Need some help cleaning my laptop
Danilo-11
2008-01-20, 06:38
Hello,
I hope that you guys can help me out. My problems are:
- Memory usage seems to be very high, and there have been a few times that my laptop crashed.
- I keep on getting some pop-ups in IE that I have been unable to remove with any program. I even bought McAfee Total Protection and it still happens.
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:47 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {0A7A8324-1646-491F-BD53-EE8654D552AB} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {35AF99FC-E205-4288-AA48-0F06779A25A5} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: {09fb716f-646b-59db-2024-3dc35c365b73} - {37b563c5-3cd3-4202-bd95-b646f617bf90} - C:\WINDOWS\system32\dvqqqhed.dll
O2 - BHO: (no name) - {399BB3E0-C03C-40B5-A563-B632343B1F32} - (no file)
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - (no file)
O2 - BHO: (no name) - {4CFA77CB-E9D6-4709-956F-4041EA9EE439} - C:\Program Files\MSN\meqosacik4444.dll (file missing)
O2 - BHO: (no name) - {4F5C0B8A-1B3F-46E0-B2DB-D6DF90DD62C3} - (no file)
O2 - BHO: (no name) - {4FD564D1-0B9E-47A6-8177-37B70A196339} - C:\Program Files\MSN\meqosacik83122.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8239990D-AF6D-40CB-F293-47F38AD45525} - C:\Program Files\Common Files\qucam.dll (file missing)
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\efcdawx.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {934076A4-A35D-451E-841E-44C51B1F59CE} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {AB17D7BC-99C7-43E0-9427-0124DB23E541} - C:\WINDOWS\system32\qskdsass.dll (file missing)
O2 - BHO: (no name) - {B2D83484-EA6A-465C-957A-3F35BB541BAD} - (no file)
O2 - BHO: (no name) - {b428571c-73cb-444b-8f8b-48aff8ff87d7} - C:\WINDOWS\system32\amugtrs.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {E55FD378-C568-4D1F-AC30-5E23588ED6AF} - C:\WINDOWS\system32\vtssp.dll (file missing)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {E9AC098A-F6BD-4CD1-81E7-B1F04640F995} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSWindowsUpdate] C:\WINDOWS\system32\winsecurityxp\mswinup.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [crezotaz] "rundll32.exe" "C:\Program Files\shehqfcn\ibwroboj.dll",Init
O4 - HKLM\..\Run: [ilmdizqr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ilmdizqr.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\hvnpayqe.dll",b
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [BM4bb1e9b4] Rundll32.exe "C:\WINDOWS\system32\whlxplva.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [pbmini] C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://danilo-11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://danilo-11.spaces.live.com/PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O20 - Winlogon Notify: vturrsq - C:\WINDOWS\
O20 - Winlogon Notify: winaap32 - winaap32.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0144041200796282) (0144041200796282mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\014404~1.EXE
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\eqiwybyw.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 12190 bytes
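A HijackThis log is plain text with one entry per line, so a first triage pass can be scripted. The block below is an added example and not code from the original post or from HijackThis; it parses lines in the v2 format shown above and attaches review reasons using heuristics drawn from the kinds of entries in that log (entries whose file is missing, executables under Temp, rundll32 calling a DLL by a one-letter export, regsvr32 /u at logon, services with no publisher, Winlogon Notify DLLs). The sample lines are a constructed subset modelled on the log, and the heuristics are an analyst's review aid, not a malware verdict.

```python
import re

# Constructed sample in Trend Micro HijackThis v2 line format, modelled on
# entry types that appear in the log above. It is not the poster's full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {0A7A8324-1646-491F-BD53-EE8654D552AB} - (no file)
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4882da28] rundll32.exe "C:\WINDOWS\system32\hvnpayqe.dll",b
O4 - HKLM\..\Run: [BM4bb1e9b4] Rundll32.exe "C:\WINDOWS\system32\whlxplva.dll",s
O4 - HKLM\..\Run: [ilmdizqr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ilmdizqr.dll"
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\eqiwybyw.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# "O4 - <body>" / "R1 - <body>"; header lines such as "Running processes:" do not match.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# rundll32[.exe] "<dll>",<export>  (also tolerates a quoted "rundll32.exe")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"[^"]+\.dll",(\S+)')
REGSVR_UNREG_RE = re.compile(r"regsvr32\s+/u\b")


def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look ([] = nothing noted).

    These are review heuristics for an analyst, not a malware verdict: a legitimate
    entry can trip one (a vendor service with no publisher string, for instance).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body").lower()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that is no longer present (orphaned entry)")
    if "\\temp\\" in body:
        reasons.append("executable lives in a Temp directory")
    rd = RUNDLL_RE.search(body)
    if rd and len(rd.group(1)) == 1:
        reasons.append("rundll32 calls a DLL through a one-character export name")
    if REGSVR_UNREG_RE.search(body):
        reasons.append("regsvr32 /u at logon runs the DLL's DllUnregisterServer on every start")
    if kind == "O23" and "unknown owner" in body:
        reasons.append("service carries no publisher information")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL, loaded into winlogon.exe at every logon")
    return reasons


def triage(log_text):
    """Map every flagged line of a HijackThis log to its reasons, in log order."""
    flagged = {}
    for raw in log_text.strip().splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged


def count_by_kind(flagged):
    """Count flagged lines per HijackThis section (O2, O4, O20, ...)."""
    counts = {}
    for line in flagged:
        kind = LINE_RE.match(line).group("kind")
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reasons in hits.items():
        print(line)
        for r in reasons:
            print("    -", r)
    print(count_by_kind(hits))
```

On the sample, eight of the twelve lines are flagged; the MalwareAlarm Run entry is not, which is the limit of path-shape heuristics: a rogue security product installed under Program Files with a sensible name only shows up against a reputation lookup, not from the log line itself.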
Hello,
Welcome to the forum. You have a bit of a mess going on.
Please print out or copy this page to Notepad. Make sure to download all the required tools to your desktop before starting. If there is anything that you do not understand, ask your question(s) before proceeding with the fixes.
A. Tools to download:
Right click HERE (http://www.mvps.org/winhelp2002/DelDomains.inf) and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.
**Note: In the event you already have SDFix and/or ComboFix, these are new versions that I need you to download. It is important that they are saved directly to your desktop**
B. Running the Tools
1. Run DelDomains:
Right click DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
Very Important!
Before running SDFix and ComboFix:
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with both SDFix and ComboFix and remove some of their embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Also, make sure you are physically disconnected from the Internet (unplug the cable) after downloading the programs but before running the files.
2. Run SDFix:
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Now reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press Enter
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Finally, copy the content of Report.txt to Notepad and Save it to your Desktop as you will be asked to post it later on.
3. Run ComboFix:
WARNING:
If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
Do not re-connect your machine back to the Internet until ComboFix has completely finished.
If there is no Internet connection when Combofix has completely finished, just restart your computer to restore the connection.
Double-click on combofix.exe and follow the prompts. When finished, it will produce a report for you.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
C. After ComboFix has finished its run:
Restart/re-enable all the programs that you disabled before running the tools.
Physically reconnect to the internet.
D. Posting Logs/Reports:
Report.txt
C:\ComboFix.txt
A new HijackThis log run after all the tools have been run.
Danilo-11
2008-01-23, 03:05
When I ran the ComboFix, it ran fine for a while, it went through several steps, and then I ran to the door for a second and came back and all that was on my monitor was my wallpaper.
I went to do some things for about 20 minutes and came back and it looked the same.
I restarted the computer, ran ComboFix again, and when it was going through about Step 40-60 it showed about 10 lines of text, of which I could only see "...... Windows ...." because it went by very fast; then the window closed and it didn't give me any report.
Here's the Report.txt and the HJT:
SDFix: Version 1.130
Run by Daniel on Tue 01/22/2008 at 05:44 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Safe Mode:
Checking Services:
Name:
core
Path:
system32\drivers\core.sys
core - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\PROGRA~1\COMMON~1\RTELEB~1.HTM - Deleted
C:\Documents and Settings\Daniel\Favorites\Online Security Guide.lnk - Deleted
C:\WINDOWS\Temp\win105.tmp.exe - Deleted
C:\WINDOWS\Temp\win1E3.tmp.exe - Deleted
C:\WINDOWS\Temp\win105.tmp.exe - Deleted
C:\WINDOWS\Temp\win1E3.tmp.exe - Deleted
C:\Documents and Settings\Daniel\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Program Files\ucleaner_setup.exe - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 17:52:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000098
"TracesSuccessful"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D61F9BAE-16E7-E587-5272-FE39C2B09624}]
"dbbdmofkfnngjedebhfmglhfifigedpdfmejhcgn"=hex:6b,61,70,65,68,6d,66,6e,61,66,66,6d,69,63,6a,64,6d,68,6e,65,62,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Limewire\\LimeWire.exe"="C:\\Program Files\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Tencent\\QQLive\\QQLive.exe"="C:\\Program Files\\Tencent\\QQLive\\QQLive.exe:*:Enabled:QQ??????"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"="C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe:*:Enabled:PE"
"C:\\Program Files\\SopCast\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast\\SopCast.exe:*:Enabled:SoP Client"
"C:\\Program Files\\Mirc\\mirc.exe"="C:\\Program Files\\Mirc\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\TVants\\tvants\\Tvants.exe"="C:\\Program Files\\TVants\\tvants\\Tvants.exe:*:Enabled:Tvants"
"C:\\Program Files\\CoolStreaming\\CoolstreamingIT\\CoolstreamingIT0.3.exe"="C:\\Program Files\\CoolStreaming\\CoolstreamingIT\\CoolstreamingIT0.3.exe:*:Enabled:eBook Workshop"
"C:\\Program Files\\PPStream\\ppStream\\ppStream.exe"="C:\\Program Files\\PPStream\\ppStream\\ppStream.exe:*:Enabled:ppStream P2P Streaming Player"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Imesh\\iMesh6.exe"="C:\\Program Files\\Imesh\\iMesh6.exe:*:Enabled:iMesh 6"
"C:\\Program Files\\Firefox\\firefox.exe"="C:\\Program Files\\Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\PeerCast\\PeerCast.exe"="C:\\Program Files\\PeerCast\\PeerCast.exe:*:Enabled:PeerCast"
"C:\\PROGRA~1\\pcast\\PODCAS~1\\PODCAS~1.EXE"="C:\\PROGRA~1\\Pcast\\PODCAS~1\\PODCAS~1.EXE:*:Enabled:Share Streaming"
"C:\\PROGRA~1\\pcast\\PODCAS~1\\PODCAS~2.EXE"="C:\\PROGRA~1\\Pcast\\PODCAS~1\\PODCAS~2.EXE:*:Enabled:Share Streaming"
"C:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMini.exe"="C:\\Program Files\\Pcast\\PodcastbarMini\\PodcastBarMini.exe:*:Enabled:Share Streaming"
"C:\\Program Files\\Emule\\emule.exe"="C:\\Program Files\\Emule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1149944720\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1149944720\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1149944720\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1149944720\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast"
"C:\\Program Files\\PPLive\\PPlive.exe"="C:\\Program Files\\PPLive\\PPlive.exe:*:Enabled:PPLive"
"C:\\Documents and Settings\\Daniel\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Daniel\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopAdver"
"C:\\Program Files\\VLCplayer\\VLC\\vlc.exe"="C:\\Program Files\\VLCplayer\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\TVants\\Tvants.exe"="C:\\Program Files\\TVants\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPmate\\ppmnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\IP Anonymizer\\common\\AnonProxy.exe"="C:\\Program Files\\IP Anonymizer\\common\\AnonProxy.exe:*:Enabled:AnonProxy"
"C:\\Program Files\\Proxyway\\proxyway.exe"="C:\\Program Files\\Proxyway\\proxyway.exe:*:Enabled:proxyway"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\DOCUME~1\\Daniel\\LOCALS~1\\Temp\\winD4.tmp.exe"="C:\\DOCUME~1\\Daniel\\LOCALS~1\\Temp\\winD4.tmp.exe:*:Enabled:winD4.tmp"
"C:\\WINDOWS\\system32\\eqiwybyw.exe"="C:\\WINDOWS\\system32\\eqi"
"C:\\WINDOWS\\TEMP\\winFD.tmp.exe"="C:\\WINDOWS\\TEMP\\winFD.tmp.exe:*:Enabled:winFD.tmp"
"C:\\WINDOWS\\system32\\dmbohgxp.exe"="C:\\WINDOWS\\system32\\dmb"
"C:\\WINDOWS\\system32\\vwcqelkx.exe"="C:\\WINDOWS\\system32\\vwc"
"C:\\WINDOWS\\system32\\rimqajmr.exe"="C:\\WINDOWS\\system32\\rim"
"C:\\Program Files\\TVUplayer\\TVUPlayer.exe"="C:\\Program Files\\TVUplayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\WINDOWS\\system32\\apywtost.exe"="C:\\WINDOWS\\system32\\apy"
"C:\\PROGRA~1\\PPcast\\PODCAS~1\\PODCAS~2.EXE"="C:\\PROGRA~1\\PPcast\\PODCAS~1\\PODCAS~2.EXE:*:Enabled:Share Streaming"
"C:\\Program Files\\PPcast\\PodcastbarMini\\PodcastBarMini.exe"="C:\\Program Files\\PPcast\\PodcastbarMini\\PodcastBarMini.exe:*:Enabled:Share Streaming"
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Enabled:PPMate"
"C:\\WINDOWS\\system32\\ssbbbpog.exe"="C:\\WINDOWS\\system32\\ssb"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 18 Apr 2005 29,184 A..H. --- "C:\Files\Jobs\~WRL0001.tmp"
Tue 30 Oct 2007 442,258 ..SH. --- "C:\WINDOWS\system32\orqss.tmp"
Fri 11 Jan 2008 431,897 ..SH. --- "C:\WINDOWS\system32\orqss.bak1"
Sat 12 Jan 2008 431,681 ..SH. --- "C:\WINDOWS\system32\orqss.bak2"
Tue 20 Nov 2007 20,810 ..SH. --- "C:\WINDOWS\system32\uyxxftbs.dllbox"
Sun 27 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 12 Jan 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 12 Jan 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Wed 4 Apr 2001 28,738 A..HR --- "C:\Program Files\Microsoft Office\MSDE2000\SQLRESLD.DLL"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\RECYCLER\S-1-5-21-1797230346-1586699669-1974590853-1006\Dc471\cygz.dll"
Sun 2 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 8 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 16 Nov 2004 19,456 A..H. --- "C:\Files\Files1\School\Psy50\~WRL3166.tmp"
Mon 18 Apr 2005 29,184 A..H. --- "C:\Documents and Settings\Daniel\My Documents\Files01\Jobs\~WRL0001.tmp"
Sun 27 Nov 2005 4,348 ...H. --- "C:\Documents and Settings\Daniel\My Documents\My Music\License Backup\drmv1key.bak"
Thu 16 Mar 2006 20 A..H. --- "C:\Documents and Settings\Daniel\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 16 Mar 2006 488 A.SH. --- "C:\Documents and Settings\Daniel\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
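The "Authorized Application Key Export" section of the SDFix report above is a dump of the Windows Firewall exception list, a place where unwanted software on this machine had been adding itself (Temp executables, a "winsecurityxp\mswinup.exe" labelled as Internet Explorer, and several system32 entries with truncated values). The block below is an added example, not SDFix code or code from the original post: it parses that .reg-style export and flags entries for review. The sample is a constructed subset built from paths in the report, and the KNOWN_LABELS map (which well-known display name belongs to which binary) is an assumption of the example that a reader would extend for their own environment.

```python
import re

# Constructed sample, modelled on the "Authorized Application Key Export"
# section of the SDFix report above (paths copied from that report).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Firefox\\firefox.exe"="C:\\Program Files\\Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\PROGRA~1\\pcast\\PODCAS~1\\PODCAS~1.EXE"="C:\\PROGRA~1\\Pcast\\PODCAS~1\\PODCAS~1.EXE:*:Enabled:Share Streaming"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
"C:\\DOCUME~1\\Daniel\\LOCALS~1\\Temp\\winD4.tmp.exe"="C:\\DOCUME~1\\Daniel\\LOCALS~1\\Temp\\winD4.tmp.exe:*:Enabled:winD4.tmp"
"C:\\WINDOWS\\system32\\eqiwybyw.exe"="C:\\WINDOWS\\system32\\eqi"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# A well-formed value is  <path>:*:<Enabled|Disabled>:<display label>
VALUE_RE = re.compile(r"^(?P<path>.+?):\*:(?P<state>enabled|disabled):(?P<label>.*)$", re.IGNORECASE)

# Assumed mapping (example's own): display label -> binary that legitimately carries it.
KNOWN_LABELS = {
    "internet explorer": "iexplore.exe",
    "windows messenger": "msmsgs.exe",
}


def parse_export(text):
    """Return (profile_key, value_name, value_data) for every entry under a [key] line."""
    key, entries = None, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        em = ENTRY_RE.match(line)
        if em and key:
            entries.append((key, em.group("name"), em.group("value")))
    return entries


def basename(path):
    """Last path component, lower-cased; the export doubles backslashes."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def check_entry(name, value):
    """Review reasons for one exception entry ([] = nothing noted)."""
    vm = VALUE_RE.match(value)
    if not vm:
        return ["value is not in path:*:state:label form (malformed or truncated)"]
    path, state, label = vm.group("path"), vm.group("state").lower(), vm.group("label")
    reasons = []
    if path.lower() != name.lower():   # case-only differences (pcast/Pcast) are normal
        reasons.append("value path differs from the value name")
    if state == "enabled":
        if "\\temp\\" in path.lower():
            reasons.append("enabled exception for an executable in a Temp directory")
        expected = KNOWN_LABELS.get(label.lower())
        if expected and basename(path) != expected:
            reasons.append(f'label "{label}" belongs to {expected}, not {basename(path)}')
    return reasons


def audit(text):
    """List (profile, value_name, reasons) for every flagged entry, in export order."""
    findings = []
    for key, name, value in parse_export(text):
        reasons = check_entry(name, value)
        if reasons:
            profile = key.rsplit("\\", 3)[-3]   # e.g. "standardprofile"
            findings.append((profile, name, reasons))
    return findings


if __name__ == "__main__":
    for profile, name, reasons in audit(SAMPLE_EXPORT):
        print(f"[{profile}] {name}")
        for r in reasons:
            print("    -", r)
```

Run on the sample it reports three entries (the impersonating "Internet Explorer" label, the Temp executable, and the truncated system32 value) and passes the legitimate ones, including the disabled AOL entry and the pcast entry whose only difference is letter case.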
Danilo-11
2008-01-23, 03:08
Here's the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59, on 2008-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {4CFA77CB-E9D6-4709-956F-4041EA9EE439} - C:\Program Files\MSN\meqosacik4444.dll (file missing)
O2 - BHO: (no name) - {4FD564D1-0B9E-47A6-8177-37B70A196339} - C:\Program Files\MSN\meqosacik83122.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {8239990D-AF6D-40CB-F293-47F38AD45525} - C:\Program Files\Common Files\qucam.dll (file missing)
O2 - BHO: (no name) - {AB17D7BC-99C7-43E0-9427-0124DB23E541} - C:\WINDOWS\system32\qskdsass.dll (file missing)
O2 - BHO: (no name) - {b428571c-73cb-444b-8f8b-48aff8ff87d7} - C:\WINDOWS\system32\amugtrs.dll (file missing)
O2 - BHO: (no name) - {E55FD378-C568-4D1F-AC30-5E23588ED6AF} - C:\WINDOWS\system32\vtssp.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [pbmini] C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://danilo-11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://danilo-11.spaces.live.com/PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O20 - Winlogon Notify: vturrsq - C:\WINDOWS\
O20 - Winlogon Notify: winaap32 - winaap32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 9013 bytes
Hello,
This system is pretty heavily infected, it's a wonder it starts up and runs at all.
c:\rapport.txt <-- You can find the combofix log here, it's extremely important that I see it. Post it please and then run Vundofix and post a new HJT log
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Danilo-11
2008-01-23, 05:32
Hello,
This system is pretty heavily infected, it's a wonder it starts up and runs at all.
c:\rapport.txt <-- You can find the combofix log here, it's extremely important that I see it.
I couldn't find it,
I did a search on my C:\ drive
I only found a new ComboFix folder with 2 new text files.
ComboFix.txt:
ComboFix 08-01-23.1 - Daniel 2008-01-22 18:47:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -6:00]
Running from: C:\Documents and Settings\Daniel\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
pend.txt:
\??\C:\ntdetect.com\0\0
\??\C:\boot.ini\0\0
\??\C:\ntldr\0\0
\??\C:\WINDOWS\0\0
\??\C:\WINDOWS\explorer.exe\0\0
\??\C:\WINDOWS\system32\csrss.exe\0\0
\??\C:\WINDOWS\system32\lsass.exe\0\0
\??\C:\WINDOWS\system32\services.exe\0\0
\??\C:\WINDOWS\system32\smss.exe\0\0
\??\C:\WINDOWS\system32\svchost.exe\0\0
\??\C:\WINDOWS\system32\userinit.exe\0\0
\??\C:\WINDOWS\system32\winlogon.exe\0\0
\??\C:\WINDOWS\system32\hal.dll\0\0
\??\C:\WINDOWS\system32\ntdll.dll\0\0
\??\C:\WINDOWS\system32\config\0\0
\??\C:\WINDOWS\system32\drivers\0\0
\??\C:\WINDOWS\system32\wbem\0\0
Danilo-11
2008-01-23, 06:33
BTW, thanks for all the help
Here's the Vundofix.txt file:
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 11:45:02 PM 5/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\fakmefge.dll
C:\WINDOWS\system32\krdanfss.dll
C:\WINDOWS\system32\psstv.bak1
C:\WINDOWS\system32\psstv.bak2
C:\WINDOWS\system32\psstv.ini
C:\WINDOWS\system32\qjgjlriq.dll
C:\WINDOWS\system32\rqrqqqr.dll
C:\WINDOWS\system32\vhorygte.dll
C:\WINDOWS\system32\vtssp.dll
C:\WINDOWS\system32\vturrsq.dll
C:\WINDOWS\system32\wxnljwvs.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fakmefge.dll
C:\WINDOWS\system32\fakmefge.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\krdanfss.dll
C:\WINDOWS\system32\krdanfss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\psstv.bak1
C:\WINDOWS\system32\psstv.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\psstv.bak2
C:\WINDOWS\system32\psstv.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\psstv.ini
C:\WINDOWS\system32\psstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qjgjlriq.dll
C:\WINDOWS\system32\qjgjlriq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqqr.dll
C:\WINDOWS\system32\rqrqqqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vhorygte.dll
C:\WINDOWS\system32\vhorygte.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtssp.dll
C:\WINDOWS\system32\vtssp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vturrsq.dll
C:\WINDOWS\system32\vturrsq.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vturrsq.dll
C:\WINDOWS\system32\vturrsq.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 21:40:58 2008-01-22
Listing files found while scanning....
C:\WINDOWS\Replay Media Catcher\uninstall.exe
Beginning removal...
Attempting to delete C:\WINDOWS\Replay Media Catcher\uninstall.exe
C:\WINDOWS\Replay Media Catcher\uninstall.exe Has been deleted!
Performing Repairs to the registry.
Done!
Here's the HJT file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31, on 2008-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {4CFA77CB-E9D6-4709-956F-4041EA9EE439} - C:\Program Files\MSN\meqosacik4444.dll (file missing)
O2 - BHO: (no name) - {4FD564D1-0B9E-47A6-8177-37B70A196339} - C:\Program Files\MSN\meqosacik83122.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {8239990D-AF6D-40CB-F293-47F38AD45525} - C:\Program Files\Common Files\qucam.dll (file missing)
O2 - BHO: (no name) - {AB17D7BC-99C7-43E0-9427-0124DB23E541} - C:\WINDOWS\system32\qskdsass.dll (file missing)
O2 - BHO: (no name) - {b428571c-73cb-444b-8f8b-48aff8ff87d7} - C:\WINDOWS\system32\amugtrs.dll (file missing)
O2 - BHO: (no name) - {E55FD378-C568-4D1F-AC30-5E23588ED6AF} - C:\WINDOWS\system32\vtssp.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [pbmini] C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Firefox\plugins\NPSWF32_FlashUtil.exe -p
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://danilo-11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://danilo-11.spaces.live.com/PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O20 - Winlogon Notify: vturrsq - C:\WINDOWS\
O20 - Winlogon Notify: winaap32 - winaap32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 9191 bytes
Good Morning,
You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
C:\Program Files\MalwareAlarm <-- This is a Rogue program and part of your problem, try removing it via Add/Remove Programs in the Control Panel
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {4CFA77CB-E9D6-4709-956F-4041EA9EE439} - C:\Program Files\MSN\meqosacik4444.dll (file missing)
O2 - BHO: (no name) - {4FD564D1-0B9E-47A6-8177-37B70A196339} - C:\Program Files\MSN\meqosacik83122.dll (file missing)
O2 - BHO: (no name) - {8239990D-AF6D-40CB-F293-47F38AD45525} - C:\Program Files\Common Files\qucam.dll (file missing)
O2 - BHO: (no name) - {AB17D7BC-99C7-43E0-9427-0124DB23E541} - C:\WINDOWS\system32\qskdsass.dll (file missing)
O2 - BHO: (no name) - {b428571c-73cb-444b-8f8b-48aff8ff87d7} - C:\WINDOWS\system32\amugtrs.dll (file missing)
O2 - BHO: (no name) - {E55FD378-C568-4D1F-AC30-5E23588ED6AF} - C:\WINDOWS\system32\vtssp.dll (file missing)
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O20 - Winlogon Notify: vturrsq - C:\WINDOWS\
O20 - Winlogon Notify: winaap32 - winaap32.dll (file missing)
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\plite731.exe
C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe
C:\Program Files\MalwareAlarm
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Drag Combofix to the trash and download a fresh copy, run it and post the log
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
I need to see the OtMoveIt log, the Combofix log and a New HJT log please
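The entries the helper asks to have fixed fall into three classes that recur in Vundo-style infections: O2 BHO registrations whose DLL is gone, O20 Winlogon Notify entries with a missing DLL or a bare directory as the target, and O4 autoruns launching from a user Temp folder or belonging to a rogue product. The script below is an added example for this thread, not code from HijackThis or any tool named here; it triages an HJT log by those rules. The sample log is constructed in HJT v2 format from lines like the ones posted above, and `Finding`, `triage_hjt`, `summarize` and `fix_list` are names chosen for this example.

```python
"""Triage a HijackThis (HJT) log for the entry classes the helper asked to have
fixed.  Added example for this thread, not code from HijackThis, VundoFix or
any other tool named here."""
import re
from dataclasses import dataclass

# Constructed sample in HJT v2 format, modelled on the logs posted in this
# thread: benign vendor entries mixed with the suspect ones the helper listed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30CC0073-F70B-4EA2-9FBB-D2B529EB55BA} - C:\WINDOWS\system32\ssqro.dll (file missing)
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [{2D-DA-A8-87-ZN}] C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O20 - Winlogon Notify: efcdawx - efcdawx.dll (file missing)
O20 - Winlogon Notify: vturrsq - C:\WINDOWS\
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# An HJT entry starts with a section code (R0, O2, O4, O20, ...) followed by " - ".
HJT_ENTRY = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
# Autoruns that execute straight out of a user's Temp folder.
TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE)
# Product names the helper identified as rogue software in this thread.
ROGUE_NAMES = {"malwarealarm"}


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2"
    reason: str    # why the entry was flagged
    line: str      # the original log line, ready to paste into a fix list


def triage_hjt(log_text: str) -> list:
    """Return the log entries that match the three removal rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # headers, process list, separators
        section, body = m.group(1), m.group(2)
        if section == "O2" and "(file missing)" in body:
            # A BHO is still registered but its DLL is gone: an orphaned remnant.
            findings.append(Finding(section, "BHO registered, DLL missing", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs load into winlogon.exe at logon; a missing
            # DLL or a bare directory as the target is not how vendors ship them.
            target = body.split(" - ", 1)[1] if " - " in body else ""
            if "(file missing)" in target or target.endswith("\\"):
                findings.append(Finding(section, "Winlogon Notify DLL missing or bare directory", line))
        elif section == "O4":
            if TEMP_DIR.search(body):
                findings.append(Finding(section, "autorun launching from a user Temp folder", line))
            elif any(name in body.lower() for name in ROGUE_NAMES):
                findings.append(Finding(section, "autorun for a known rogue product", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per HJT section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def fix_list(findings) -> list:
    """The flagged lines in log order, as one would tick them in 'Fix checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_LOG)
    print(summarize(hits))
    for f in hits:
        print(f"{f.reason}: {f.line}")
```

On the sample it flags five entries (one O2, two O4, two O20) and leaves the Acrobat BHO, the touchpad autorun and the McAfee service alone. Treat the output as a first pass rather than a verdict: "(file missing)" also appears after sloppy uninstalls, and in this thread it was the helper who confirmed which orphans belonged to the infection.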
Danilo-11
2008-01-23, 16:50
Good Morning,
You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
C:\Program Files\MalwareAlarm <-- This is a Rogue program and part of your problem, try removing it via Add/Remove Programs in the Control Panel
I believe that I uninstalled the Spybot S&D and the MalwareAlarm a few weeks ago before I installed the McAfee Total Protection.
I searched for both of them in "My Computer" and I only found Spybot S&D. I ran it, and while running it I clicked on "uninstall", restarted the laptop, ran a new HJT, and I could still see the teatimer.exe (and malware, too).
I didn't do the rest of the steps since I was unable to do this 1st part.
Disable the TeaTimer and reboot for it to take effect. According to your last HJT log it's still running
Remove those entries with HJT
Run those files through OtMoveIt
Delete Combofix, download a newer version and run the program
Let me see the OtMoveIt log, the Combofix log and a New HJT log
Danilo-11
2008-01-23, 22:30
Here's the OTMoveIt:
File/Folder C:\WINDOWS\plite731.exe not found.
File/Folder C:\Documents and Settings\Daniel\Local Settings\Temp\T0CHD001.exe not found.
File/Folder C:\Program Files\MalwareAlarm not found.
Created on 01-23-2008 13:52:25
Here's the ComboFix:
ComboFix 08-01-23.2 - Daniel 2008-01-23 13:57:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -6:00]
Running from: C:\Documents and Settings\Daniel\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\Abbr
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\HOURS
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ProductCode
C:\Documents and Settings\Daniel\My Documents\YMBOLS~1
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\hydramedupd.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\WINDOWS\7search.dll
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\frexup3.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ankxlapu.dll
C:\WINDOWS\system32\atdetpak.dll
C:\WINDOWS\system32\axxckikv.dll
C:\WINDOWS\system32\bdpbwdds.ini
C:\WINDOWS\system32\caswgfen.ini
C:\WINDOWS\system32\cfcgfqrw.ini
C:\WINDOWS\system32\cqqsvwqx.dll
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dlbmipww.ini
C:\WINDOWS\system32\dmqjmfeu.ini
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drvlikr.dll
C:\WINDOWS\system32\drvxigr.dll
C:\WINDOWS\system32\dvqqqhed.dll
C:\WINDOWS\system32\ehiqqpxk.ini
C:\WINDOWS\system32\elgfnqsg.ini
C:\WINDOWS\system32\eqyapnvh.ini
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\ghatqkio.ini
C:\WINDOWS\system32\gpflbitj.dll
C:\WINDOWS\system32\gsjnufwu.dll
C:\WINDOWS\system32\gsqnfgle.dll
C:\WINDOWS\system32\hvnpayqe.dll
C:\WINDOWS\system32\hxmjsydg.dll
C:\WINDOWS\system32\ieahyupn.dll
C:\WINDOWS\system32\iiucvhrm.dll
C:\WINDOWS\system32\ivdktyby.dll
C:\WINDOWS\system32\jdbclbet.dll
C:\WINDOWS\system32\kaptedta.ini
C:\WINDOWS\system32\kbjfcwgn.dll
C:\WINDOWS\system32\kxpqqihe.dll
C:\WINDOWS\system32\lmptnrvv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\mvjnuneq.ini
C:\WINDOWS\system32\nefgwsac.dll
C:\WINDOWS\system32\ngaoiarn.dll
C:\WINDOWS\system32\ngwcfjbk.ini
C:\WINDOWS\system32\niertcrw.ini
C:\WINDOWS\system32\oikqtahg.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\oTt06e
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\ovhqwxlq.dll
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\pdeansru.dll
C:\WINDOWS\system32\pfcjvhaf.dll
C:\WINDOWS\system32\poprqoko.dll
C:\WINDOWS\system32\qbbvycgx.dll
C:\WINDOWS\system32\qenunjvm.dll
C:\WINDOWS\system32\qmraiivx.dll
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\sddwbpdb.dll
C:\WINDOWS\system32\smjabexx.ini
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\stlovlde.dll
C:\WINDOWS\system32\suodemev.dll
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\tdlmqbvv.dll
C:\WINDOWS\system32\teblcbdj.ini
C:\WINDOWS\system32\txhirdgx.ini
C:\WINDOWS\system32\uefmjqmd.dll
C:\WINDOWS\system32\upalxkna.ini
C:\WINDOWS\system32\ursnaedp.ini
C:\WINDOWS\system32\uwfunjsg.ini
C:\WINDOWS\system32\uyxxftbs.dllbox
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\vemedous.ini
C:\WINDOWS\system32\vidokcco.dll
C:\WINDOWS\system32\vllvgqhy.dll
C:\WINDOWS\system32\vvrntpml.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\whlxplva.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wqalsmhw.dll
C:\WINDOWS\system32\wrctrein.dll
C:\WINDOWS\system32\wrqfgcfc.dll
C:\WINDOWS\system32\wwpimbld.dll
C:\WINDOWS\system32\xgcyvbbq.ini
C:\WINDOWS\system32\xgdrihxt.dll
C:\WINDOWS\system32\xqwvsqqc.ini
C:\WINDOWS\system32\xviiarmq.ini
C:\WINDOWS\system32\xxebajms.dll
C:\WINDOWS\system32\ybytkdvi.ini
C:\WINDOWS\system32\yhqgvllv.ini
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.
2008-01-22 21:40 . 2008-01-22 21:40 <DIR> d-------- C:\VundoFix Backups
2008-01-22 18:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-21 21:03 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Irfanview
2008-01-21 20:45 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
2008-01-17 20:58 . 2008-01-17 20:58 268 --ah----- C:\sqmdata10.sqm
2008-01-17 20:58 . 2008-01-17 20:58 244 --ah----- C:\sqmnoopt10.sqm
2008-01-17 19:20 . 2008-01-17 19:20 268 --ah----- C:\sqmdata09.sqm
2008-01-17 19:20 . 2008-01-17 19:20 244 --ah----- C:\sqmnoopt09.sqm
2008-01-17 19:12 . 2003-09-25 15:39 102,481 --------- C:\WINDOWS\system32\stac97.cpl
2008-01-17 19:11 . 2008-01-17 19:11 <DIR> d-------- C:\Program Files\SigmaTel
2008-01-17 19:11 . 2003-07-17 17:19 230,416 --a------ C:\WINDOWS\system32\drivers\stac97.sys
2008-01-16 00:18 . 2008-01-16 00:18 <DIR> d-------- C:\McAfee
2008-01-16 00:16 . 2008-01-16 00:16 <DIR> d-------- C:\SiteAdvisor
2008-01-16 00:02 . 2008-01-16 00:02 268 --ah----- C:\sqmdata08.sqm
2008-01-16 00:02 . 2008-01-16 00:02 244 --ah----- C:\sqmnoopt08.sqm
2008-01-15 23:59 . 2008-01-15 23:59 <DIR> d-------- C:\Program Files\Realtek
2008-01-15 23:58 . 2005-04-16 22:20 487,424 --a------ C:\WINDOWS\RtlExUpd.dll
2008-01-12 21:37 . 2008-01-12 21:37 268 --ah----- C:\sqmdata07.sqm
2008-01-12 21:37 . 2008-01-12 21:37 244 --ah----- C:\sqmnoopt07.sqm
2008-01-12 17:59 . 2008-01-23 14:02 10,987 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-12 17:57 . 2008-01-16 00:02 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-01-12 17:55 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-12 17:52 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-12 17:51 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-12 17:51 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-12 17:51 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-12 17:51 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-12 17:51 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-12 17:48 . 2008-01-12 17:51 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-12 17:46 . 2008-01-12 17:46 268 --ah----- C:\sqmdata06.sqm
2008-01-12 17:46 . 2008-01-12 17:46 244 --ah----- C:\sqmnoopt06.sqm
2008-01-12 17:30 . 2008-01-12 21:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-12 17:10 . 2008-01-12 17:10 268 --ah----- C:\sqmdata05.sqm
2008-01-12 17:10 . 2008-01-12 17:10 244 --ah----- C:\sqmnoopt05.sqm
2008-01-12 17:04 . 2008-01-12 17:04 268 --ah----- C:\sqmdata04.sqm
2008-01-12 17:04 . 2008-01-12 17:04 244 --ah----- C:\sqmnoopt04.sqm
2008-01-11 14:42 . 2008-01-21 21:09 16,808 --a------ C:\WINDOWS\BM4bb1e9b4.xml
2008-01-11 14:42 . 2008-01-22 18:04 21 --a------ C:\WINDOWS\pskt.ini
2008-01-09 18:34 . 2008-01-09 18:34 268 --ah----- C:\sqmdata03.sqm
2008-01-09 18:34 . 2008-01-09 18:34 244 --ah----- C:\sqmnoopt03.sqm
2008-01-08 20:11 . 2008-01-09 17:58 1,049,449 ---hs---- C:\WINDOWS\system32\tfcdflrj.ini
2008-01-01 08:52 . 2008-01-03 09:27 1,036,162 ---hs---- C:\WINDOWS\system32\vvbfbcjf.ini
2007-12-31 00:10 . 2007-12-31 18:04 1,031,199 ---hs---- C:\WINDOWS\system32\mocyjugv.ini
2007-12-29 19:27 . 2007-12-31 00:07 1,031,139 ---hs---- C:\WINDOWS\system32\tfqvhokg.ini
2007-12-29 17:07 . 2007-12-29 17:07 1,031,139 ---hs---- C:\WINDOWS\system32\xqxdiwku.ini
2007-12-26 09:17 . 2007-12-27 09:29 1,027,531 ---hs---- C:\WINDOWS\system32\pvjcdwlv.ini
2007-12-26 00:15 . 2007-12-26 00:18 1,019,217 ---hs---- C:\WINDOWS\system32\jtcbgtih.ini
2007-12-25 00:22 . 2007-12-26 00:14 1,010,035 ---hs---- C:\WINDOWS\system32\pqxmbqpq.ini
2007-12-23 22:04 . 2007-12-25 00:16 990,639 ---hs---- C:\WINDOWS\system32\jdmanntd.ini
2007-12-23 22:04 . 2007-12-23 22:04 244 --ah----- C:\sqmnoopt02.sqm
2007-12-23 22:04 . 2007-12-23 22:04 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 05:53 --------- d-----w C:\Program Files\Firefox
2008-01-23 04:25 --------- d-----w C:\Program Files\McAfee
2008-01-21 00:45 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-18 04:34 --------- d-----w C:\Program Files\Adaware
2008-01-18 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 03:17 --------- d-----w C:\Program Files\FLV Player
2008-01-13 03:07 --------- d-----w C:\Program Files\QuickTime
2008-01-13 03:03 --------- d-----w C:\Program Files\Logitech
2008-01-13 03:02 --------- d-----w C:\Program Files\Limewire
2008-01-13 00:01 --------- d-----w C:\Program Files\McAfee.com
2008-01-12 23:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 23:33 --------- d-----w C:\Program Files\AntiVirus
2007-11-14 00:08 246 ----a-w C:\Program Files\Common Files\qucam
2007-07-28 03:28 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-28 03:21 409,250 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"pbmini"="C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe" [ ]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46 192512]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 20:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 20:03 118784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2004-06-01 21:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-27 13:05 180269]
"CFSServ.exe"="CFSServ.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"InCD"="C:\Program Files\Nero\InCD\InCD.exe" [2006-03-16 02:00 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-13 11:25 98304]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 15:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 16:01 86073]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9}]
C:\WINDOWS\system32\winsecurityxp\rk.exe -r -p mswinup.exe -p rk.exe -f winsecurityxp -v MSWindowsUpdate -tcp 22277 -udp 22277 -v %SystemDir%winsecurityxpmswinup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 23:50:57 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-12 23:50:55 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:03:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Danilo-11
2008-01-23, 22:34
Here's the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pbmini] C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://danilo-11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://danilo-11.spaces.live.com/PhotoUpload/MsnPUpld.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 7619 bytes
Hello,
You're doing well, just some leftovers.
C:\Program Files\Pcast
Read this about the program, then uninstall it via Add/Remove Programs in the Control Panel.
Description of PodcastbarMini
PodcastbarMini claims to be an online P2P TV broadcasting application. It advertises pop-ups and may download other malware.
Remove this entry with HJT.
O4 - HKCU\..\Run: [pbmini] C:\Program Files\Pcast\PodcastbarMini\PodcastBarMiniStater.exe
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::
File::
C:\WINDOWS\system32\tfcdflrj.ini
C:\WINDOWS\system32\vvbfbcjf.ini
C:\WINDOWS\system32\mocyjugv.ini
C:\WINDOWS\system32\tfqvhokg.ini
C:\WINDOWS\system32\xqxdiwku.ini
C:\WINDOWS\system32\pvjcdwlv.ini
C:\WINDOWS\system32\jtcbgtih.ini
C:\WINDOWS\system32\pqxmbqpq.ini
C:\WINDOWS\system32\jdmanntd.ini
Folder::
C:\VundoFix Backups
C:\Program Files\Pcast
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log, and also let me know how your system is running now.
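To show how the helper picked those nine entries out of the ComboFix log above, here is an added example (not ComboFix's, HijackThis's or the thread's own code) that parses ComboFix "Files Created" lines, flags the hidden+system, roughly 1 MB, random-named .ini files dropped directly in system32, and renders them as a CFScript File:: block. The sample lines are constructed copies of entries from the log; the 900,000-byte threshold and the 8-letter-name rule are assumptions drawn from the entries the helper chose.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix's "Files Created" format: created time, ".",
# modified time, size (or <DIR>), a 9-character attribute field, then the path.
SAMPLE_LOG = r"""
2008-01-22 21:40 . 2008-01-22 21:40 <DIR> d-------- C:\VundoFix Backups
2008-01-17 19:12 . 2003-09-25 15:39 102,481 --------- C:\WINDOWS\system32\stac97.cpl
2008-01-17 20:58 . 2008-01-17 20:58 268 --ah----- C:\sqmdata10.sqm
2008-01-08 20:11 . 2008-01-09 17:58 1,049,449 ---hs---- C:\WINDOWS\system32\tfcdflrj.ini
2008-01-01 08:52 . 2008-01-03 09:27 1,036,162 ---hs---- C:\WINDOWS\system32\vvbfbcjf.ini
2007-12-23 22:04 . 2007-12-25 00:16 990,639 ---hs---- C:\WINDOWS\system32\jdmanntd.ini
2008-01-12 17:55 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # created
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # modified
    r"(<DIR>|[\d,]+) "                        # size with thousands separators, or <DIR>
    r"([a-z-]{9}) "                           # attribute flags, e.g. ---hs----
    r"(.+)$"                                  # path (may contain spaces)
)


@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # raw 9-character attribute field
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_created(text: str) -> List[CreatedEntry]:
    """Parse every well-formed 'Files Created' line; headers and '.' spacers are skipped."""
    entries: List[CreatedEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(CreatedEntry(created, modified, size_bytes, attrs, path))
    return entries


# Assumed rule (derived from the entries the helper scripted for deletion):
# an 8-lowercase-letter .ini, hidden + system, about 1 MB, directly in system32.
RANDOM_INI = re.compile(r"^[a-z]{8}\.ini$")
SYSTEM32 = "c:\\windows\\system32\\"


def suspicious_system32_ini(entries: List[CreatedEntry], min_size: int = 900_000) -> List[CreatedEntry]:
    """Return the entries matching the data-file pattern cleaned in this thread."""
    hits: List[CreatedEntry] = []
    for e in entries:
        if e.is_dir or e.size < min_size:
            continue
        folder, _, name = e.path.rpartition("\\")
        if (folder + "\\").lower() != SYSTEM32:
            continue
        if e.hidden and e.system and RANDOM_INI.match(name):
            hits.append(e)
    return hits


def build_cfscript(files: List[CreatedEntry], folders=()) -> str:
    """Render File::/Folder:: directives, one path per line with no leading
    whitespace, since the post warns that nothing may precede File::."""
    lines: List[str] = []
    if files:
        lines.append("File::")
        lines.extend(e.path for e in files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_system32_ini(parse_created(SAMPLE_LOG))
    print(build_cfscript(flagged, folders=[r"C:\VundoFix Backups"]))
```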
Danilo-11
2008-01-24, 13:38
ComboFix:
(I deleted the first 10-15 lines, because the message was too long)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\uninstall.exe.bad
C:\WINDOWS\system32\bamijcau.ini
C:\WINDOWS\system32\bstkflek.ini
C:\WINDOWS\system32\cgsalylg.ini
C:\WINDOWS\system32\cqnelfjf.ini
C:\WINDOWS\system32\cvqbtirc.ini
C:\WINDOWS\system32\ddercmcf.ini
C:\WINDOWS\system32\edcdpabf.ini
C:\WINDOWS\system32\giogmrrb.ini
C:\WINDOWS\system32\gupumsbf.ini
C:\WINDOWS\system32\igrwfrll.ini
C:\WINDOWS\system32\ipoilbrr.ini
C:\WINDOWS\system32\jdmanntd.ini
C:\WINDOWS\system32\jhvdttpb.ini
C:\WINDOWS\system32\jibnifcj.ini
C:\WINDOWS\system32\jldpqnkr.ini
C:\WINDOWS\system32\jtcbgtih.ini
C:\WINDOWS\system32\kibipbfl.ini
C:\WINDOWS\system32\kxsbpouv.ini
C:\WINDOWS\system32\mocyjugv.ini
C:\WINDOWS\system32\mrtqdwii.ini
C:\WINDOWS\system32\mtdoesyk.ini
C:\WINDOWS\system32\mtreuhdl.ini
C:\WINDOWS\system32\oimaiwts.ini
C:\WINDOWS\system32\pqxmbqpq.ini
C:\WINDOWS\system32\pvjcdwlv.ini
C:\WINDOWS\system32\pytbmgtr.ini
C:\WINDOWS\system32\qgrrignt.ini
C:\WINDOWS\system32\sbulwloo.ini
C:\WINDOWS\system32\scdegjtp.ini
C:\WINDOWS\system32\tfcdflrj.ini
C:\WINDOWS\system32\tfqvhokg.ini
C:\WINDOWS\system32\tjanefhc.ini
C:\WINDOWS\system32\ucwkfxxg.ini
C:\WINDOWS\system32\uhnhopud.ini
C:\WINDOWS\system32\uikwhqjv.ini
C:\WINDOWS\system32\vvbfbcjf.ini
C:\WINDOWS\system32\wjgavpmx.ini
C:\WINDOWS\system32\xqxdiwku.ini
C:\WINDOWS\system32\yftpkier.ini
C:\WINDOWS\system32\ygyppjom.ini
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\Abbr
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\HOURS
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ProductCode
C:\Documents and Settings\Daniel\My Documents\YMBOLS~1
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Daniel\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\hydramedupd.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\WINDOWS\7search.dll
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\frexup3.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ankxlapu.dll
C:\WINDOWS\system32\atdetpak.dll
C:\WINDOWS\system32\axxckikv.dll
C:\WINDOWS\system32\bdpbwdds.ini
C:\WINDOWS\system32\caswgfen.ini
C:\WINDOWS\system32\cfcgfqrw.ini
C:\WINDOWS\system32\cqqsvwqx.dll
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dlbmipww.ini
C:\WINDOWS\system32\dmqjmfeu.ini
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drvlikr.dll
C:\WINDOWS\system32\drvxigr.dll
C:\WINDOWS\system32\dvqqqhed.dll
C:\WINDOWS\system32\ehiqqpxk.ini
C:\WINDOWS\system32\elgfnqsg.ini
C:\WINDOWS\system32\eqyapnvh.ini
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\ghatqkio.ini
C:\WINDOWS\system32\gpflbitj.dll
C:\WINDOWS\system32\gsjnufwu.dll
C:\WINDOWS\system32\gsqnfgle.dll
C:\WINDOWS\system32\hvnpayqe.dll
C:\WINDOWS\system32\hxmjsydg.dll
C:\WINDOWS\system32\ieahyupn.dll
C:\WINDOWS\system32\iiucvhrm.dll
C:\WINDOWS\system32\ivdktyby.dll
C:\WINDOWS\system32\jdbclbet.dll
C:\WINDOWS\system32\kaptedta.ini
C:\WINDOWS\system32\kbjfcwgn.dll
C:\WINDOWS\system32\kxpqqihe.dll
C:\WINDOWS\system32\lmptnrvv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\mvjnuneq.ini
C:\WINDOWS\system32\nefgwsac.dll
C:\WINDOWS\system32\ngaoiarn.dll
C:\WINDOWS\system32\ngwcfjbk.ini
C:\WINDOWS\system32\niertcrw.ini
C:\WINDOWS\system32\oikqtahg.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\oTt06e
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\ovhqwxlq.dll
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\pdeansru.dll
C:\WINDOWS\system32\pfcjvhaf.dll
C:\WINDOWS\system32\poprqoko.dll
C:\WINDOWS\system32\qbbvycgx.dll
C:\WINDOWS\system32\qenunjvm.dll
C:\WINDOWS\system32\qmraiivx.dll
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\sddwbpdb.dll
C:\WINDOWS\system32\smjabexx.ini
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\stlovlde.dll
C:\WINDOWS\system32\suodemev.dll
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\tdlmqbvv.dll
C:\WINDOWS\system32\teblcbdj.ini
C:\WINDOWS\system32\txhirdgx.ini
C:\WINDOWS\system32\uefmjqmd.dll
C:\WINDOWS\system32\upalxkna.ini
C:\WINDOWS\system32\ursnaedp.ini
C:\WINDOWS\system32\uwfunjsg.ini
C:\WINDOWS\system32\uyxxftbs.dllbox
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\vemedous.ini
C:\WINDOWS\system32\vidokcco.dll
C:\WINDOWS\system32\vllvgqhy.dll
C:\WINDOWS\system32\vvrntpml.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\whlxplva.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wqalsmhw.dll
C:\WINDOWS\system32\wrctrein.dll
C:\WINDOWS\system32\wrqfgcfc.dll
C:\WINDOWS\system32\wwpimbld.dll
C:\WINDOWS\system32\xgcyvbbq.ini
C:\WINDOWS\system32\xgdrihxt.dll
C:\WINDOWS\system32\xqwvsqqc.ini
C:\WINDOWS\system32\xviiarmq.ini
C:\WINDOWS\system32\xxebajms.dll
C:\WINDOWS\system32\ybytkdvi.ini
C:\WINDOWS\system32\yhqgvllv.ini
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-23 19:05 . 2008-01-23 19:05 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-22 18:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-21 21:03 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Irfanview
2008-01-21 20:45 . 1998-07-21 20:29 21 --a------ C:\WINDOWS\Ps_setup.ini
2008-01-17 20:58 . 2008-01-17 20:58 268 --ah----- C:\sqmdata10.sqm
2008-01-17 20:58 . 2008-01-17 20:58 244 --ah----- C:\sqmnoopt10.sqm
2008-01-17 19:20 . 2008-01-17 19:20 268 --ah----- C:\sqmdata09.sqm
2008-01-17 19:20 . 2008-01-17 19:20 244 --ah----- C:\sqmnoopt09.sqm
2008-01-17 19:12 . 2003-09-25 15:39 102,481 --------- C:\WINDOWS\system32\stac97.cpl
2008-01-17 19:11 . 2008-01-17 19:11 <DIR> d-------- C:\Program Files\SigmaTel
2008-01-17 19:11 . 2003-07-17 17:19 230,416 --a------ C:\WINDOWS\system32\drivers\stac97.sys
2008-01-16 00:18 . 2008-01-16 00:18 <DIR> d-------- C:\McAfee
2008-01-16 00:16 . 2008-01-16 00:16 <DIR> d-------- C:\SiteAdvisor
2008-01-16 00:02 . 2008-01-16 00:02 268 --ah----- C:\sqmdata08.sqm
2008-01-16 00:02 . 2008-01-16 00:02 244 --ah----- C:\sqmnoopt08.sqm
2008-01-15 23:59 . 2008-01-15 23:59 <DIR> d-------- C:\Program Files\Realtek
2008-01-15 23:58 . 2005-04-16 22:20 487,424 --a------ C:\WINDOWS\RtlExUpd.dll
2008-01-12 21:37 . 2008-01-12 21:37 268 --ah----- C:\sqmdata07.sqm
2008-01-12 21:37 . 2008-01-12 21:37 244 --ah----- C:\sqmnoopt07.sqm
2008-01-12 17:59 . 2008-01-24 04:54 11,119 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-12 17:57 . 2008-01-16 00:02 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-01-12 17:55 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-12 17:52 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-12 17:51 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-12 17:51 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-12 17:51 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-12 17:51 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-12 17:51 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-12 17:48 . 2008-01-12 17:51 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-12 17:46 . 2008-01-12 17:46 268 --ah----- C:\sqmdata06.sqm
2008-01-12 17:46 . 2008-01-12 17:46 244 --ah----- C:\sqmnoopt06.sqm
2008-01-12 17:30 . 2008-01-12 21:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-12 17:10 . 2008-01-12 17:10 268 --ah----- C:\sqmdata05.sqm
2008-01-12 17:10 . 2008-01-12 17:10 244 --ah----- C:\sqmnoopt05.sqm
2008-01-12 17:04 . 2008-01-12 17:04 268 --ah----- C:\sqmdata04.sqm
2008-01-12 17:04 . 2008-01-12 17:04 244 --ah----- C:\sqmnoopt04.sqm
2008-01-11 14:42 . 2008-01-21 21:09 16,808 --a------ C:\WINDOWS\BM4bb1e9b4.xml
2008-01-11 14:42 . 2008-01-22 18:04 21 --a------ C:\WINDOWS\pskt.ini
2008-01-09 18:34 . 2008-01-09 18:34 268 --ah----- C:\sqmdata03.sqm
2008-01-09 18:34 . 2008-01-09 18:34 244 --ah----- C:\sqmnoopt03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 10:45 --------- d-----w C:\Program Files\Firefox
2008-01-24 01:05 --------- d-----w C:\Program Files\McAfee
2008-01-21 00:45 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-18 04:34 --------- d-----w C:\Program Files\Adaware
2008-01-18 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 03:17 --------- d-----w C:\Program Files\FLV Player
2008-01-13 03:07 --------- d-----w C:\Program Files\QuickTime
2008-01-13 03:03 --------- d-----w C:\Program Files\Logitech
2008-01-13 03:02 --------- d-----w C:\Program Files\Limewire
2008-01-13 00:01 --------- d-----w C:\Program Files\McAfee.com
2008-01-12 23:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 23:33 --------- d-----w C:\Program Files\AntiVirus
2007-11-14 00:08 246 ----a-w C:\Program Files\Common Files\qucam
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-28 03:28 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-28 03:21 409,250 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-23_14.06.44.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 19:56:51 585,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 10:55:27 585,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 19:56:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 10:55:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 19:56:54 5,193,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-24 10:55:30 5,193,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-23 19:56:54 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 10:55:30 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 19:56:54 585,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 10:55:31 585,728 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-23 19:56:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 10:55:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-23 04:12:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-24 10:39:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-23 04:12:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-24 10:39:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-23 04:12:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-24 10:39:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46 192512]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-26 20:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-26 20:03 118784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2004-06-01 21:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-27 13:05 180269]
"CFSServ.exe"="CFSServ.exe" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"InCD"="C:\Program Files\Nero\InCD\InCD.exe" [2006-03-16 02:00 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-13 11:25 98304]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 15:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 16:01 86073]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
S2 0120261201136722mcinstcleanup;McAfee Application Installer Cleanup (0120261201136722);C:\WINDOWS\TEMP\012026~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9}]
C:\WINDOWS\system32\winsecurityxp\rk.exe -r -p mswinup.exe -p rk.exe -f winsecurityxp -v MSWindowsUpdate -tcp 22277 -udp 22277 -v %SystemDir%winsecurityxpmswinup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 23:50:57 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-12 23:50:55 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 05:00:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Danilo-11
2008-01-24, 13:41
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:30, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://danilo-11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://www.ppstream.com/bin/powerplayer.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://danilo-11.spaces.live.com/PhotoUpload/MsnPUpld.cab
O23 - Service: McAfee Application Installer Cleanup (0120261201136722) (0120261201136722mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\012026~1.EXE (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
--
End of file - 7745 bytes
Good Morning,
Your HJT log looks fine.
Run this system cleaner, there may be some bad files lurking in temp folders.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Things are looking good; how is your system behaving now?
Danilo-11
2008-01-24, 13:58
Thanks for all the help,
as you can imagine, my laptop is working much better:
- The physical memory right now is about 280Mb, when before it would have been close to 400Mb out of 512Mb.
- Now I don't get any pop-ups when I start the laptop; before I was getting at least 5 of them.
- I don't know about now, but before this last fix that I did this morning, I noticed that when I used Firefox, its memory usage seemed to keep on going up constantly. Do you know what might have caused that?
- My time on my laptop is still showing as military time, how can I fix it?
Hello,
Glad things are better for you. If Firefox gives you trouble, make sure you have the latest version, 2.0.0.11. If not, get it here; you can install it right over the current version.
http://www.mozilla.com/en-US/firefox/
As for military time, you can post in one of these forums for Windows issues.
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
If you install Spyware Blaster and Spyware Guard, do not enable the Tea Timer in Spybot Search and Destroy or they will conflict.
Here are some free programs to install; don't leave home without them.
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates / Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.
IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs.
Glad we could help.
Safe Surfn
Ken
Danilo-11
2008-01-25, 01:31
I'll give it a try on Saturday and let you know what happens.
Thanks.