View Full Version : Need help with Virus removal
Hi, I was installing sopcast and all the sudden I start getting popups so i disconnected the network but i guess it was too late, the damage was allready done. I been trying to get rid of it but no luck. please help. here is my hijack long. thanks in advance
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:59 AM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [zsmscc] rundll32.exe C:\WINDOWS\system32\zsmscc071001.dll mymain
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: 34121F39 - Unknown owner - C:\WINDOWS\system32\57572621.EXE (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmluYQ\command.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 5231 bytes
Anybody? Please help:sad:
i guess no one can help :(
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)
random/random
2008-03-01, 13:14
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the combofix log and a new HijackThis log as a reply to this topic.
Here is my log
ComboFix 08-03-01.3 - jjh 2008-03-01 16:07:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -5:00]
Running from: C:\Documents and Settings\jjh\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\cmdService
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.
2008-03-01 15:48 . 2008-03-01 15:48 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\ESET
2008-03-01 15:47 . 2008-03-01 15:47 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-03-01 15:46 . 2008-03-01 15:46 <DIR> d-------- C:\Program Files\ESET
2008-03-01 15:46 . 2008-03-01 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-01 15:36 . 2008-03-01 15:36 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-01 15:11 . 2008-03-01 15:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-01 13:17 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 13:17 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-01 13:17 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-01 13:17 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 13:17 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 13:17 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 13:17 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 13:17 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 13:17 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 13:09 . 2008-03-01 15:35 <DIR> d-------- C:\Documents and Settings\jjh\Contacts
2008-03-01 12:19 . 2008-03-01 14:11 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\uTorrent
2008-03-01 01:38 . 2008-03-01 15:09 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\Azureus
2008-03-01 00:53 . 2008-03-01 00:53 <DIR> d-------- C:\Program Files\Avira
2008-03-01 00:53 . 2008-03-01 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-01 00:51 . 2008-03-01 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-29 18:01 . 2008-03-01 15:23 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-02-29 17:43 . 2008-02-29 17:43 <DIR> d-------- C:\Program Files\Opera
2008-02-29 17:36 . 2008-02-29 17:37 <DIR> d-------- C:\Program Files\Java
2008-02-29 16:14 . 2008-03-01 15:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-29 15:45 . 2008-02-29 15:45 268 --ah----- C:\sqmdata02.sqm
2008-02-29 15:45 . 2008-02-29 15:45 244 --ah----- C:\sqmnoopt02.sqm
2008-02-29 15:16 . 2008-02-29 15:19 <DIR> d-------- C:\Program Files\PCDR5
2008-02-29 02:15 . 2008-02-29 02:15 268 --ah----- C:\sqmdata01.sqm
2008-02-29 02:15 . 2008-02-29 02:15 244 --ah----- C:\sqmnoopt01.sqm
2008-02-29 02:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-29 02:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-29 02:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-29 02:01 . 2008-02-29 02:01 268 --ah----- C:\sqmdata00.sqm
2008-02-29 02:01 . 2008-02-29 02:01 244 --ah----- C:\sqmnoopt00.sqm
2008-02-29 01:10 . 2008-02-29 01:47 <DIR> d-------- C:\VundoFix Backups
2008-02-29 01:08 . 2008-02-29 01:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-29 00:27 . 2008-02-29 00:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 00:13 . 2004-03-10 21:54 385,536 --a------ C:\WINDOWS\system32\drivers\TNET1130x.sys
2008-02-29 00:13 . 2004-03-10 21:13 84,644 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-02-29 00:13 . 2004-03-10 21:13 83,024 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-02-27 20:43 . 2008-02-29 16:05 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2008-02-27 17:50 . 2004-08-04 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-27 17:36 . 2008-02-27 17:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-27 15:53 . 2008-02-27 16:34 1,242 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-27 15:41 . 2008-02-28 22:32 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-02-26 21:59 . 2008-02-26 22:20 261 --a------ C:\WINDOWS\wininit.ini
2008-02-26 12:49 . 2008-02-26 12:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 12:49 . 2008-02-26 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 12:00 . 2008-02-26 12:24 354 ---hs---- C:\WINDOWS\system32\vnxbxebq.ini
2008-02-26 11:58 . 2008-02-26 12:46 67,844 --a------ C:\WINDOWS\BM8f0d834e.xml
2008-02-26 11:58 . 2008-02-26 12:41 22 --a------ C:\WINDOWS\pskt.ini
2008-02-26 11:40 . 2008-02-26 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-26 10:57 . 2008-02-26 10:57 <DIR> d-------- C:\Program Files\JavaCore
2008-02-25 23:02 . 2008-02-25 23:02 <DIR> d-------- C:\WINDOWS\system32\jk8
2008-02-25 23:02 . 2008-03-01 13:00 <DIR> d-------- C:\WINDOWS\system32\hc4
2008-02-25 23:02 . 2008-02-26 10:51 <DIR> d-------- C:\WINDOWS\system32\cb2
2008-02-25 23:02 . 2008-02-27 17:20 <DIR> d-------- C:\WINDOWS\system32\ax3
2008-02-25 23:02 . 2008-02-26 23:03 <DIR> d-------- C:\Temp
2008-02-25 22:07 . 2008-02-26 11:48 <DIR> d-------- C:\Program Files\uTorrent
2008-02-25 19:59 . 2008-02-25 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-25 19:58 . 2008-02-25 19:58 <DIR> d-------- C:\Program Files\Azureus
2008-02-25 18:47 . 2008-03-01 01:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 18:47 . 2008-02-25 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 18:44 . 2008-02-25 18:44 <DIR> d-------- C:\Program Files\Common Files\SONY Digital Images
2008-02-25 18:42 . 2008-02-25 18:42 <DIR> d-------- C:\SmartSound Software
2008-02-25 18:41 . 2008-02-25 18:41 <DIR> d-------- C:\Program Files\SmartSound Software
2008-02-25 18:41 . 2008-02-25 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-02-25 18:40 . 2008-02-25 18:40 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-02-25 18:40 . 2008-02-25 18:40 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-25 18:39 . 2008-02-25 18:41 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-25 18:39 . 2008-02-25 18:39 <DIR> d-------- C:\Program Files\Windows Media Components
2008-02-25 18:39 . 2008-02-25 18:40 <DIR> d-------- C:\Program Files\QuickTime
2008-02-25 18:39 . 2008-02-25 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-25 18:38 . 2008-02-25 18:38 <DIR> d-------- C:\Program Files\Ulead Systems
2008-02-25 18:38 . 2008-02-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-02-25 18:38 . 2008-02-25 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-25 18:33 . 2008-02-25 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-25 18:32 . 2008-02-25 18:32 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-25 18:30 . 2008-02-25 18:34 <DIR> d-------- C:\Program Files\Sonic
2008-02-25 18:30 . 2008-02-25 18:30 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-25 17:33 . 2008-02-25 17:33 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-25 17:13 . 2008-02-25 17:13 <DIR> d-------- C:\Program Files\Webteh
2008-02-25 17:10 . 2008-02-25 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 17:10 . 2008-02-25 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Anvsoft
2008-02-25 17:09 . 2008-02-25 17:09 <DIR> d-------- C:\Program Files\Wedding Album Maker Gold
2008-02-25 16:10 . 2008-02-25 16:10 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-02-25 16:06 . 2008-02-25 16:06 <DIR> d-------- C:\WINDOWS\Sun
2008-02-25 15:36 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 15:34 . 2008-02-25 15:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-23 20:58 . 2003-12-02 19:47 184,320 --a------ C:\WINDOWS\system32\drivers\rtl8180.sys
2008-02-23 14:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-23 14:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-23 14:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-23 14:08 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-02-21 22:07 . 2008-02-21 22:07 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Program Files\Broadcom
2008-02-20 22:02 . 2008-02-21 22:07 <DIR> d-------- C:\SWSetup
2008-02-20 22:02 . 2007-06-28 15:11 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-02-20 19:27 . 2008-02-20 19:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 03:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 05:13 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DBD02A3-1428-4EC8-B98F-878E44D8FEA9}]
C:\WINDOWS\system32\ssqpo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632ba930-87b4-4caa-8abb-bdd123ae637e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0CC7FA-46E7-4D7C-69B6-409F78574D3B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-01 00:55 249896]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kgjyotcz]
kgjyotcz.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c3eb0d2]
C:\WINDOWS\system32\qbexbxnv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2007-08-23 14:48 53248 C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f0d834e]
C:\WINDOWS\system32\ecstiptc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-03-23 13:13 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2007-10-03 15:15 480560 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 13:13 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 13:17 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-03-23 13:17 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
--a------ 2008-02-26 10:57 144896 C:\Program Files\JavaCore\JavaCore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MapEDC]
C:\Program Files\MapEDC\MapEDC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-03-23 13:17 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2007-08-06 19:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-25 18:40 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2003-12-19 02:00]
R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys [2004-03-10 21:54]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-05-14 12:21]
S3 igfx;igfx;C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2006-11-05 20:29]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;C:\WINDOWS\system32\DRIVERS\rtl8180.SYS [2003-12-02 19:47]
S4 34121F39;34121F39;C:\WINDOWS\system32\57572621.EXE []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 16:10:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-01 16:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 21:13:18
.
2008-03-01 20:23:16 --- E O F ---
This is my hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:45 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DBD02A3-1428-4EC8-B98F-878E44D8FEA9} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {e736ea32-1ddb-bba8-aac4-4b78039ab236} - {632ba930-87b4-4caa-8abb-bdd123ae637e} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {AC0CC7FA-46E7-4D7C-69B6-409F78574D3B} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: kgjyotcz - kgjyotcz.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 6931 bytes
random/random
2008-03-02, 11:17
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
Then close all windows except HijackThis and click Fix Checked
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Folder::
C:\VundoFix Backups
C:\Program Files\JavaCore
C:\WINDOWS\system32\jk8
C:\WINDOWS\system32\hc4
C:\WINDOWS\system32\cb2
C:\WINDOWS\system32\ax3
C:\Program Files\MapEDC
C:\Program Files\NoDNS
File::
C:\WINDOWS\system32\vnxbxebq.ini
C:\WINDOWS\BM8f0d834e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\57572621.EXE
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DBD02A3-1428-4EC8-B98F-878E44D8FEA9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632ba930-87b4-4caa-8abb-bdd123ae637e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0CC7FA-46E7-4D7C-69B6-409F78574D3B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kgjyotcz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c3eb0d2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f0d834e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MapEDC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
Driver::
34121F39
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
thanks random for your help...here is my log after the procedures give above...
ComboFix 08-03-01.3 - jjh 2008-03-02 11:59:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.696 [GMT -5:00]
Running from: C:\Documents and Settings\jjh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jjh\Desktop\CFscript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\BM8f0d834e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\57572621.EXE
C:\WINDOWS\system32\vnxbxebq.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\VundoFix Backups
C:\WINDOWS\BM8f0d834e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ax3
C:\WINDOWS\system32\cb2
C:\WINDOWS\system32\hc4
C:\WINDOWS\system32\jk8
C:\WINDOWS\system32\jk8\propbar68.exe
C:\WINDOWS\system32\vnxbxebq.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_34121F39
-------\34121F39
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.
2008-03-02 11:55 . 2008-03-02 11:55 <DIR> d-------- C:\Program Files\Java
2008-03-02 11:55 . 2008-03-02 11:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 11:55 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 21:36 . 2008-03-01 21:36 <DIR> d-------- C:\Program Files\Sygate
2008-03-01 21:36 . 2008-03-01 21:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 21:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-01 21:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-01 21:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-01 21:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-01 21:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-01 21:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-01 21:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-01 19:36 . 2008-03-01 19:36 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\vlc
2008-03-01 15:48 . 2008-03-01 15:48 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\ESET
2008-03-01 15:46 . 2008-03-01 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-01 15:36 . 2008-03-01 15:36 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-01 15:11 . 2008-03-01 15:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-01 13:17 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 13:17 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-01 13:17 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-01 13:17 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 13:17 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 13:17 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 13:17 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 13:17 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 13:17 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 13:09 . 2008-03-01 15:35 <DIR> d-------- C:\Documents and Settings\jjh\Contacts
2008-03-01 12:19 . 2008-03-01 23:55 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\uTorrent
2008-03-01 01:38 . 2008-03-01 20:46 <DIR> d-------- C:\Documents and Settings\jjh\Application Data\Azureus
2008-03-01 00:53 . 2008-03-01 00:53 <DIR> d-------- C:\Program Files\Avira
2008-03-01 00:53 . 2008-03-01 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-01 00:51 . 2008-03-01 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-29 18:01 . 2008-03-01 15:23 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-02-29 17:43 . 2008-02-29 17:43 <DIR> d-------- C:\Program Files\Opera
2008-02-29 16:14 . 2008-03-01 15:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-29 15:45 . 2008-02-29 15:45 268 --ah----- C:\sqmdata02.sqm
2008-02-29 15:45 . 2008-02-29 15:45 244 --ah----- C:\sqmnoopt02.sqm
2008-02-29 15:16 . 2008-02-29 15:19 <DIR> d-------- C:\Program Files\PCDR5
2008-02-29 02:15 . 2008-02-29 02:15 268 --ah----- C:\sqmdata01.sqm
2008-02-29 02:15 . 2008-02-29 02:15 244 --ah----- C:\sqmnoopt01.sqm
2008-02-29 02:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-29 02:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-29 02:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-29 02:01 . 2008-02-29 02:01 268 --ah----- C:\sqmdata00.sqm
2008-02-29 02:01 . 2008-02-29 02:01 244 --ah----- C:\sqmnoopt00.sqm
2008-02-29 01:08 . 2008-02-29 01:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-29 00:27 . 2008-02-29 00:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 00:13 . 2004-03-10 21:54 385,536 --a------ C:\WINDOWS\system32\drivers\TNET1130x.sys
2008-02-29 00:13 . 2004-03-10 21:13 84,644 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-02-29 00:13 . 2004-03-10 21:13 83,024 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-02-27 20:43 . 2008-02-29 16:05 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2008-02-27 17:50 . 2004-08-04 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-27 17:36 . 2008-02-27 17:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-27 15:53 . 2008-02-27 16:34 1,242 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-27 15:41 . 2008-02-28 22:32 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-02-26 21:59 . 2008-02-26 22:20 261 --a------ C:\WINDOWS\wininit.ini
2008-02-26 12:49 . 2008-02-26 12:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 12:49 . 2008-02-26 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 11:40 . 2008-02-26 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 23:02 . 2008-02-26 23:03 <DIR> d-------- C:\Temp
2008-02-25 22:07 . 2008-02-26 11:48 <DIR> d-------- C:\Program Files\uTorrent
2008-02-25 19:59 . 2008-02-25 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-25 19:58 . 2008-02-25 19:58 <DIR> d-------- C:\Program Files\Azureus
2008-02-25 18:47 . 2008-03-01 01:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 18:47 . 2008-02-25 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 18:44 . 2008-02-25 18:44 <DIR> d-------- C:\Program Files\Common Files\SONY Digital Images
2008-02-25 18:42 . 2008-02-25 18:42 <DIR> d-------- C:\SmartSound Software
2008-02-25 18:41 . 2008-02-25 18:41 <DIR> d-------- C:\Program Files\SmartSound Software
2008-02-25 18:41 . 2008-02-25 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-02-25 18:40 . 2008-02-25 18:40 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-02-25 18:40 . 2008-02-25 18:40 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-25 18:39 . 2008-02-25 18:41 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-25 18:39 . 2008-02-25 18:39 <DIR> d-------- C:\Program Files\Windows Media Components
2008-02-25 18:39 . 2008-02-25 18:40 <DIR> d-------- C:\Program Files\QuickTime
2008-02-25 18:39 . 2008-02-25 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-25 18:38 . 2008-02-25 18:38 <DIR> d-------- C:\Program Files\Ulead Systems
2008-02-25 18:38 . 2008-02-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-02-25 18:38 . 2008-02-25 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-25 18:33 . 2008-02-25 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-25 18:32 . 2008-02-25 18:32 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-25 18:30 . 2008-02-25 18:34 <DIR> d-------- C:\Program Files\Sonic
