll [2007-11-19 21:02 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayyx]
efcayyx.dll 2007-11-19 21:02 36352 C:\WINDOWS\system32\efcayyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fonqoa]
fonqoa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
2007-10-12 12:20 118784 --a------ C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\4T7DCm0H.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
2007-11-16 12:20 208896 --a------ C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\wvtusp.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{EE-E6-64-4B-ZN}]
C:\Documents and Settings\Jared\Local Settings\Temp\T0CHD001.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:09:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-26 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 17:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 18:00:01 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-25 19:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-25 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-25 21:00:00 C:\WINDOWS\Tasks\At17.job"
"2007-11-25 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-25 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 00:00:03 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-25 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 03:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 11:00:00 C:\WINDOWS\Tasks\At7.job"
"2007-11-26 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\i38w3h1v.exe
"2007-11-26 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\i38w3h1v.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 13:45:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 13:50:12 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-24 02:00
.
--- E O F ---

jcflyguy
2007-11-26, 19:57
And here is the requested HJT log, renamed as you suggested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:02 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12A0EDF6-BFB9-4C54-9AF7-99FD436E1E9B} - (no file)
O2 - BHO: {f0f4bf36-2c9b-fca8-2d84-223f0c506f81} - {18f605c0-f322-48d2-8acf-b9c263fb4f0f} - C:\WINDOWS\system32\htcanbml.dll
O2 - BHO: (no name) - {2a5b09ef-b656-41ef-93a9-27125be10d1c} - C:\WINDOWS\system32\fonqoa.dll (file missing)
O2 - BHO: (no name) - {38E04259-1064-4CED-8515-6E67F0D3C383} - C:\WINDOWS\system32\pmkjk.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\efcayyx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5690a155-2ace-4a08-8d89-05146877acbf} - C:\WINDOWS\system32\huqcwyp.dll (file missing)
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A590D6C-2549-4356-83FC-975843BB637B} - C:\Program Files\Windows Media Player\hokeC:\DOCUME~1\Jared\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\48S378Ti.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: efcayyx - C:\WINDOWS\SYSTEM32\efcayyx.dll
O20 - Winlogon Notify: fonqoa - fonqoa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8399 bytes

ken545
2007-11-27, 01:01
Hello,

Sorry for the delay but got hung up at work today.

ldcore.dll <-- SDFix always removes this, this time it did not :sad: Don't know why??

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {12A0EDF6-BFB9-4C54-9AF7-99FD436E1E9B} - (no file)
O2 - BHO: {f0f4bf36-2c9b-fca8-2d84-223f0c506f81} - {18f605c0-f322-48d2-8acf-b9c263fb4f0f} - C:\WINDOWS\system32\htcanbml.dll
O2 - BHO: (no name) - {2a5b09ef-b656-41ef-93a9-27125be10d1c} - C:\WINDOWS\system32\fonqoa.dll (file missing)
O2 - BHO: (no name) - {38E04259-1064-4CED-8515-6E67F0D3C383} - C:\WINDOWS\system32\pmkjk.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\efcayyx.dll
O2 - BHO: (no name) - {5690a155-2ace-4a08-8d89-05146877acbf} - C:\WINDOWS\system32\huqcwyp.dll (file missing)
O2 - BHO: (no name) - {7A590D6C-2549-4356-83FC-975843BB637B} - C:\Program Files\Windows Media Player\hokeC:\DOCUME~1\Jared\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\48S378Ti.dll (file missing)

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: efcayyx - C:\WINDOWS\SYSTEM32\efcayyx.dll
O20 - Winlogon Notify: fonqoa - fonqoa.dll (file missing)

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad

File::
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\lqfypekp.dll
C:\WINDOWS\system32\itynwoja.dll
C:\WINDOWS\system32\yecvslbr.dll
C:\WINDOWS\system32\vhagrhxl.dll
C:\WINDOWS\system32\nhwsjqur.dll
C:\WINDOWS\system32\htcanbml.dll
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b103.exe.bin
C:\WINDOWS\system32\tuvsqnn.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\efcayyx.dll
C:\windows\system32\ldcore.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\system32\i38w3h1v.exe
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folder::
C:\Program Files\Web Buying

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Post the new Combofix log, the Vundo log and a New HJT log please.

jcflyguy
2007-11-27, 02:24
Thank you for your time with this, here are the logs. Vundofix didn't find anything.

ComboFix 07-11-19.3 - Corey 2007-11-26 19:52:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.80 [GMT -5:00]
Running from: C:\Documents and Settings\Corey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corey\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\b103.exe.bin
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\efcayyx.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\htcanbml.dll
C:\WINDOWS\system32\i38w3h1v.exe
C:\WINDOWS\system32\itynwoja.dll
C:\windows\system32\ldcore.dll
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\lqfypekp.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\nhwsjqur.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\tuvsqnn.dll
C:\WINDOWS\system32\vhagrhxl.dll
C:\WINDOWS\system32\yecvslbr.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b103.exe.bin
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\efcayyx.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\htcanbml.dll
C:\WINDOWS\system32\itynwoja.dll
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\lqfypekp.dll
C:\WINDOWS\system32\nhwsjqur.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\tuvsqnn.dll
C:\WINDOWS\system32\vhagrhxl.dll
C:\WINDOWS\system32\yecvslbr.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 13:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-25 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 22:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-25 20:19 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2007-11-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2007-11-25 06:29 79,936 --a------ C:\WINDOWS\system32\uhegwwjt.dll
2007-11-25 05:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-24 00:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-24 00:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-23 22:15 <DIR> d-------- C:\Documents and Settings\Corey\.housecall6.6
2007-11-23 13:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-21 03:19 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-20 06:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-11-20 06:37 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-20 06:37 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-20 06:37 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-20 06:37 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-20 06:37 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-20 06:36 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-20 06:36 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-20 03:01 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-19 21:06 <DIR> d-------- C:\Program Files\Cool
2007-11-17 13:16 <DIR> d-------- C:\Program Files\EA Games
2007-11-16 12:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-04 15:59 <DIR> d-------- C:\Program Files\Google
2007-11-03 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-03 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-03 17:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-03 17:36 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\Corey\Application Data\HPAppData
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-03 17:26 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-03 17:24 <DIR> d-------- C:\Program Files\HP
2007-11-03 17:23 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-03 17:23 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-03 17:21 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-11-03 17:21 2,000 --------- C:\WINDOWS\hpomdl14.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 00:45 --------- d-----w C:\Program Files\mIRC
2007-11-24 03:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-18 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:33 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-17 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:41 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 17:03 --------- d-----w C:\Documents and Settings\Corey\Application Data\fltk.org
2007-10-07 13:47 --------- d-----w C:\Program Files\Viewpoint
2007-10-07 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-04 01:33 1,099,693 --sh--w C:\WINDOWS\psutvw.ini2
2007-09-30 19:41 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 03:42 --------- d-----w C:\Program Files\Jnes 0.6
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2007-08-04 13:06 1,972 ----a-w C:\Program Files\installer.js
2005-07-29 20:24 472 --sha-r C:\WINDOWS\dXNlcg\xrh5w0.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_ 1.57.19.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-26 18:09:02 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-26 18:09:02 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-26 18:08:54 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-26 18:08:54 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-27 01:03:08 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 14:10]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 03:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 03:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayyx]
efcayyx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\4T7DCm0H.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
2007-11-16 12:20 208896 --a------ C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\wvtusp.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{EE-E6-64-4B-ZN}]
C:\Documents and Settings\Jared\Local Settings\Temp\T0CHD001.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:09:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 20:04:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 20:07:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-26 13:50
C:\ComboFix3.txt ... 2007-11-24 02:00
.
--- E O F ---

VundoFix V6.6.2

Checking Java version...

Scan started at 8:09:29 PM 11/26/2007

Listing files found while scanning....

No infected files were found.

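The CFScript from the previous post and the ComboFix log it produced can be reconciled mechanically instead of by eye: which requested paths actually appear under Other Deletions, which do not (in this log ldcore.dll, mlljg.dll, i38w3h1v.exe and the Web Buying folder, following the "Unable to gain System Privileges" line), and which ComboFix removed without being asked (kjkmp.ini). The Python below is an added example, not part of the thread or of ComboFix; the two excerpts inside it are constructed from paths quoted in the thread, and the "((( Section )))" banner and "File::" directive syntax it parses are assumed from the log as printed here.

```python
"""Reconcile a ComboFix CFScript against the ComboFix log it produced."""
import re

# Constructed CFScript excerpt (a subset of the one posted in the thread).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\efcayyx.dll
c:\windows\system32\ldcore.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\i38w3h1v.exe
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\Tasks\At1.job

Folder::
C:\Program Files\Web Buying
"""

# Constructed ComboFix log excerpt: pmkjk.dll is deliberately lower-cased to
# exercise case-insensitive matching, and kjkmp.ini was never requested.
COMBOFIX_LOG = r"""
ComboFix 07-11-19.3 - Corey 2007-11-26 19:52:49.3 - NTFSx86

Unable to gain System Privileges

((((((((((((((((((( Other Deletions )))))))))))))))))))
.

C:\WINDOWS\system32\efcayyx.dll
C:\WINDOWS\system32\kjkmp.ini
c:\windows\system32\pmkjk.dll
C:\WINDOWS\Tasks\At1.job

.
((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))
2007-11-25 06:29 79,936 --a------ C:\WINDOWS\system32\uhegwwjt.dll
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")   # '((( Section Name )))'
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")            # line is a bare drive path
PRIV_WARNING = "Unable to gain System Privileges"


def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them case-folded."""
    return path.strip().casefold()


def parse_cfscript(text: str) -> dict:
    """Group CFScript lines under their 'File::' / 'Folder::' directives."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix(text: str) -> dict:
    """Collect non-empty lines under each banner; pre-banner lines go to 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def reconcile(script: str, log: str) -> dict:
    """Compare what the script asked to delete with what ComboFix reported."""
    requested = {norm(p): p for sec, paths in parse_cfscript(script).items()
                 if sec in ("File", "Folder") for p in paths}
    sections = parse_combofix(log)
    deleted = {norm(p): p for p in sections.get("Other Deletions", [])
               if PATH_RE.match(p)}
    return {
        "deleted": sorted(requested[k] for k in requested.keys() & deleted.keys()),
        "not_deleted": sorted(requested[k] for k in requested.keys() - deleted.keys()),
        "unrequested": sorted(deleted[k] for k in deleted.keys() - requested.keys()),
        # ComboFix printed this warning in the thread; survivors are then expected.
        "privilege_warning": any(PRIV_WARNING in ln for ln in sections["preamble"]),
    }


if __name__ == "__main__":
    report = reconcile(CFSCRIPT, COMBOFIX_LOG)
    for key in ("deleted", "not_deleted", "unrequested"):
        print(f"{key}: {report[key]}")
    if report["privilege_warning"]:
        print("WARNING: ComboFix could not gain System privileges")
```

Anything listed under not_deleted is what the helper has to chase in the next round, as the leftover entries in the following posts show.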
jcflyguy
2007-11-27, 02:25
And the HJT log, since the character limit is 20000.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:24 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: efcayyx - efcayyx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7274 bytes

ken545
2007-11-27, 03:51
You're doing well, :bigthumb: a bit more to do.

Remove this with HJT.
O20 - Winlogon Notify: efcayyx - efcayyx.dll (file missing)

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad

File::
C:\WINDOWS\system32\uhegwwjt.dll
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\df87173.exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!





Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you choose the online installation, it will prompt you to run the program.
If you choose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Post the new Combofix log and a new HJT log and let me know how your system is running now???




Forgot to mention that Viewpoint installed on your system without your knowledge or consent. It uses system resources and is not needed for anything; you can uninstall it via Add/Remove Programs in the Control Panel.
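The helper above reads the HijackThis log by eye and picks out entries such as an O20 Winlogon Notify line whose DLL is gone. As an added example (not code from the thread or from the HijackThis authors), the following Python script parses HJT item lines and flags the two things a helper checks first: orphaned entries ("(file missing)" / "(no file)") and autostart targets that live in a Temp folder. The sample log is constructed from lines posted in this thread plus one made-up O4 line pointing into a Temp folder; the flagging rules are general triage heuristics, not HijackThis's own logic.

```python
import re

# Constructed sample: HijackThis lines quoted from the logs posted in this thread,
# plus one made-up O4 entry (the "example" one) whose target sits in a Temp folder.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\sample.exe
O20 - Winlogon Notify: efcayyx - efcayyx.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HJT item lines look like "O4 - <body>", "R0 - <body>", "F2 - <body>", "N1 - <body>".
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# A path component named "Temp" anywhere in the target (matches \TEMP\ and \Temp\).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT item line."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def triage(items):
    """Map each flagged HJT line to the reasons it deserves a closer look."""
    findings = {}
    for section, body in items:
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            # The registry still points at a file that no longer exists:
            # harmless leftover, or the payload was already removed.
            reasons.append("orphaned entry: target file is gone")
        if TEMP_RE.search(body):
            # Legitimate software almost never autostarts from a Temp folder.
            reasons.append("autostart target lives in a Temp folder")
        if reasons:
            findings[f"{section} - {body}"] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(parse_hjt(SAMPLE_HJT)).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is it prints the three flagged lines (the orphaned O2 and O20 entries and the constructed Temp-folder O4 entry) and stays silent on the avast! and Java lines; a flag is a prompt to look closer, not a verdict.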

jcflyguy
2007-11-27, 07:11
Again, thank you so much for your time with this. So far, the computer is acting fine, but I haven't tried running two accounts at once, like we normally do. I've been keeping everyone else off while I've been getting your help. Here are the logs.

One more thing. When this all started, I noticed X_Cool.exe running in my processes. Normally I just kill it and things are fine. Is it anything to worry about?

ComboFix 07-11-19.3 - Corey 2007-11-27 0:44:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.93 [GMT -5:00]
Running from: C:\Documents and Settings\Corey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corey\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\df87173.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\uhegwwjt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\df87173.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\uhegwwjt.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 20:09 <DIR> d-------- C:\VundoFix Backups
2007-11-26 13:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-25 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 20:19 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2007-11-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2007-11-24 00:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-24 00:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-23 22:15 <DIR> d-------- C:\Documents and Settings\Corey\.housecall6.6
2007-11-23 13:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-20 06:37 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-20 06:37 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-20 06:37 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-20 06:37 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-20 06:37 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-20 06:36 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-20 06:36 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-19 21:06 <DIR> d-------- C:\Program Files\Cool
2007-11-17 13:16 <DIR> d-------- C:\Program Files\EA Games
2007-11-04 15:59 <DIR> d-------- C:\Program Files\Google
2007-11-03 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-03 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-03 17:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-03 17:36 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\Corey\Application Data\HPAppData
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-03 17:26 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-03 17:24 <DIR> d-------- C:\Program Files\HP
2007-11-03 17:23 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-03 17:23 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-03 17:21 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-11-03 17:21 2,000 --------- C:\WINDOWS\hpomdl14.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 05:42 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 05:34 --------- d-----w C:\Program Files\mIRC
2007-11-24 03:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-18 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:33 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-17 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:41 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 17:03 --------- d-----w C:\Documents and Settings\Corey\Application Data\fltk.org
2007-10-04 01:33 1,099,693 --sh--w C:\WINDOWS\psutvw.ini2
2007-09-30 19:41 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 03:42 --------- d-----w C:\Program Files\Jnes 0.6
2007-08-04 13:06 1,972 ----a-w C:\Program Files\installer.js
2005-07-29 20:24 472 --sha-r C:\WINDOWS\dXNlcg\xrh5w0.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_ 1.57.19.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-26 18:09:02 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-26 18:09:02 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-26 18:08:54 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-26 18:08:54 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-27 05:49:48 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_644.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 14:10]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 03:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 03:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\4T7DCm0H.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\wvtusp.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{EE-E6-64-4B-ZN}]
C:\Documents and Settings\Jared\Local Settings\Temp\T0CHD001.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:09:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 00:50:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-27 0:54:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-26 20:07
C:\ComboFix3.txt ... 2007-11-26 13:50
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:39 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7037 bytes

jcflyguy
2007-11-27, 07:35
While I was at it, I went on my brother's account and ran CC Cleaner. I also forgot to mention that before I came here for help, I disabled something called T0CHD001 from my startup menu under MSConfig. When I went to my brother's account, I ran MSConfig and disabled TA_Checker, or something like that, which was related to T0CHD001. I also disabled x_cool.

Right now, things are running VERY smoothly. Sorry for the extra post, but the 15 minutes to edit my post expired (though I couldn't find the edit button within the 15 minutes).

ken545
2007-11-27, 11:17
Good Morning,

Your log looks fine but there are some entries on the Combofix log that I need to look into.

I wanted to ask you about Cool, try removing it via the Add Remove Programs in the Control Panel. Let me know if it would not delete.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.


I'll be back a little later

ken545
2007-11-27, 13:18
This is what we need to do. Part of this fix is going to make changes to your registry, so download this program first; it will back it up for you and you can restore if there is a problem.


Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



File::
C:\Program Files\installer.js
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\TEMP\4T7DCm0H.exe
C:\WINDOWS\TEMP\4T7DCm0H.exe
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\wvtusp.dll
C:\WINDOWS\winshow.exe
C:\Documents and Settings\Jared\Local Settings\Temp\T0CHD001.exe

Folder::
C:\Program Files\Cool
C:\Program Files\Web Buying
C:\WINDOWS\dXNlcg

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{EE-E6-64-4B-ZN}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
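The CFScript above is plain text with three section headers (`File::`, `Folder::`, `Registry::`), one path or key per line, and it repeats several entries (the `avp` key and `4T7DCm0H.exe` each appear twice). As an added example that is not from the thread or from ComboFix's author, the Python below parses such a script, deduplicates repeated lines while keeping their order, and lints the result before it is handed to the tool: every file or folder must be an absolute drive path, and every registry line must use the `[-KEY]` form the script above uses for deletion (that this form means "delete the key" is an assumption taken from the thread's own script, not from ComboFix documentation). The sample script is a shortened, constructed version of the one posted above with one deliberately malformed registry line added.

```python
import re

# Constructed sample: a cut-down copy of the CFScript posted in this thread, with
# its duplicate lines kept and one registry line deliberately missing the "-".
CFSCRIPT = r"""File::
C:\WINDOWS\TEMP\4T7DCm0H.exe
C:\WINDOWS\TEMP\4T7DCm0H.exe
C:\WINDOWS\winshow.exe

Folder::
C:\Program Files\Cool

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "File::", "Folder::", "Registry::"
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")    # absolute path on a drive letter


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, dropping exact duplicates."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if line not in sections[current]:      # keep first occurrence, keep order
            sections[current].append(line)
    return sections


def lint(sections):
    """Return a list of problems; an empty list means the script looks well-formed."""
    problems = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not DRIVE_PATH_RE.match(path):
            problems.append(f"not an absolute drive path: {path}")
    for key in sections.get("Registry", []):
        # Assumption (from the thread's script): [-KEY] is the delete-key form.
        if not (key.startswith("[-") and key.endswith("]")):
            problems.append(f"registry line is not in [-KEY] deletion form: {key}")
    return problems


def render(sections):
    """Write the deduplicated sections back out in CFScript layout."""
    out = []
    for name, entries in sections.items():
        out.append(f"{name}::")
        out.extend(entries)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for problem in lint(parsed):
        print("WARNING:", problem)
    print(render(parsed))
```

Running it prints one warning for the malformed `winshow` registry line and then the cleaned script with each duplicate collapsed to a single entry; the cleaned text can be saved as CFScript exactly as the instructions above describe.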

jcflyguy
2007-11-27, 19:30
Thank you again for your time. Here are the logs.

ComboFix 07-11-19.3 - Corey 2007-11-27 13:17:24.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.92 [GMT -5:00]
Running from: C:\Documents and Settings\Corey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corey\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Jared\Local Settings\Temp\T0CHD001.exe
C:\Program Files\installer.js
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\TEMP\4T7DCm0H.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\wvtusp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Cool
C:\Program Files\Cool\Cool.dll
C:\Program Files\Cool\Cool.dll.intermediate.manifest
C:\Program Files\Cool\cool.exe
C:\Program Files\Cool\cool.info
C:\Program Files\Cool\cool.original
C:\Program Files\Cool\info.dll
C:\Program Files\Cool\un_CoolSetup_15849.exe
C:\Program Files\Cool\un_CoolSetup_15849.txt
C:\Program Files\Cool\X_Cool.dll
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Cool\X_cool.log
C:\Program Files\installer.js
C:\WINDOWS\dXNlcg
C:\WINDOWS\dXNlcg\xrh5w0.vbs

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 01:02 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 01:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-27 01:01 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-27 00:55 <DIR> d-------- C:\Program Files\CCleaner
2007-11-26 20:09 <DIR> d-------- C:\VundoFix Backups
2007-11-26 13:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-25 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 20:19 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2007-11-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2007-11-24 00:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-24 00:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-23 22:15 <DIR> d-------- C:\Documents and Settings\Corey\.housecall6.6
2007-11-23 13:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-20 06:37 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-20 06:37 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-20 06:37 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-20 06:37 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-20 06:37 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-20 06:36 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-20 06:36 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-17 13:16 <DIR> d-------- C:\Program Files\EA Games
2007-11-04 15:59 <DIR> d-------- C:\Program Files\Google
2007-11-03 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-03 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-03 17:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-03 17:36 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\Corey\Application Data\HPAppData
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-03 17:26 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-03 17:24 <DIR> d-------- C:\Program Files\HP
2007-11-03 17:23 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-03 17:23 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-03 17:21 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-11-03 17:21 2,000 --------- C:\WINDOWS\hpomdl14.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 18:14 --------- d-----w C:\Program Files\mIRC
2007-11-27 06:02 --------- d-----w C:\Program Files\Java
2007-11-27 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 05:42 --------- d-----w C:\Program Files\Viewpoint
2007-11-24 03:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-18 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:33 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-17 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:41 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 17:03 --------- d-----w C:\Documents and Settings\Corey\Application Data\fltk.org
2007-10-04 01:33 1,099,693 --sh--w C:\WINDOWS\psutvw.ini2
2007-09-30 19:41 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 03:42 --------- d-----w C:\Program Files\Jnes 0.6
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_ 1.57.19.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-27-2007\ERDNT.EXE
+ 2007-11-27 18:16:14 2,719,744 ----a-w C:\WINDOWS\erdnt\11-27-2007\Users\00000001\ntuser.dat
+ 2007-11-27 18:16:14 147,456 ----a-w C:\WINDOWS\erdnt\11-27-2007\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-26 18:09:02 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-26 18:09:02 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-26 18:08:54 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-26 18:08:54 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-03-14 04:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-27 18:22:26 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 14:10]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 03:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 03:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jared^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=C:\Documents and Settings\Jared\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jared^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Jared\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:09:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 13:23:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 13:27:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 00:54
C:\ComboFix3.txt ... 2007-11-26 20:07
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:05 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6994 bytes

ken545
2007-11-28, 00:34
Have not forgotten you, be back in a bit. Your log looks fine, just a couple of entries in Combofix I am looking into.

ken545
2007-11-28, 03:20
Hello Again,

Go to My Computer> C:\ Drive> Documents and Settings> Jared>Start Menu>Programs>Startup> ( and delete anything related to Cool )


Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



File::
C:\WINDOWS\psutvw.ini2
C:\WINDOWS\mrofinu572.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
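The two items that the script above targets, an executable sitting directly in C:\WINDOWS with a non-descriptive name and an msconfig "startupreg" leftover that launches it with a long hexadecimal argument, are the kind of pattern a helper looks for by eye in a ComboFix "Reg Loading Points" section. The following Python script is an added example and is not part of the original thread or of ComboFix itself: it parses lines in that section's format and flags the three indicators visible in this log. The sample lines are constructed to match the log's layout, and the heuristics (an .exe whose parent directory is the Windows root, an argument that is a hex blob of 32 or more characters, and an entry under the msconfig "shared tools" branch, which means it is a disabled startup item that msconfig remembered) are the editor's own, not a ComboFix rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of ComboFix's "Reg Loading Points" output:
# a key header in [brackets] followed by one entry per line.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
# Run-key style:  "Name"="C:\path\prog.exe" [yyyy-mm-dd hh:mm]
QUOTED_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<stamp>[^\]]+)\])?$')
# msconfig style: C:\path\prog.exe <arguments>
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"^[0-9A-Fa-f]{32,}$")

# Directories from which a legitimate program almost never autostarts directly.
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}


@dataclass
class Entry:
    key: str
    name: str
    path: str
    args: str
    flags: list = field(default_factory=list)


def parse_entries(text):
    """Turn the bracket-header / entry-line layout into Entry objects."""
    entries = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = QUOTED_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("path"), ""))
            continue
        m = EXE_RE.match(line)
        if m:
            # msconfig entries carry no name of their own; the key's last component is it.
            name = key.rsplit("\\", 1)[-1]
            entries.append(Entry(key, name, m.group("path"), m.group("args") or ""))
    return entries


def flag(entry):
    """Apply the three indicators (editor's heuristics, not a ComboFix rule set)."""
    flags = []
    parent, _, _filename = entry.path.rpartition("\\")
    if parent.lower() in WINDOWS_ROOTS:
        flags.append("exe_in_windows_root")
    if any(HEX_BLOB_RE.match(tok) for tok in entry.args.split()):
        flags.append("hex_blob_argument")
    if "\\shared tools\\msconfig\\" in entry.key.lower():
        # Disabled in msconfig, so it does not run, but key and file are still there.
        flags.append("msconfig_disabled_leftover")
    return flags


def scan(text):
    """Parse a Reg Loading Points fragment and attach flags to every entry."""
    entries = parse_entries(text)
    for e in entries:
        e.flags = flag(e)
    return entries


def suspicious(text, min_flags=2):
    """Names of entries that hit at least min_flags indicators (file + hex + msconfig = 3)."""
    return [e.name for e in scan(text) if len(e.flags) >= min_flags]


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        marker = "!!" if len(e.flags) >= 2 else "  "
        print(f"{marker} {e.name:<12} {e.path}  {', '.join(e.flags)}")
```

With the sample above only runner1 reaches two or more flags; the AIM entry is a disabled msconfig item pointing at a normal program path, which is why a single indicator is not treated as a hit on its own.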

jcflyguy
2007-11-28, 03:42
Thank you again. There was nothing in the C:\Documents and Settings\Jared\Start Menu\Programs folder. Here are the logs.

ComboFix 07-11-19.3 - Corey 2007-11-27 21:32:53.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -5:00]
Running from: C:\Documents and Settings\Corey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corey\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\psutvw.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\psutvw.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 01:02 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 01:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-27 01:01 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-27 00:55 <DIR> d-------- C:\Program Files\CCleaner
2007-11-26 20:09 <DIR> d-------- C:\VundoFix Backups
2007-11-26 13:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-25 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 20:19 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\HPAppData
2007-11-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 13:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2007-11-24 00:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-24 00:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-23 22:15 <DIR> d-------- C:\Documents and Settings\Corey\.housecall6.6
2007-11-23 13:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-20 06:37 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-20 06:37 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-20 06:37 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-20 06:37 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-20 06:37 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-20 06:36 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-20 06:36 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-17 13:16 <DIR> d-------- C:\Program Files\EA Games
2007-11-04 15:59 <DIR> d-------- C:\Program Files\Google
2007-11-03 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-11-03 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-03 17:37 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-03 17:36 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\Corey\Application Data\HPAppData
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-11-03 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-03 17:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-03 17:26 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-03 17:24 <DIR> d-------- C:\Program Files\HP
2007-11-03 17:23 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-03 17:23 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-03 17:21 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-11-03 17:21 2,000 --------- C:\WINDOWS\hpomdl14.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 02:27 --------- d-----w C:\Program Files\mIRC
2007-11-27 06:02 --------- d-----w C:\Program Files\Java
2007-11-27 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 05:42 --------- d-----w C:\Program Files\Viewpoint
2007-11-24 03:15 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-18 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:33 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-17 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:41 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 17:03 --------- d-----w C:\Documents and Settings\Corey\Application Data\fltk.org
2007-10-12 17:20 45,056 ----a-w C:\WINDOWS\system32\katzpdrbp.exe
2007-10-12 17:20 44,922 ----a-w C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-12 17:20 421,888 ----a-w C:\WINDOWS\system32\bkinpqrh.dll
2007-10-12 17:20 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
2007-09-30 19:41 --------- d-----w C:\Program Files\MSN Messenger
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_ 1.57.19.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-27-2007\ERDNT.EXE
+ 2007-11-27 18:16:14 2,719,744 ----a-w C:\WINDOWS\erdnt\11-27-2007\Users\00000001\ntuser.dat
+ 2007-11-27 18:16:14 147,456 ----a-w C:\WINDOWS\erdnt\11-27-2007\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-26 18:09:02 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-26 18:09:02 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-23 18:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-26 18:08:54 2,703,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-26 18:08:54 143,360 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-03-14 04:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-27 18:22:26 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 14:10]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 03:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 03:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jared^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=C:\Documents and Settings\Jared\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jared^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Jared\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:09:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:36:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 21:37:06
C:\ComboFix2.txt ... 2007-11-27 13:27
C:\ComboFix3.txt ... 2007-11-27 00:54
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:54 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b601a0ngo0jjt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6916 bytes

ken545
2007-11-28, 03:59
Things are looking good :bigthumb: How is everything running now???

jcflyguy
2007-11-28, 05:45
Things are running perfectly. Thank you for all the help you've given me.

ken545
2007-11-28, 10:37
That's Great :bigthumb:



I am providing links and free tools to install to help keep you more secure. Keep in mind as you go through the list that only ONE Anti Virus and Firewall are recommended, more is overkill and can cause problems.



You want to flush out your System Restore because all the garbage we just removed is backed up in there.



System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it





Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, these are must haves to help keep you secure

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken