Virtumonde
mjk90123
2008-04-23, 23:55
Hi,
I could not do a Kaspersky scan because my Internet Explorer is broken for some reason. Also, I rebooted in safe mode and deleted almost everything that came up in red on Spybot. I could not get rid of this one virtumonde.dll thing... it kept coming back.
here is my hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:11 PM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\mpcjalyz.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - C:\WINDOWS\System32\urqnomMe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\SYSTEM32\urqnomMe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 8449 bytes
thank you ahead of time!
Rorschach112
2008-04-24, 01:30
Hello
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console, read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
mjk90123
2008-04-24, 04:46
hi,
here is the log from the combofix:
ComboFix 08-04-22.5 - Owner 2008-04-23 9:17:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.117 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\PC-Cleaner
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191374278.old
C:\Program Files\WinBudget\bin\crap.1192236630.old
C:\Program Files\WinBudget\bin\crap.1192416340.old
C:\Program Files\WinBudget\bin\crap.1193186439.old
C:\Program Files\WinBudget\bin\crap.1193803034.old
C:\Program Files\WinBudget\bin\crap.1195094283.old
C:\Program Files\WinBudget\bin\crap.1195765298.old
C:\Program Files\WinBudget\bin\crap.1198543873.old
C:\Program Files\WinBudget\bin\crap.1199767056.old
C:\Program Files\WinBudget\bin\crap.1201125882.old
C:\Program Files\WinBudget\bin\crap.1201295969.old
C:\Program Files\WinBudget\bin\crap.1201897821.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192236629.old
C:\Program Files\WinBudget\bin\matrix.dll.1192416340.old
C:\Program Files\WinBudget\bin\matrix.dll.1193186438.old
C:\Program Files\WinBudget\bin\matrix.dll.1193803033.old
C:\Program Files\WinBudget\bin\matrix.dll.1195094282.old
C:\Program Files\WinBudget\bin\matrix.dll.1195765297.old
C:\Program Files\WinBudget\bin\matrix.dll.1198543872.old
C:\Program Files\WinBudget\bin\matrix.dll.1199767055.old
C:\Program Files\WinBudget\bin\matrix.dll.1201125881.old
C:\Program Files\WinBudget\bin\matrix.dll.1201295969.old
C:\Program Files\WinBudget\bin\matrix.dll.1201897820.old
C:\Program Files\WinBudget\bin\matrix.dll.1202001824.old
C:\Program Files\WinBudget\bin\tempzor
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\ahqagbki.ini
C:\WINDOWS\system32\bHRAKnpo.ini
C:\WINDOWS\system32\bHRAKnpo.ini2
C:\WINDOWS\system32\ikbgaqha.dll
C:\WINDOWS\system32\ljJdExUN.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\NUxEdJjl.ini
C:\WINDOWS\system32\NUxEdJjl.ini2
C:\WINDOWS\system32\orbjhdou.ini
C:\WINDOWS\system32\uodhjbro.dll
C:\WINDOWS\system32\urqnomMe.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.
2008-04-23 17:15 . 2008-04-23 17:15 98,304 --a------ C:\WINDOWS\system32\jynuzypq.exe
2008-04-23 16:47 . 2008-04-23 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 00:22 . 2008-04-23 16:42 496 --a------ C:\WINDOWS\wininit.ini
2008-04-21 23:48 . 2008-04-21 23:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-21 23:48 . 2008-04-21 23:48 2,543 --a------ C:\WINDOWS\unins000.dat
2008-04-21 23:22 . 2008-04-21 23:28 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2008-04-21 21:25 . 2008-04-21 22:18 1,540,617 --ahs---- C:\WINDOWS\system32\ahykoqtl.ini
2008-04-21 21:14 . 2008-04-21 21:14 102,400 --a------ C:\WINDOWS\system32\afenkhyn.exe
2008-04-20 12:53 . 2008-04-20 12:53 106,496 --a------ C:\WINDOWS\system32\ihsrihgx.exe
2008-04-20 00:52 . 2008-04-20 20:49 294 --ahs---- C:\WINDOWS\system32\vkneanhi.ini
2008-04-19 19:30 . 2008-04-19 19:30 <DIR> d-------- C:\WINDOWS\resources
2008-04-19 16:08 . 2008-04-19 16:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 12:31 . 2008-04-19 12:31 <DIR> d-------- C:\Documents and Settings\michie\Application Data\TmpRecentIcons
2008-04-19 12:18 . 2008-04-19 12:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-19 11:34 . 2008-04-19 13:57 474 --ahs---- C:\WINDOWS\system32\jqodrsdc.ini
2008-04-18 21:37 . 2008-04-18 21:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-18 20:37 . 2008-04-18 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\kvsxqfav
2008-04-18 20:37 . 2008-04-18 20:37 106,496 --a------ C:\WINDOWS\system32\mpcjalyz.exe
2008-04-18 20:37 . 2008-04-18 11:48 98,304 --a------ C:\WINDOWS\rtqmekwg.exe
2008-04-18 20:37 . 2008-04-18 11:48 94,208 --a------ C:\WINDOWS\npqtsrak.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 02:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-02 04:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 05:40 --------- d-----w C:\Program Files\ArcSoft
2008-03-28 05:38 --------- d-----w C:\Program Files\Common Files\Real
2008-03-28 05:37 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-24 02:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-16 06:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 20:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2007-11-13 03:16 44,832 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-09-03 22:15 44,832 -c--a-w C:\Documents and Settings\michie\Application Data\GDIPFONTCACHEV1.DAT
2007-05-27 21:57 87,608 -c--a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-27 21:57 47,360 -c--a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.
------- Sigcheck -------
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
-c--a-w 28,176 2007-10-03 01:10:07 C:\hp\KBD\KBD.EXE
-c--a-w 67,112 2006-08-01 19:35:36 C:\Program Files\AIM\bak\aim.exe
----a-w 67,112 2006-08-01 19:35:36 C:\Program Files\AIM\aim.exe
-c--a-w 48,280 2006-03-10 22:22:57 C:\Program Files\Common Files\AOL\1183143937\EE\bak\AOLSoftware.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Common Files\AOL\1183143937\EE\AOLSoftware.exe
-c--a-r 34,904 2004-10-20 14:40:04 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
-c--a-w 155,648 2003-02-13 15:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
----a-w 68,856 2007-07-17 00:19:40 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
-c--a-w 69,632 2002-06-22 14:27:42 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
----a-w 90,112 2002-10-07 05:23:20 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
-c--a-w 69,632 2002-04-18 00:42:56 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
-c--a-w 271,672 2007-08-16 00:15:24 C:\Program Files\iTunes\bak\iTunesHelper.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\iTunes\iTunesHelper.exe
-c--a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
-c--a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\Program Files\QuickTime\qttask.exe
-c--a-w 208,953 2002-08-29 12:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
-c--a-w 208,953 2002-08-29 12:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe
-c--a-w 145,408 2002-08-29 12:00:00 C:\WINDOWS\PCHealth\HelpCtr\Binaries\bak\MSConfig.exe
-c--a-w 145,408 2002-08-29 12:00:00 C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
-c--a-w 212,992 2002-09-14 04:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
-c--a-w 28,176 2007-10-03 01:10:07 C:\WINDOWS\SMINST\RECGUARD.EXE
-c--a-w 185 2008-04-23 13:30:12 C:\WINDOWS\system\bak\hpsysdrv.DAT
-c--a-w 247 2007-09-12 02:44:48 C:\WINDOWS\system\hpsysdrv.dat
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 28,176 2007-10-03 01:10:07 C:\WINDOWS\system\hpsysdrv.exe
-c--a-w 13,312 2002-08-29 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 13,312 2002-08-29 12:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 114,688 2003-03-12 00:11:56 C:\WINDOWS\system32\bak\hkcmd.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\WINDOWS\system32\hkcmd.exe
-c--a-w 81,920 2002-10-16 22:57:10 C:\WINDOWS\system32\bak\ps2.exe
-c--a-w 28,176 2007-10-03 01:10:07 C:\WINDOWS\system32\ps2.exe
-c--a-w 59,392 2002-08-29 12:00:00 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
-c--a-w 59,392 2002-08-29 12:00:00 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
-c--a-w 455,168 2002-08-29 12:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
-c--a-w 455,168 2002-08-29 12:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{677C004A-E528-4984-B6B3-06CD34E16BD0}]
C:\WINDOWS\System32\opnKARHb.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00 13312]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-02 21:10 28176]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08 1511453]
"eqpjwoal"="C:\WINDOWS\system32\mpcjalyz.exe" [2008-04-18 20:37 106496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 08:00 145408]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 08:00 208953]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2007-10-02 21:10 28176]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-10-02 21:10 28176]
"HostManager"="C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe" [2007-10-02 21:10 28176]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-10-02 21:10 28176]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 23:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00 59392]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-10-02 21:10 28176]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 01:23 90112]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-10-02 21:10 28176]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2007-10-02 21:10 28176]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2007-10-02 21:10 28176]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2007-10-02 21:10 28176]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-10-02 21:10 28176]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-02 21:10 28176]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-10-02 21:10 28176]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2002-08-21 19:48:26 40960]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 10:11:14 27136]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2002-08-21 19:48:26 40960]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 10:11:14 27136]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 07:21:36 552960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"scNHCXc3NG"= C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-21 01:08 1511453 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2003-03-03 14:44 4595712 C:\WINDOWS\System32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a--c--- 2003-03-03 14:44 831557 C:\WINDOWS\system32\nview.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-03-03 14:44 323584 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-02 21:10 28176 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 01:38:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-26 03:43:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2005-12-01 04:25:58 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125457009.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-23 22:29:45 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183088489.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 09:27:33
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-04-23 9:39:04 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-23 13:39:01
Pre-Run: 6,613,495,808 bytes free
Post-Run: 8,137,703,424 bytes free
258
and here is the new hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:23 AM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mpcjalyz.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\windows\system\bak\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 7717 bytes
Thank you so much for helping me!
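The HijackThis entries a helper would zero in on in the log above are the two O4 lines with machine-generated names (`[eqpjwoal]` → `mpcjalyz.exe`, and `[scNHCXc3NG]` → `knkfgzad.exe` under a random folder in All Users\Application Data, loaded from the seldom-used Policies\Explorer\Run key) and the three O15 Trusted Zone additions. The script below is an added example, not part of this thread or of HijackThis: it parses O4/O15/R3 lines and applies those heuristics. The sample lines are copied from the posted log; the naming rules and the `KNOWN_GOOD` allowlist (hpsysdrv is a legitimate eight-letter name on this machine) are this example's own assumptions and need analyst review, not blind action.

```python
"""Triage heuristics for HijackThis O4 (autostart), O15 (Trusted Zone) and
R3 (URLSearchHook) lines.

Added example for this thread, not part of HijackThis or of the original
posts. The sample lines are copied from the log above; the scoring rules and
the KNOWN_GOOD allowlist are this example's own assumptions.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: str
    reasons: List[str]


O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)")
EIGHT_LOWER = re.compile(r"^[a-z]{8}$")            # mpcjalyz, knkfgzad, kvsxqfav
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\")
KNOWN_GOOD = {"hpsysdrv"}                          # legit 8-letter name seen on this box

# Constructed sample: O4/O15/O23 lines taken from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O15 - Trusted Zone: *.doginhispen.com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()


def looks_generated(token: str) -> bool:
    """Heuristic for Vundo-style names: eight lowercase letters, or a mixed-case
    alphanumeric blob with an interior digit and at least three case flips
    (scNHCXc3NG). System32, jusched and SunJavaUpdateSched all fail it."""
    if token.lower() in KNOWN_GOOD:
        return False
    if EIGHT_LOWER.match(token):
        return True
    if not (8 <= len(token) <= 12 and token.isalnum()
            and re.search(r"[A-Za-z]\d[A-Za-z]", token)):
        return False
    cases = [c.isupper() for c in token if c.isalpha()]
    return sum(a != b for a, b in zip(cases, cases[1:])) >= 3


def image_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage_line(line: str) -> List[str]:
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        hive, name, cmd = m.group("hive", "name", "cmd")
        parts = image_path(cmd).replace("/", "\\").split("\\")
        base = parts[-1].rsplit(".", 1)[0]
        if looks_generated(name):
            reasons.append("value name looks machine-generated: " + name)
        if looks_generated(base):
            reasons.append("image name looks machine-generated: " + parts[-1])
        if len(parts) > 1 and looks_generated(parts[-2]):
            reasons.append("parent folder looks machine-generated: " + parts[-2])
        if "policies\\explorer\\run" in hive.lower():
            reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
        if any(d in "\\".join(parts).lower() for d in DATA_DIRS):
            reasons.append("autostart image lives under an application-data directory")
        return reasons
    m = O15_RE.match(line)
    if m:
        reasons.append("Trusted Zone entry %s lowers IE security for that domain; "
                       "confirm it was added deliberately" % m.group("domain"))
    elif line.startswith("R3 - URLSearchHook") and "(no file)" in line:
        reasons.append("orphaned URLSearchHook (no file); harmless, fix to tidy up")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        ln = raw.strip()
        if ln:
            reasons = triage_line(ln)
            if reasons:
                findings.append(Finding(ln, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports only the three lines named above; KBD, jusched, ctfmon and the NVIDIA service pass clean. The point of the allowlist is that "eight lowercase letters" is a coarse signal: it is a strong tell on this box only because every Vundo artefact here (mpcjalyz, knkfgzad, kvsxqfav, jynuzypq, ...) fits it, and one legitimate HP file does too.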
Rorschach112
2008-04-24, 15:24
Hello
1. Close any open browsers.
2. Open Notepad and copy/paste the text in the quote box below into it:
KillAll::
File::
C:\WINDOWS\system32\jynuzypq.exe
C:\WINDOWS\system32\ahykoqtl.ini
C:\WINDOWS\system32\afenkhyn.exe
C:\WINDOWS\system32\ihsrihgx.exe
C:\WINDOWS\system32\vkneanhi.ini
C:\WINDOWS\system32\jqodrsdc.ini
C:\WINDOWS\system32\mpcjalyz.exe
C:\WINDOWS\rtqmekwg.exe
C:\WINDOWS\npqtsrak.exe
Folder::
C:\Documents and Settings\All Users\Application Data\kvsxqfav
AWF::
C:\hp\KBD\bak\KBD.EXE
C:\Program Files\AIM\bak\aim.exe
C:\Program Files\Common Files\AOL\1183143937\EE\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\bak\MSConfig.exe
C:\WINDOWS\SMINST\bak\RECGUARD.EXE
C:\WINDOWS\system\bak\hpsysdrv.DAT
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\ps2.exe
C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Reboot and post a new HijackThis log.
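The AWF:: section of the script above lists the displaced originals of the executables this infection swapped out: the real program was moved into a `bak\` subfolder beside it and the original slot was filled with a copy of the dropper (the ComboFix snapshot later in the thread shows the tell: RECGUARD.EXE, hpsysdrv.exe, hkcmd.exe and ps2.exe all carrying the same size, 28,176 bytes, and the same timestamp, 2007-10-03 01:10:07). The script below is an added example, not ComboFix's code and not part of the thread: it finds that pattern by walking for `bak\` folders, confirms the live file differs from the `bak\` copy, clusters the live files by hash so one binary recurring in unrelated directories stands out as the dropper, and then restores the originals while parking the impostors in a quarantine folder. The directory layout it builds is constructed for the demo; the file contents are dummies.

```python
"""Find and undo the bak\ executable swap that the AWF:: list above targets.

Added example for this thread, not ComboFix's code. Assumption being modelled:
for every <dir>\bak\<name> the displaced original lives in bak\ and <dir>\<name>
is a copy of the dropper, so one hash recurring across unrelated directories is
the dropper's signature. The directory tree built here is constructed.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

EXE_EXT = (".exe", ".dat", ".scr", ".com")

# Constructed fixture: three of the paths from the AWF:: list, each with a
# dummy "original" that will sit in bak\ while the live slot holds the dropper.
ORIGINALS = {
    ("WINDOWS", "SMINST", "RECGUARD.EXE"): b"MZ original recguard",
    ("WINDOWS", "system", "hpsysdrv.exe"): b"MZ original hpsysdrv",
    ("WINDOWS", "system32", "ps2.exe"): b"MZ original ps2",
}
DROPPER = b"MZ" + b"\x90" * (28176 - 2)   # identical 28,176-byte blob everywhere


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swaps(root):
    """[(live, bak, live_hash)] for every <dir>\bak\<name> whose sibling
    <dir>\<name> exists with different content. A bak\ copy identical to
    its sibling is somebody's backup, not a swap, and is ignored."""
    swaps = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in files:
            live, bak = os.path.join(parent, name), os.path.join(dirpath, name)
            if name.lower().endswith(EXE_EXT) and os.path.isfile(live):
                digest = sha256(live)
                if digest != sha256(bak):
                    swaps.append((live, bak, digest))
    return swaps


def dropper_clusters(swaps, min_locations=2):
    """Hashes of live files that recur in several locations -> the dropper."""
    by_hash = defaultdict(list)
    for live, _bak, digest in swaps:
        by_hash[digest].append(live)
    return {d: p for d, p in by_hash.items() if len(p) >= min_locations}


def restore_originals(swaps, quarantine):
    """Park each impostor in quarantine and move the bak\ original back."""
    os.makedirs(quarantine, exist_ok=True)
    restored = []
    for i, (live, bak, digest) in enumerate(swaps):
        parked = os.path.join(quarantine, "%02d_%s_%s" % (i, digest[:8], os.path.basename(live)))
        shutil.move(live, parked)
        shutil.move(bak, live)
        restored.append(live)
    return restored


def build_fixture(root):
    """Write the constructed tree: three swapped slots plus one benign bak\."""
    for parts, original in ORIGINALS.items():
        d = os.path.join(root, *parts[:-1])
        os.makedirs(os.path.join(d, "bak"), exist_ok=True)
        with open(os.path.join(d, parts[-1]), "wb") as f:
            f.write(DROPPER)
        with open(os.path.join(d, "bak", parts[-1]), "wb") as f:
            f.write(original)
    tools = os.path.join(root, "Tools")
    os.makedirs(os.path.join(tools, "bak"), exist_ok=True)
    for p in (os.path.join(tools, "tool.exe"), os.path.join(tools, "bak", "tool.exe")):
        with open(p, "wb") as f:
            f.write(b"MZ same bytes")    # benign: backup equals live file
    return root


def demo():
    """Build the fixture in a temp dir, detect, cluster, restore, verify."""
    root = build_fixture(tempfile.mkdtemp(prefix="awf_"))
    try:
        swaps = find_swaps(root)
        clusters = dropper_clusters(swaps)
        restored = restore_originals(swaps, os.path.join(root, "Quarantine"))
        back = all(open(os.path.join(root, *parts), "rb").read() == orig
                   for parts, orig in ORIGINALS.items())
        return {"swaps": len(swaps), "clusters": len(clusters),
                "restored": len(restored), "originals_back": back}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The hash-equality check before anything is touched is the important safeguard: a `bak\` folder whose copy matches its sibling is a user's own backup and must not be "restored", and only a hash that shows up in two or more unrelated directories should be treated as the dropper rather than as a damaged single file.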
mjk90123
2008-04-25, 06:50
This time, when I did the ComboFix, it rebooted, but the blue screen (of death.. =/) showed up. I turned it off and on and set it to the last working configuration? Then it worked. I did ComboFix again, and here is the log:
ComboFix 08-04-22.5 - Owner 2008-04-23 23:05:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.179 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-23 22:20 . 2008-04-23 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-23 16:47 . 2008-04-23 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 09:57 . 2008-04-23 09:57 118,784 --a------ C:\WINDOWS\system32\hgzmvilo.exe
2008-04-22 00:22 . 2008-04-23 16:42 496 --a------ C:\WINDOWS\wininit.ini
2008-04-21 23:48 . 2008-04-21 23:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-21 23:48 . 2008-04-21 23:48 2,543 --a------ C:\WINDOWS\unins000.dat
2008-04-21 23:22 . 2008-04-21 23:28 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2008-04-19 19:30 . 2008-04-19 19:30 <DIR> d-------- C:\WINDOWS\resources
2008-04-19 16:08 . 2008-04-19 16:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 12:31 . 2008-04-19 12:31 <DIR> d-------- C:\Documents and Settings\michie\Application Data\TmpRecentIcons
2008-04-19 12:18 . 2008-04-19 12:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-18 21:37 . 2008-04-18 21:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 02:39 --------- d-----w C:\Program Files\QuickTime
2008-04-24 02:39 --------- d-----w C:\Program Files\iTunes
2008-04-24 02:39 --------- d-----w C:\Program Files\AIM
2008-04-24 02:20 --------- d-----w C:\Program Files\Apple Software Update
2008-04-23 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 03:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 02:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-02 04:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 05:40 --------- d-----w C:\Program Files\ArcSoft
2008-03-28 05:38 --------- d-----w C:\Program Files\Common Files\Real
2008-03-28 05:37 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-24 02:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-16 06:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-08 20:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2007-11-13 03:16 44,832 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-09-03 22:15 44,832 -c--a-w C:\Documents and Settings\michie\Application Data\GDIPFONTCACHEV1.DAT
2007-05-27 21:57 87,608 -c--a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-27 21:57 47,360 -c--a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.
------- Sigcheck -------
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-23_ 9.38.31.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-04-04 03:35:38 50,176 ----a-w C:\WINDOWS\ALCXMNTR.EXE
+ 2004-09-07 17:47:52 57,344 -c--a-w C:\WINDOWS\ALCXMNTR.EXE
- 2008-04-23 13:26:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 03:11:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2002-08-29 12:00:00 80,384 -c--a-w C:\WINDOWS\ime\imkr6_1\applets\imekrmbx.dll
+ 2004-08-04 03:04:34 86,016 -c--a-w C:\WINDOWS\ime\imkr6_1\applets\imekrmbx.dll
- 2005-01-28 17:44:28 192,512 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2002-12-12 05:08:28 192,512 -c--a-w C:\WINDOWS\inf\unregmp2.exe
+ 2008-04-24 02:20:23 27,136 ----a-r C:\WINDOWS\Installer\{02DFF6B1-1654-411C-8D7B-FD6052EF016F}\AppleSoftwareUpdateIco.exe
- 2007-10-03 01:10:07 28,176 -c--a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 2002-09-14 04:42:26 212,992 -c--a-w C:\WINDOWS\SMINST\RECGUARD.EXE
- 2007-10-03 01:10:07 28,176 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2005-01-28 17:44:28 8,192 -c--a-w C:\WINDOWS\system32\asferror.dll
+ 2002-12-12 05:16:58 7,680 -c--a-w C:\WINDOWS\system32\asferror.dll
- 2002-08-29 07:40:48 377,984 -c--a-w C:\WINDOWS\system32\ati2dvaa.dll
+ 2004-08-04 04:56:42 377,984 -c--a-w C:\WINDOWS\system32\ati2dvaa.dll
- 2002-08-29 07:40:48 202,496 -c--a-w C:\WINDOWS\system32\ati2dvag.dll
+ 2004-08-04 04:56:42 201,728 -c--a-w C:\WINDOWS\system32\ati2dvag.dll
- 2002-08-29 07:40:48 844,675 -c--a-w C:\WINDOWS\system32\ati3d1ag.dll
+ 2004-08-04 04:56:42 870,784 -c--a-w C:\WINDOWS\system32\ati3d1ag.dll
- 2005-01-28 17:44:28 294,912 -c--a-w C:\WINDOWS\system32\blackbox.dll
+ 2002-12-11 22:09:20 232,960 -c--a-w C:\WINDOWS\system32\blackbox.dll
- 2007-04-17 02:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
+ 2002-08-29 12:00:00 14,848 -c--a-w C:\WINDOWS\system32\cdm.dll
- 2005-01-28 17:44:28 164,864 -c--a-w C:\WINDOWS\system32\cewmdm.dll
+ 2002-11-27 09:03:32 159,232 -c--a-w C:\WINDOWS\system32\cewmdm.dll
- 2008-04-17 01:38:40 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-24 03:11:59 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-17 01:38:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 03:11:59 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 03:11:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-03-03 18:44:00 1,323,008 -c--a-w C:\WINDOWS\system32\dmcpl.exe
+ 2003-03-03 23:44:00 1,323,008 -c--a-w C:\WINDOWS\system32\dmcpl.exe
- 2005-01-28 17:44:28 258,296 -c--a-w C:\WINDOWS\system32\drmclien.dll
+ 2002-12-11 22:50:18 301,712 -c--a-w C:\WINDOWS\system32\drmclien.dll
- 2005-01-28 17:44:28 96,768 -c--a-w C:\WINDOWS\system32\drmstor.dll
+ 2002-12-11 21:34:42 82,432 -c--a-w C:\WINDOWS\system32\drmstor.dll
- 2005-01-28 17:44:28 502,272 -c--a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2002-12-11 22:09:22 678,912 -c--a-w C:\WINDOWS\system32\drmv2clt.dll
- 2002-11-26 18:15:52 166,912 -c--a-w C:\WINDOWS\system32\encdec.dll
+ 2002-08-29 12:00:00 155,648 -c--a-w C:\WINDOWS\system32\encdec.dll
- 2007-10-03 01:10:07 28,176 -c--a-w C:\WINDOWS\system32\hkcmd.exe
+ 2003-03-12 00:11:56 114,688 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2002-08-29 12:00:00 480,256 -c--a-w C:\WINDOWS\system32\IME\CINTLGNT\CINTSETP.EXE
+ 2004-08-04 02:31:56 480,256 -c--a-w C:\WINDOWS\system32\IME\CINTLGNT\CINTSETP.EXE
- 2002-08-29 12:00:00 827,438 -c--a-w C:\WINDOWS\system32\imjp81k.dll
+ 2004-08-04 02:31:50 811,064 -c--a-w C:\WINDOWS\system32\imjp81k.dll
- 2002-11-14 16:58:02 120,320 -c--a-w C:\WINDOWS\system32\ir41_qc.dll
+ 2004-08-04 04:56:44 120,320 -c--a-w C:\WINDOWS\system32\ir41_qc.dll
- 2002-11-14 16:58:02 338,432 -c--a-w C:\WINDOWS\system32\ir41_qcx.dll
+ 2004-08-04 04:56:44 338,432 -c--a-w C:\WINDOWS\system32\ir41_qcx.dll
- 2002-11-14 16:58:02 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll
+ 2004-08-04 04:56:44 755,200 -c--a-w C:\WINDOWS\system32\ir50_32.dll
- 2002-11-14 16:58:04 200,192 -c--a-w C:\WINDOWS\system32\ir50_qc.dll
+ 2004-08-04 04:56:44 200,192 -c--a-w C:\WINDOWS\system32\ir50_qc.dll
- 2002-11-14 16:58:04 183,808 -c--a-w C:\WINDOWS\system32\ir50_qcx.dll
+ 2004-08-04 04:56:44 183,808 -c--a-w C:\WINDOWS\system32\ir50_qcx.dll
- 2005-01-28 17:44:28 6,656 -c--a-w C:\WINDOWS\system32\laprxy.dll
+ 2002-12-11 19:16:58 6,656 -c--a-w C:\WINDOWS\system32\laprxy.dll
- 2005-01-28 17:44:28 96,768 -c--a-w C:\WINDOWS\system32\logagent.exe
+ 2002-12-11 19:04:20 81,408 -c--a-w C:\WINDOWS\system32\logagent.exe
+ 2003-12-08 17:58:22 94,208 -c--a-w C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
- 2005-01-28 17:44:28 142,336 -c--a-w C:\WINDOWS\system32\msnetobj.dll
+ 2002-12-11 22:09:22 253,952 -c--a-w C:\WINDOWS\system32\msnetobj.dll
- 2005-01-28 17:44:28 25,088 -c--a-w C:\WINDOWS\system32\MsPMSNSv.dll
+ 2002-11-27 09:03:32 52,224 -c--a-w C:\WINDOWS\system32\MsPMSNSv.dll
- 2005-01-28 17:44:28 173,568 ----a-w C:\WINDOWS\system32\MsPMSP.dll
+ 2002-11-27 09:03:32 201,728 -c--a-w C:\WINDOWS\system32\MsPMSP.dll
- 2005-01-28 17:44:28 364,784 -c--a-w C:\WINDOWS\system32\MSSCP.dll
+ 2002-12-12 08:09:22 358,912 -c--a-w C:\WINDOWS\system32\MSSCP.dll
- 2005-01-28 17:44:28 315,904 ----a-w C:\WINDOWS\system32\MSWMDM.dll
+ 2002-11-27 09:03:32 245,760 -c--a-w C:\WINDOWS\system32\MSWMDM.dll
- 2003-03-03 18:44:00 2,951,306 ----a-w C:\WINDOWS\system32\nv4_disp.dll
+ 2003-03-03 23:44:00 2,951,306 -c--a-w C:\WINDOWS\system32\nv4_disp.dll
- 2003-03-03 18:44:00 4,595,712 -c--a-w C:\WINDOWS\system32\nvcpl.dll
+ 2003-03-03 23:44:00 4,595,712 -c--a-w C:\WINDOWS\system32\nvcpl.dll
- 2003-03-03 18:44:00 831,557 -c--a-w C:\WINDOWS\system32\nview.dll
+ 2003-03-03 23:44:00 831,557 -c--a-w C:\WINDOWS\system32\nview.dll
- 2003-03-03 18:44:00 512,000 -c--a-w C:\WINDOWS\system32\nviewimg.dll
+ 2003-03-03 23:44:00 512,000 -c--a-w C:\WINDOWS\system32\nviewimg.dll
- 2003-03-03 18:44:00 126,976 -c--a-w C:\WINDOWS\system32\nvinstnt.dll
+ 2003-03-03 23:44:00 126,976 -c--a-w C:\WINDOWS\system32\nvinstnt.dll
- 2003-03-03 18:44:00 49,152 -c--a-w C:\WINDOWS\system32\nvmctray.dll
+ 2003-03-03 23:44:00 49,152 -c--a-w C:\WINDOWS\system32\nvmctray.dll
- 2003-03-03 18:44:00 3,653,632 -c--a-w C:\WINDOWS\system32\nvoglnt.dll
+ 2003-03-03 23:44:00 3,653,632 -c--a-w C:\WINDOWS\system32\nvoglnt.dll
- 2003-03-03 18:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrsda.dll
+ 2003-03-03 23:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrsda.dll
- 2003-03-03 18:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsde.dll
+ 2003-03-03 23:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsde.dll
- 2003-03-03 18:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrseng.dll
+ 2003-03-03 23:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrseng.dll
- 2003-03-03 18:44:00 249,856 -c--a-w C:\WINDOWS\system32\nvrses.dll
+ 2003-03-03 23:44:00 249,856 -c--a-w C:\WINDOWS\system32\nvrses.dll
- 2003-03-03 18:44:00 245,760 -c--a-w C:\WINDOWS\system32\nvrsfi.dll
+ 2003-03-03 23:44:00 245,760 -c--a-w C:\WINDOWS\system32\nvrsfi.dll
- 2003-03-03 18:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsfr.dll
+ 2003-03-03 23:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsfr.dll
- 2003-03-03 18:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsit.dll
+ 2003-03-03 23:44:00 262,144 -c--a-w C:\WINDOWS\system32\nvrsit.dll
- 2003-03-03 18:44:00 3,383,296 -c--a-w C:\WINDOWS\system32\nvrsja.dll
+ 2003-03-03 23:44:00 3,383,296 -c--a-w C:\WINDOWS\system32\nvrsja.dll
- 2003-03-03 18:44:00 3,379,200 -c--a-w C:\WINDOWS\system32\nvrsko.dll
+ 2003-03-03 23:44:00 3,379,200 -c--a-w C:\WINDOWS\system32\nvrsko.dll
- 2003-03-03 18:44:00 258,048 -c--a-w C:\WINDOWS\system32\nvrsnl.dll
+ 2003-03-03 23:44:00 258,048 -c--a-w C:\WINDOWS\system32\nvrsnl.dll
- 2003-03-03 18:44:00 249,856 -c--a-w C:\WINDOWS\system32\nvrsno.dll
+ 2003-03-03 23:44:00 249,856 -c--a-w C:\WINDOWS\system32\nvrsno.dll
- 2003-03-03 18:44:00 241,664 -c--a-w C:\WINDOWS\system32\nvrspt.dll
+ 2003-03-03 23:44:00 241,664 -c--a-w C:\WINDOWS\system32\nvrspt.dll
- 2003-03-03 18:44:00 258,048 -c--a-w C:\WINDOWS\system32\nvrsptb.dll
+ 2003-03-03 23:44:00 258,048 -c--a-w C:\WINDOWS\system32\nvrsptb.dll
- 2003-03-03 18:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrssv.dll
+ 2003-03-03 23:44:00 253,952 -c--a-w C:\WINDOWS\system32\nvrssv.dll
- 2003-03-03 18:44:00 212,992 -c--a-w C:\WINDOWS\system32\nvrszhc.dll
+ 2003-03-03 23:44:00 212,992 -c--a-w C:\WINDOWS\system32\nvrszhc.dll
- 2003-03-03 18:44:00 212,992 -c--a-w C:\WINDOWS\system32\nvrszht.dll
+ 2003-03-03 23:44:00 212,992 -c--a-w C:\WINDOWS\system32\nvrszht.dll
- 2003-03-03 18:44:00 462,919 -c--a-w C:\WINDOWS\system32\nvshell.dll
+ 2003-03-03 23:44:00 462,919 -c--a-w C:\WINDOWS\system32\nvshell.dll
- 2003-03-03 18:44:00 65,536 ----a-w C:\WINDOWS\system32\nvsvc32.exe
+ 2003-03-03 23:44:00 65,536 -c--a-w C:\WINDOWS\system32\nvsvc32.exe
- 2003-03-03 18:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrsda.dll
+ 2003-03-03 23:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrsda.dll
- 2003-03-03 18:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrsde.dll
+ 2003-03-03 23:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrsde.dll
- 2003-03-03 18:44:00 147,456 -c--a-w C:\WINDOWS\system32\nvwrseng.dll
+ 2003-03-03 23:44:00 147,456 -c--a-w C:\WINDOWS\system32\nvwrseng.dll
- 2003-03-03 18:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrses.dll
+ 2003-03-03 23:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrses.dll
- 2003-03-03 18:44:00 163,840 -c--a-w C:\WINDOWS\system32\nvwrsfi.dll
+ 2003-03-03 23:44:00 163,840 -c--a-w C:\WINDOWS\system32\nvwrsfi.dll
- 2003-03-03 18:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsfr.dll
+ 2003-03-03 23:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsfr.dll
- 2003-03-03 18:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsit.dll
+ 2003-03-03 23:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsit.dll
- 2003-03-03 18:44:00 106,496 -c--a-w C:\WINDOWS\system32\nvwrsja.dll
+ 2003-03-03 23:44:00 106,496 -c--a-w C:\WINDOWS\system32\nvwrsja.dll
- 2003-03-03 18:44:00 102,400 -c--a-w C:\WINDOWS\system32\nvwrsko.dll
+ 2003-03-03 23:44:00 102,400 -c--a-w C:\WINDOWS\system32\nvwrsko.dll
- 2003-03-03 18:44:00 167,936 -c--a-w C:\WINDOWS\system32\nvwrsnl.dll
+ 2003-03-03 23:44:00 167,936 -c--a-w C:\WINDOWS\system32\nvwrsnl.dll
- 2003-03-03 18:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrsno.dll
+ 2003-03-03 23:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrsno.dll
- 2003-03-03 18:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrspt.dll
+ 2003-03-03 23:44:00 176,128 -c--a-w C:\WINDOWS\system32\nvwrspt.dll
- 2003-03-03 18:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsptb.dll
+ 2003-03-03 23:44:00 172,032 -c--a-w C:\WINDOWS\system32\nvwrsptb.dll
- 2003-03-03 18:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrssv.dll
+ 2003-03-03 23:44:00 159,744 -c--a-w C:\WINDOWS\system32\nvwrssv.dll
- 2003-03-03 18:44:00 86,016 -c--a-w C:\WINDOWS\system32\nvwrszhc.dll
+ 2003-03-03 23:44:00 86,016 -c--a-w C:\WINDOWS\system32\nvwrszhc.dll
- 2003-03-03 18:44:00 86,016 -c--a-w C:\WINDOWS\system32\nvwrszht.dll
+ 2003-03-03 23:44:00 86,016 -c--a-w C:\WINDOWS\system32\nvwrszht.dll
- 2003-03-03 18:44:00 323,584 -c--a-w C:\WINDOWS\system32\nwiz.exe
+ 2003-03-03 23:44:00 323,584 -c--a-w C:\WINDOWS\system32\nwiz.exe
- 2008-04-07 22:02:37 59,326 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 02:41:27 59,326 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-07 22:02:37 394,078 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 02:41:28 394,078 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-03 01:10:07 28,176 -c--a-w C:\WINDOWS\system32\ps2.exe
+ 2002-10-16 22:57:10 81,920 -c--a-w C:\WINDOWS\system32\ps2.exe
- 2002-08-29 08:41:10 150,528 ----a-w C:\WINDOWS\system32\ptpusd.dll
+ 2004-08-04 04:56:46 159,232 -c--a-w C:\WINDOWS\system32\ptpusd.dll
- 2005-01-28 17:44:28 221,184 -c--a-w C:\WINDOWS\system32\qasf.dll
+ 2002-12-11 21:34:40 241,664 -c--a-w C:\WINDOWS\system32\qasf.dll
- 2002-11-26 18:15:50 219,136 -c--a-w C:\WINDOWS\system32\sbe.dll
+ 2002-08-29 12:00:00 218,112 -c--a-w C:\WINDOWS\system32\sbe.dll
- 2002-08-29 12:00:00 147,483 -c--a-w C:\WINDOWS\system32\scrrun.dll
+ 2003-01-14 17:18:30 147,456 -c--a-w C:\WINDOWS\system32\scrrun.dll
- 2002-08-29 12:00:00 72,192 -c--a-w C:\WINDOWS\system32\uniime.dll
+ 2004-08-04 03:04:12 76,288 -c--a-w C:\WINDOWS\system32\uniime.dll
- 2005-01-28 17:44:28 396,528 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2002-12-11 23:11:02 410,248 -c--a-w C:\WINDOWS\system32\wmadmod.dll
- 2005-01-28 17:44:28 716,288 -c--a-w C:\WINDOWS\system32\wmadmoe.dll
+ 2002-12-11 21:34:40 670,208 -c--a-w C:\WINDOWS\system32\wmadmoe.dll
- 2005-01-28 17:44:28 224,768 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2002-12-11 21:23:48 218,112 -c--a-w C:\WINDOWS\system32\wmasf.dll
- 2005-01-28 17:44:28 28,160 ----a-w C:\WINDOWS\system32\WMDMLOG.dll
+ 2002-11-27 09:03:32 27,136 -c--a-w C:\WINDOWS\system32\WMDMLOG.dll
- 2005-01-28 17:44:28 33,792 -c--a-w C:\WINDOWS\system32\WMDMPS.dll
+ 2002-11-27 09:03:32 23,552 -c--a-w C:\WINDOWS\system32\WMDMPS.dll
- 2005-01-28 17:44:28 189,440 -c--a-w C:\WINDOWS\system32\wmerror.dll
+ 2002-12-12 05:16:56 167,936 -c--a-w C:\WINDOWS\system32\wmerror.dll
- 2005-01-28 17:44:28 150,016 -c--a-w C:\WINDOWS\system32\wmidx.dll
+ 2002-12-11 19:16:58 143,360 -c--a-w C:\WINDOWS\system32\wmidx.dll
- 2005-01-28 17:44:28 1,027,072 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
+ 2002-12-11 21:23:58 981,504 -c--a-w C:\WINDOWS\system32\wmnetmgr.dll
- 2005-01-28 17:44:28 5,525,504 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2002-12-12 07:27:24 4,648,960 -c--a-w C:\WINDOWS\system32\wmp.dll
- 2005-01-28 17:44:28 135,168 -c--a-w C:\WINDOWS\system32\wmpasf.dll
+ 2002-12-12 07:34:40 106,496 -c--a-w C:\WINDOWS\system32\wmpasf.dll
- 2005-01-28 17:44:28 20,480 -c--a-w C:\WINDOWS\system32\wmpcd.dll
+ 2002-12-12 05:09:24 20,480 -c--a-w C:\WINDOWS\system32\wmpcd.dll
- 2005-01-28 17:44:28 20,480 -c--a-w C:\WINDOWS\system32\wmpcore.dll
+ 2002-12-12 05:09:24 20,480 -c--a-w C:\WINDOWS\system32\wmpcore.dll
- 2005-01-28 17:44:28 282,624 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2002-12-12 07:34:40 225,280 -c--a-w C:\WINDOWS\system32\wmpdxm.dll
- 2005-01-28 17:44:28 3,371,008 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2002-12-12 07:34:40 2,940,928 -c--a-w C:\WINDOWS\system32\wmploc.dll
- 2005-01-28 17:44:28 86,016 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2002-12-12 07:34:40 98,304 -c--a-w C:\WINDOWS\system32\wmpshell.dll
- 2005-01-28 17:44:28 20,480 -c--a-w C:\WINDOWS\system32\wmpui.dll
+ 2002-12-12 05:09:24 20,480 -c--a-w C:\WINDOWS\system32\wmpui.dll
- 2005-01-28 17:44:28 774,904 -c--a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2002-12-11 23:12:50 760,968 -c--a-w C:\WINDOWS\system32\wmsdmod.dll
- 2005-01-28 17:44:28 1,119,744 -c--a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2002-12-11 21:34:40 1,111,040 -c--a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2005-01-28 17:44:28 413,944 -c--a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2002-12-11 23:07:54 486,536 -c--a-w C:\WINDOWS\system32\wmspdmod.dll
- 2005-01-28 17:44:28 940,544 -c--a-w C:\WINDOWS\system32\wmspdmoe.dll
+ 2002-12-11 21:34:40 892,416 -c--a-w C:\WINDOWS\system32\wmspdmoe.dll
- 2005-01-28 17:44:28 2,370,296 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2002-12-11 23:02:38 2,058,888 -c--a-w C:\WINDOWS\system32\wmvcore.dll
- 2005-01-28 17:44:28 895,736 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2002-12-11 23:10:00 816,264 -c--a-w C:\WINDOWS\system32\wmvdmod.dll
- 2005-01-28 17:44:28 1,003,008 -c--a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2002-12-11 21:34:40 997,888 -c--a-w C:\WINDOWS\system32\wmvdmoe2.dll
- 2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2002-08-29 12:00:00 139,776 -c--a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2002-08-29 12:00:00 189,440 -c--a-w C:\WINDOWS\system32\wuaueng.dll
- 2005-05-26 08:19:32 173,536 -c--a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-04-17 02:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C9C9447-3658-44C9-8490-D96B0AB57C88}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{677C004A-E528-4984-B6B3-06CD34E16BD0}]
C:\WINDOWS\System32\opnKARHb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A356A469-5553-4CD4-8182-B146A7D1FC58}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00 13312]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 20:19 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08 1511453]
"eqpjwoal"="C:\WINDOWS\system32\mpcjalyz.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 08:00 145408]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 08:00 208953]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11 114688]
"HostManager"="C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe" [2006-03-10 18:22 48280]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 10:40 34904]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00 59392]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 10:27 69632]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01 155648]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42 69632]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00 455168]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2002-08-21 19:48:26 40960]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 10:11:14 27136]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2002-08-21 19:48:26 40960]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 10:11:14 27136]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 07:21:36 552960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"scNHCXc3NG"= C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnomMe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-21 01:08 1511453 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2003-03-03 19:44 4595712 C:\WINDOWS\System32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a--c--- 2003-03-03 19:44 831557 C:\WINDOWS\system32\nview.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-03-03 19:44 323584 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-16 20:19 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 02:20:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-26 03:43:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2005-12-01 04:25:58 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125457009.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-23 22:29:45 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183088489.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 23:30:37
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Common Files\AOL\1183143937\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\WINDOWS\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-04-23 23:42:26 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-24 03:42:23
ComboFix2.txt 2008-04-24 02:51:26
ComboFix3.txt 2008-04-23 13:39:05
Pre-Run: 11,652,849,664 bytes free
Post-Run: 11,669,602,304 bytes free
398
The new HijackThis log is this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:52 PM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\AOL\1183143937\ee\aolsoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1183143937\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 8323 bytes
mjk90123
2008-04-25, 06:53
thank you so much for helping me! (i have no idea how to fix my computer =/ but this infection or whatever is so annoying :sad:)
Rorschach112
2008-04-25, 14:40
Going good :)
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\hgzmvilo.exe
Folder::
C:\Documents and Settings\All Users\Application Data\kvsxqfav
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
Reboot and post a new HijackThis log
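The fix list above is a hand-picked triage of the HijackThis log: orphaned BHO/URLSearchHook CLSIDs, a Winlogon Notify entry whose DLL name has been hidden, an autostart under Policies\Explorer\Run, and Run values with machine-generated names pointing into system32 or All Users\Application Data. As an added example (not HijackThis, ComboFix or either poster's own code), the script below encodes those patterns as explicit rules, runs them over lines copied from the log above, and emits the File::/Folder:: sections of a CFScript in the same shape as the one in this post. The folder list, the "8+ alphanumerics" randomness test, the 4-character overlap test and the "bare filename" rule are assumptions chosen for this example, not documented HijackThis or Virtumonde signatures; an analyst still decides what gets ticked.

```python
"""HijackThis log triage, modelled on the fix list in the post above.
Added example, not code from HijackThis, ComboFix or the thread's participants.
The rules are heuristics chosen for this example (assumptions), not HJT logic."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log above. It mixes the entries
# the post says to fix with legitimate neighbours the rules must leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Folders where a random-named executable is suspicious (assumption for this example).
SYSTEM32 = r"c:\windows\system32"
ALLUSERS_APPDATA = r"c:\documents and settings\all users\application data"


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    path: str = ""  # executable the entry launches, when resolvable


def share_substring(a: str, b: str, n: int) -> bool:
    """True if the two names share any n-character run (case-insensitive)."""
    a, b = a.lower(), b.lower()
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def looks_random(s: str) -> bool:
    """Crude stand-in for 'machine-generated name': 8+ alphanumerics, not a number."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{8,}", s)) and not s.isdigit()


def classify_o4(body: str):
    m = O4_RE.match(body)
    if not m:
        return None  # Startup-folder .lnk lines carry no [name]; not scored here
    key, name, cmd = m.group("key", "name", "cmd")
    pm = EXE_RE.match(cmd)
    path = pm.group("path") if pm else None
    if key.lower().endswith(r"policies\explorer\run"):
        return ("autostart via Policies\\Explorer\\Run, a key installers rarely use", path)
    if path is None:
        return None
    if "\\" not in path:
        return ("bare filename, no directory: resolved through PATH at logon", path)
    folder, filename = path.rsplit("\\", 1)
    stem = filename.rsplit(".", 1)[0]
    in_suspect_dir = folder.lower() == SYSTEM32 or folder.lower().startswith(ALLUSERS_APPDATA)
    if in_suspect_dir and looks_random(name) and looks_random(stem) and not share_substring(name, stem, 4):
        return ("random-looking value name and executable in " + folder, path)
    return None


def classify(section: str, body: str):
    """Return (reason, path) when an entry matches a rule, else None."""
    if section in ("R3", "O2") and body.endswith(("(no file)", "(file missing)")):
        return ("orphaned CLSID: still registered but its DLL is gone", None)
    if section == "O20" and body.rsplit(" - ", 1)[-1].endswith("\\"):
        return ("Winlogon Notify path is a bare directory: the DLL name is hidden", None)
    if section == "O4":
        return classify_o4(body)
    return None


def triage(log: str) -> list:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        hit = classify(m.group(1), m.group(2)) if m else None
        if hit:
            findings.append(Finding(m.group(1), line, hit[0], hit[1] or ""))
    return findings


def cfscript(findings: list) -> str:
    """File::/Folder:: sections of a ComboFix CFScript for the resolvable paths. A binary
    under the All Users Application Data tree goes with its whole folder, as the post
    did with kvsxqfav; Registry:: and Driver:: sections are left to the analyst."""
    files, folders = [], []
    for f in findings:
        if not f.path or "\\" not in f.path:
            continue
        folder = f.path.rsplit("\\", 1)[0]
        if folder.lower().startswith(ALLUSERS_APPDATA):
            folders.append(folder)
        else:
            files.append(f.path)
    out = (["File::"] + files if files else []) + (["Folder::"] + folders if folders else [])
    return "\n".join(out)
```

Run `triage(SAMPLE_LOG)` and the nine findings are exactly the nine entries the post tells the user to tick; `cfscript(...)` yields a File:: line for mpcjalyz.exe and a Folder:: line for kvsxqfav, mirroring the script in this post. The PHIME2002ASync and HotKeysCmds lines show why the rules look at the exact folder and the executable's stem length rather than just "lives under C:\WINDOWS": both are legitimate and must not be flagged.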
mjk90123
2008-04-27, 03:32
after i disabled teatimer and fixed the checked things in hijackthis, i ran the combofix... but when my comp rebooted, the blue screen came up again..
so i had to reboot again to the "last good configuration" that worked..
i didn't redo the combofix because i wasn't sure if my doing the last good configuration undid the combofix..
i ran a hijackthis after i rebooted to the last time windows ran normally and this is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08, on 2008-04-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1183143937\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
c:\program files\common files\aol\1183143937\ee\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 8012 bytes
do you have any idea as to why the blue screen keeps popping up? this is the 2nd time it's come up =/
thanks!
Rorschach112
2008-04-27, 15:08
This is caused by the malware trying to stop itself being removed. We will try a different way
1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\WINDOWS\system32\hgzmvilo.exe
C:\Documents and Settings\All Users\Application Data\kvsxqfav
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Reboot and do this
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
mjk90123
2008-04-28, 02:53
hi~
there was no log in the folder from the OTMoveIT2...
here is the extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) XP 2800+
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 447.36 MiB / 169.25 MiB
Pagefile Memory (total/avail): 1058.58 MiB / 845.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.75 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 107.34 GiB total, 10.14 GiB free.
D: is Fixed (FAT32) - 4.43 GiB total, 0.42 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
\\.\PHYSICALDRIVE0 - ST3120025A - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 4.44 GiB - D:
\PARTITION1 (bootable) - Installable File System - 107.34 GiB - C:
\\.\PHYSICALDRIVE1 - USB Reader USB Device
\\.\PHYSICALDRIVE2 - USB Reader USB Device
\\.\PHYSICALDRIVE3 - USB Reader USB Device
\\.\PHYSICALDRIVE4 - USB Reader USB Device
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MICHELLE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\MICHELLE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCToolsDir=C:\Documents and Settings\All Users\Start Menu\Programs\Hewlett-Packard\HP Pavilion PC Tools
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=MICHELLE
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Owner (admin)
michie (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {60E971B7-51A0-48CA-8687-C6B8F094A409}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Connectivity Services --> "C:\Program Files\Common Files\AOL\ACS\AcsUninstall.exe" /c
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BUM --> MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Deskjet printer preloaded drivers --> MsiExec.exe /X{48BD24F5-13DE-493A-A7CE-28A85113FF0C}
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc --> MsiExec.exe /X{35E90FA5-2CB4-4039-A8BB-BE1B9DB94E21}
HP Photo and Imaging 1.2 - Photosmart Cameras --> MsiExec.exe /X{4F5FC172-F0E7-4EA5-902F-8D005DF9F000}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1200 series --> c:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HP Photosmart printers preloaded drivers --> MsiExec.exe /X{9E88DAA4-1352-4272-BA3A-897668408400}
hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
KODAK EASYSHARE Gallery Easy Upload, v2.1 --> C:\Documents and Settings\Owner\Local Settings\Application Data\KodakGallery\EasyShareSetup\$SETUP_140007_7b852c8\Setup.exe /APR-REMOVE
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard for Students and Teachers --> MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Pure Networks Port Magic --> C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
ShowBiz DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{60E80B13-8649-4A69-85E2-1AE99E061F43}\setup.exe" -l0x9
Sibelius Scorch --> MsiExec.exe /I{51C65CD6-A344-41B5-81E2-3CCAC8024F68}
Simple Backup for My Pictures --> MsiExec.exe /I{60E971B7-51A0-48CA-8687-C6B8F094A409}
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
The KMPlayer (remove only) --> "C:\Program Files\The KMPlayer\uninstall.exe"
toolkit --> c:\Windows\HPTK\unhptkit.exe
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
WildTangent GameChannel (remove only) --> "C:\Program Files\WildTangent\Apps\uninstallgamechannel.exe"
WordPerfect Productivity Pack --> c:\WINDOWS\Corel\Uninst32.exe
WordPerfect Productivity Pack --> C:\WINDOWS\Corel\uninst32.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type1269 / Error
Event Submitted/Written: 04/24/2008 04:48:51 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application OPXPApp.exe, version 0.0.0.0, faulting module atsc51.dll, version 6.1.5.0, fault address 0x00024798.
Event Record #/Type1268 / Error
Event Submitted/Written: 04/24/2008 04:48:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application OPXPApp.exe, version 0.0.0.0, faulting module atsc51.dll, version 6.1.5.0, fault address 0x00024798.
Event Record #/Type1267 / Error
Event Submitted/Written: 04/24/2008 02:14:36 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application olympus master.exe, version 2.0.1.3, faulting module olyqtlib.dll, version 1.0.0.5, fault address 0x000115a5.
Event Record #/Type1248 / Error
Event Submitted/Written: 04/23/2008 03:52:34 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
Event Record #/Type1247 / Error
Event Submitted/Written: 04/23/2008 03:52:34 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type19569 / Error
Event Submitted/Written: 04/27/2008 07:43:43 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.2 for the Network Card with network address D2D53FDA7F30 has been
denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
Event Record #/Type19562 / Error
Event Submitted/Written: 04/27/2008 07:43:43 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The wscsvc service failed to start due to the following error:
%%1083
Event Record #/Type19561 / Error
Event Submitted/Written: 04/27/2008 07:43:43 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2
Event Record #/Type19560 / Warning
Event Submitted/Written: 04/27/2008 07:43:31 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address D2D53FDA7F30. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type19543 / Warning
Event Submitted/Written: 04/27/2008 07:30:01 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address D2D53FDA7F30. The IP address being used is 169.254.128.0.
-- End of Deckard's System Scanner: finished at 2008-04-27 19:45:47 ------------
Here is the main.txt:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-27 19:44:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
27: 2008-04-27 23:44:33 UTC - RP270 - Deckard's System Scanner Restore Point
26: 2008-04-27 15:51:27 UTC - RP269 - System Checkpoint
25: 2008-04-27 17:55:37 UTC - RP268 - System Checkpoint
24: 2008-04-25 19:21:15 UTC - RP267 - ComboFix created restore point
23: 2008-04-25 05:17:12 UTC - RP266 - System Checkpoint
-- First Restore Point --
1: 2008-04-19 00:43:09 UTC - RP244 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 448 MiB (512 MiB recommended).
System Drive C: has 10.14 GiB (less than 15%) free.
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45, on 2008-04-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\program files\common files\aol\1183143937\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1183143937\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 7551 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080425-151823-404 O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
backup-20080425-151823-436 O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
backup-20080425-151823-501 O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
backup-20080425-151823-508 O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
backup-20080425-151823-613 O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
backup-20080425-151823-703 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080425-151823-799 O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
backup-20080425-151823-902 O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
backup-20080425-151823-935 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080427-183111-487 O2 - BHO: (no name) - {8B746D70-EB36-4BDE-A1B9-7CBCF9D2883C} - (no file)
backup-20080427-183111-696 O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
backup-20080427-183111-707 O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - (no file)
backup-20080427-183111-728 O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
backup-20080427-183111-882 O2 - BHO: (no name) - {A356A469-5553-4CD4-8182-B146A7D1FC58} - (no file)
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-04-24 20:43:42 342 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183088489.job
2008-04-23 22:20:22 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-25 23:43:00 272 --a------ C:\WINDOWS\Tasks\easy Internet sign-up.job
2005-12-01 00:25:58 342 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125457009.job
-- Files created between 2008-03-27 and 2008-04-27 -----------------------------
2008-04-25 20:20:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-25 15:24:50 53248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-04-24 00:52:11 0 d-------- C:\Program Files\Sibelius Software
2008-04-23 22:20:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-23 20:56:48 68096 --a------ C:\WINDOWS\zip.exe
2008-04-23 20:56:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-23 20:56:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-23 20:56:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-23 20:56:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-23 20:56:48 98816 --a------ C:\WINDOWS\sed.exe
2008-04-23 20:56:48 80412 --a------ C:\WINDOWS\grep.exe
2008-04-23 20:56:48 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-23 16:47:34 0 d-------- C:\Program Files\Trend Micro
2008-04-21 23:48:09 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-21 23:48:07 2543 --a------ C:\WINDOWS\unins000.dat
2008-04-21 23:22:49 0 d-------- C:\Documents and Settings\Owner\Incomplete
2008-04-19 19:30:59 0 d-------- C:\WINDOWS\resources
2008-04-19 16:08:25 0 d-------- C:\Program Files\Enigma Software Group
2008-04-19 12:31:19 0 d-------- C:\Documents and Settings\michie\Application Data\TmpRecentIcons
2008-04-19 12:18:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-19 12:18:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-18 21:37:01 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
-- Find3M Report ---------------------------------------------------------------
2008-04-25 14:42:15 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-25 09:34:20 58944 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 22:39:06 0 d-------- C:\Program Files\QuickTime
2008-04-23 22:39:06 0 d-------- C:\Program Files\iTunes
2008-04-23 22:39:03 0 d-------- C:\Program Files\AIM
2008-04-23 22:20:20 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 23:45:21 4538 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-12 22:03:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 01:27:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-02 00:30:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-28 01:40:44 0 d-------- C:\Program Files\ArcSoft
2008-03-28 01:38:43 0 d-------- C:\Program Files\Common Files
2008-03-28 01:38:43 0 d-------- C:\Program Files\Common Files\Real
2008-03-28 01:38:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-28 01:37:45 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-23 22:25:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-08 16:31:23 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 08:00]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 08:00]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 20:11]
"HostManager"="C:\Program Files\Common Files\AOL\1183143937\ee\AOLSoftware.exe" [2006-03-10 18:22]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 10:40]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 08:00]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 10:27]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 11:01]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 08:00]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 20:19]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 07:21:36]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe
-- End of Deckard's System Scanner: finished at 2008-04-27 19:45:47 ------------
After I did the OTMoveIt2 and rebooted, I got the blue screen again =/
I rebooted again to the last working config, and then ran the DSS. Is that okay?
Thank you~
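As an added example that is not part of this thread (my own code, not the helper's instructions or the output of any tool used here): a small Python triage pass over HijackThis entries. The sample lines are copied from the log posted above; the allow-list of Winlogon Notify packages and the scoring weights are assumptions chosen for illustration. It shows why the entries HijackThis fixed stood out: orphaned BHOs, an unknown Winlogon Notify package, and eight-letter random names dropped in system32 and Application Data, while a legitimate eight-letter name such as hpsysdrv.exe is not flagged on the name alone.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied from the DSS/HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C9C9447-3658-44C9-8490-D96B0AB57C88} - (no file)
O2 - BHO: (no name) - {677C004A-E528-4984-B6B3-06CD34E16BD0} - C:\WINDOWS\System32\opnKARHb.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Policies\Explorer\Run: [scNHCXc3NG] C:\Documents and Settings\All Users\Application Data\kvsxqfav\knkfgzad.exe
O4 - HKCU\..\Run: [eqpjwoal] C:\WINDOWS\system32\mpcjalyz.exe
O20 - Winlogon Notify: urqnomMe - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Winlogon Notify packages normally present on Windows XP, plus the two this
# machine's log shows as legitimate (Intel igfxcui, Softex OPXPGina). This
# allow-list is an assumption for the example; extend it from your own baseline.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "opxpgina",
}

# Eight letters, no digits: the naming pattern of the Vundo files in the log
# above (knkfgzad.exe, mpcjalyz.exe, opnKARHb.dll, urqnomMe).
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")

# First Windows path ending in a loadable module; spaces in the path are allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    score: int
    severity: str
    reasons: list


def triage_line(line: str):
    """Score one HijackThis entry; return a Finding when it deserves a look, else None."""
    kind, _, body = line.strip().partition(" - ")
    score, reasons = 0, []

    if "(no file)" in body or "(file missing)" in body:
        score += 2
        reasons.append("orphaned entry: the referenced file no longer exists")

    if kind == "O4" and "Policies\\Explorer\\Run" in body:
        score += 3
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")

    if kind == "O20":
        # "Winlogon Notify: <package> - <path>"
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if name.lower() not in KNOWN_WINLOGON_NOTIFY:
            score += 3
            reasons.append(f"Winlogon Notify package '{name}' is not on the allow-list")
        if RANDOM_NAME.match(name):
            score += 1
            reasons.append("random-looking eight-letter package name")

    m = PATH_RE.search(body)
    if m:
        parts = m.group(0).split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        if RANDOM_NAME.match(stem):
            # Weak evidence on its own: HP's hpsysdrv.exe matches too. Location adds weight.
            score += 1
            reasons.append(f"random-looking file name '{parts[-1]}'")
            if RANDOM_NAME.match(parent):
                score += 2
                reasons.append(f"random-looking parent folder '{parent}'")
            lower = m.group(0).lower()
            if "\\system32\\" in lower or "\\application data\\" in lower:
                score += 1
                reasons.append("dropped where Vundo stages files (system32 or Application Data)")

    if score < 2:
        return None
    return Finding(line.strip(), score, "high" if score >= 3 else "medium", reasons)


def triage(log_text: str):
    """Triage every line of a HijackThis log, highest score first."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.score:>2}  {f.line}")
        for r in f.reasons:
            print(f"            - {r}")
```

Run as a script it prints the five entries worth attention, the Policies\Explorer\Run dropper first. The scores are heuristics, not verdicts: confirm a hit by checking the file's signature and hash before deleting it, and treat a name-only match (score 1, suppressed here) as nothing more than a prompt to look at where the file lives.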
Rorschach112
2008-04-28, 03:06
Strange that you are getting BSODs; I wonder if it is hardware-related.
If it happens again, can you write down the details and I will see if I can fix it.
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Also let me know how your PC is running.
mjk90123
2008-04-29, 06:49
Grrr.
It was scanning fine, until it just shut down and the blue screen showed up again:
STOP: 0x0000007E (0XC0000005, 0X805749D7, 0XF78D2954, 0XF78D2654)
and the next time it happened, the things in the parentheses changed.
Other than that, my internet is the only thing that is being weird. It won't connect, and sometimes when it says it has an excellent connection, I am not receiving a signal.
Do you know what's wrong with it??
Thank you
Rorschach112
2008-04-29, 15:06
The BSODs seem to be related to this:
http://support.microsoft.com/kb/330182
Can you run MBAM?
Your problems aren't malware-related, so you may need help from a tech person.
mjk90123
2008-04-30, 08:15
What's MBAM?
Should I contact Microsoft for help??
Rorschach112
2008-04-30, 15:44
They aren't going to help you.
See my post #11; that is MBAM.
Can you run that?
mjk90123
2008-05-02, 07:11
The MBAM scan works, but at some point the blue screen pops up, so the scan never makes a log... and it's the same STOP: 0x0000007E one~
(The same thing happened the first time I tried running MBAM.)
Why does it keep popping up during the scan??
Rorschach112
2008-05-02, 14:18
Hello
Please download MGADiag.exe (http://go.microsoft.com/fwlink/?linkid=52012) to your desktop.
Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.
Click the [Copy] button to copy the info to your clipboard.
Then come back here and paste the info in your next reply please.
mjk90123
2008-05-03, 17:11
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {EB406446-6363-46AD-B1D4-14C1B3B2A868}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A
Version: N/A
WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 101 Not Activated
Microsoft Office XP Standard for Students and Teachers - 101 Not Activated
OGA Version: Registered, 1.5.526.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-171-1_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{EB406446-6363-46AD-B1D4-14C1B3B2A868}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-2819140291-934122704-538974953</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DF211A-ABA A230N</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.07 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030421******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>631F30570184A05F</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{913D0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Office XP Standard for Students and Teachers</Name><Ver>10</Ver><Val>B48657E55DA87D6</Val><Hash>p+RIsfLn8SnAhEEBSyusfyub20k=</Hash><Pid>55866-720-1924912-17182</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="10" Result="101"/><App Id="18" Version="10" Result="101"/><App Id="1A" Version="10" Result="101"/><App Id="1B" Version="10" Result="101"/></Applications></Office></Software></GenuineResults>
Also~ every time I log in, a box says there is an error with OPXPApp.exe:
C:\DOCUME~1\owner\locals~1\Temp\WER\4.tmp.dir00\OPXPApp.exe.mdmp
C:\DOCUME~1\owner\locals~1\Temp\WER\4.tmp.dir00\appcompat.txt
Do you know what that means?
Rorschach112
2008-05-03, 17:24
Your problems aren't malware-related, that is for sure.
Follow these steps to uninstall Combofix and the tools used in the removal of malware:
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.
* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
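The hosts-file mechanism described in the recommendations above, as an added example that is not part of this post or of the MVPS project: a small Python parser that reads hosts-file text in the MVPS format and reports which hostnames would be redirected to 127.0.0.1 instead of their real server (it also treats 0.0.0.0 as a sinkhole, which goes beyond what the post mentions). The sample hosts content and the .test hostnames are constructed for illustration.

```python
"""Check which hostnames a hosts file sinkholes to the local machine."""
import ipaddress

# Constructed sample in MVPS hosts-file style (not the real MVPS list).
SAMPLE_HOSTS = """\
# Constructed hosts file for illustration
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test      # alternative sinkhole form
127.0.0.1       banner.example-ads.test  www.example-ads.test
127.0.0.1  popup.example-spyware.test
192.0.2.10      intranet.example.test
"""

LOOPBACK = ipaddress.ip_address("127.0.0.1")


def parse_hosts(text):
    """Return {hostname: ip_address} from hosts-file text.
    Handles '#' comments, blank lines and several names on one line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # skip malformed lines
        for name in fields[1:]:
            table[name.lower()] = addr        # hostnames are case-insensitive
    return table


def is_sinkholed(hostname, table):
    """True if the hosts file sends this name to loopback or 0.0.0.0, so the
    connection never leaves the machine. Note: this only affects lookups by
    name; a connection made directly to an IP address bypasses the hosts file."""
    addr = table.get(hostname.lower().rstrip("."))
    return addr is not None and (addr == LOOPBACK or addr.is_unspecified)


def check_names(names, text=SAMPLE_HOSTS):
    """Map each queried hostname to whether the hosts file blocks it."""
    table = parse_hosts(text)
    return {n: is_sinkholed(n, table) for n in names}


if __name__ == "__main__":
    queries = ["www.example-ads.test", "BANNER.example-ads.test",
               "intranet.example.test", "update.example.test"]
    for name, blocked in check_names(queries).items():
        print(f"{name:28} {'blocked (sinkholed)' if blocked else 'not blocked'}")
```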
mjk90123
2008-05-05, 00:25
thank you- i will do that~
but if the problem with my computer is not malware related.. where should i post / do you know what the problem is?
thank you so much for all your help!
also~ i don't use internet explorer.. i use firefox (i actually don't know what happened to my explorer... it's not on my computer at all anymore..) =/
Rorschach112
2008-05-05, 00:58
I will send you somewhere else to have the problem fixed
Can you tell me why you haven't updated to Service Pack 2?
Are you using a legal version of Windows? You won't get in trouble if you are.
mjk90123
2008-05-05, 03:54
to be honest I have no idea... how would i update to service pack 2? (is it a lot better than/different from service pack 1?)
and i'm pretty sure im using a legal version.. like my whole computer? like of XP? i haven't changed anything since we bought this comp...??
(if you cant tell.. i really have no idea.. sorry =/)
Rorschach112
2008-05-05, 18:08
No problem, thought that may be responsible
Go here and update Windows to Service Pack 2
http://windowsupdate.microsoft.com/
Go to this site
http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
Tell them I sent you over and list the problems you are having
They should be able to fix it
Any other questions for me ?
mjk90123
2008-05-06, 22:26
nope thank you so much for all your help!!! :D:
Rorschach112
2008-05-06, 22:27
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.