2008-02-25 18:30 . 2008-02-25 18:30 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-25 17:33 . 2008-02-25 17:33 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-25 17:13 . 2008-02-25 17:13 <DIR> d-------- C:\Program Files\Webteh
2008-02-25 17:10 . 2008-02-25 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 17:10 . 2008-02-25 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Anvsoft
2008-02-25 17:09 . 2008-02-25 17:09 <DIR> d-------- C:\Program Files\Wedding Album Maker Gold
2008-02-25 16:10 . 2008-02-25 16:10 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-02-25 16:06 . 2008-02-25 16:06 <DIR> d-------- C:\WINDOWS\Sun
2008-02-23 20:58 . 2003-12-02 19:47 184,320 --a------ C:\WINDOWS\system32\drivers\rtl8180.sys
2008-02-23 14:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-23 14:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-23 14:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-23 14:08 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-02-21 22:07 . 2008-02-21 22:07 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Program Files\Broadcom
2008-02-20 22:02 . 2008-02-21 22:07 <DIR> d-------- C:\SWSetup
2008-02-20 22:02 . 2007-06-28 15:11 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-02-20 19:27 . 2008-02-20 19:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-02-20 19:26 . 2008-02-20 21:30 <DIR> d-------- C:\Intel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 03:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 05:13 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-03-01 00:55 249896 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2007-08-23 14:48 53248 C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-03-23 13:13 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2007-10-03 15:15 480560 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-03-23 13:13 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-03-23 13:17 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-03-23 13:17 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-03-23 13:17 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2007-08-06 19:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-25 18:40 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2003-12-19 02:00]
R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys [2004-03-10 21:54]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-05-14 12:21]
S3 igfx;igfx;C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2006-11-05 20:29]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;C:\WINDOWS\system32\DRIVERS\rtl8180.SYS [2003-12-02 19:47]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 12:03:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2008-03-02 12:05:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-02 17:05:28
ComboFix2.txt 2008-03-01 21:13:22
.
2008-03-01 20:23:16 --- E O F ---
random/random
2008-03-02, 23:07
Go here (http://www.eset.eu/online-scanner) to run an online scannner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
Hello
Online scanner long
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2918 (20080303)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2e7151d1216caf4e8b8a28279f3bcfe8
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-03 10:27:56
# local_time=2008-03-03 05:27:56 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=200941
# found=0
# scan_time=6063
Hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:32 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{08DA6C1D-2621-4231-B328-284AFF7CE9F5}: NameServer = 167.206.254.1,167.206.254.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 6071 bytes
Problem i am having is that when ever i tried to delete any .exe file that I downloaded to install program it gives me error message saying it is being used by another program, even though they are not being used. I tried many .exe files sitting on my hard drive all of them same thing.
Secondly I have tooo many SVhost.exe files running in the task manager and they are using a lot memory.
I had some serious virus and trojan problem when i first started this thread, i figured until any one of you experts reply let me try to look through the forum and try to clean it up. since i am not expert at it i figured its better and safe to make suer that my system is clean rather than assuming.
I really appreciate you taking your time out and helping me.
log shoes 4 svchost.exe running but i counted them they are 7 all together. for 4 svchost it says user name: system and for 3 it says user name: network service.
also i was trying to add file to archive and was browsing through in C:\Documents and Settings i saw two more users folder 1-Network Service and 2-System. but they dont show when i browsed C:\Documents and Settings using my computer, i do have show hidden files folder option shown and i do see some semi visible files. I dont know if its normal and i am just being paranoid.
one last thing when i click on tools----folder options---view---in hidden file and folder options both Do Not show hidden files and folders and show hidden files and folders options are checked at the same time.
in the previouse post i meant to say svchost not svhost.
random/random
2008-03-04, 16:39
Most of what you've described is normal. However, there is one thing that really worries me and that's this, which may be an indication of a file infector:
Problem i am having is that when ever i tried to delete any .exe file that I downloaded to install program it gives me error message saying it is being used by another program, even though they are not being used. I tried many .exe files sitting on my hard drive all of them same thing.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process.
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply
Also:
Can you delete files that are not exes?
How are you attempting to delete them?