Malteazers
2006-08-31, 19:43
Foreground information: This worm is trying to start limewire and restricts me from opening the Cntrl,Alt+DEL thing.
I also (expectedly unrelated) Have probems with a w1006f56.dll on startup, if that means anything.
Logfile of HijackThis v1.99.1
Scan saved at 18:38:03, on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\outlook\outlook.exe
C:\dfndrff_15.exe
C:\kybrdff_15.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchnotify.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\A9OJ45Q5\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] C:\\dfndrff_15.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [hgfd079a] RUNDLL32.EXE w1006f56.dll,n 003d07970000000a1006f56
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\h8l2li3o18.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\HP_Owner\Desktop\xampp-win32-1.5.3a\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe (file missing)
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Malteazers
2006-08-31, 19:44
Panda virus checker=
Incident Status Location
Adware:adware/look2me Not disinfected c:\windows\system32\guard.tmp
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/gator Not disinfected c:\windows\GatorPdpLoudInstaller.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xvoqng5g.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xvoqng5g.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xvoqng5g.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xvoqng5g.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adviva[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@casalemedia[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter6.sextracker[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ct.360i[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@drivecleaner[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@hitbox[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@kmpads[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@maxserving[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@serving-sys[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statse.webtrendslive[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@targetnet[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@valueclick[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@weborama[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.drivecleaner[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@zedo[1].txt
LonnyRJones
2006-09-01, 11:14
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Malteazers
2006-09-01, 12:09
HP_Owner - 06-09-01 11:01:16.90
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\HP_Owner\Desktop
((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Granting sedebugprivilege to Administrators ... successful
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\keyboard1.dat
C:\dfndrff_15.exe
C:\kybrdff_15.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\45M5IZ0R\kybrdff_15[1].exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\CLABOPQ3\dfndrff_15[1].exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\ZP5KJ5ZJ\nwnmff_15[1].exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\outlook
C:\Program Files\winupdates
C:\Program Files\Common Files\{2418D034-0A6A-2057-0730-04081420002c}
((((((((((((((((((((((((((((((( Files Created from 2006-08-01 to 2006-09-01 ))))))))))))))))))))))))))))))))))
2006-08-31 12:37 61,952 --a------ C:\WINDOWS\system32\hgfd079a.dll
2006-08-31 12:37 1,233 --a------ C:\WINDOWS\system32\hgfd079a.sys
2006-08-30 20:03 0 ---hs---- C:\WINDOWS\system32\tasklist.com
2006-08-10 09:14 20,480 --a------ C:\WINDOWS\system32\UnInstall_KAccess.exe
2006-08-07 14:11 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-01 11:02 -------- d-------- C:\Program Files\Common Files
2006-09-01 09:40 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-31 18:10 -------- d-------- C:\Program Files\Windows Defender
2006-08-31 18:10 -------- d-------- C:\Program Files\QuickTime
2006-08-31 18:10 -------- d-------- C:\Program Files\Messenger
2006-08-31 18:10 -------- d-------- C:\Program Files\LimeWire
2006-08-31 18:10 -------- d-------- C:\Program Files\Internet Explorer
2006-08-31 18:10 -------- d-------- C:\Program Files\HighMAT CD Writing Wizard
2006-08-31 15:59 -------- d-------- C:\Program Files\Online Services
2006-08-31 15:59 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-31 14:58 -------- d-------- C:\Program Files\Trend Micro
2006-08-31 13:44 -------- d-------- C:\Program Files\Autodesk
2006-08-31 12:41 -------- d-------- C:\Program Files\Outlook Express
2006-08-20 12:08 -------- d---s---- C:\Documents and Settings\HP_Owner\Application Data\Microsoft
2006-08-18 13:35 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Macromedia
2006-08-16 17:20 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-08-16 17:20 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-08-16 16:51 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-08-07 14:17 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-08-03 16:48 -------- d-------- C:\Program Files\Common Files\McAfee
2006-08-01 15:04 53888 --a------ C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-22 09:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-16 18:21 -------- d-------- C:\Program Files\MSN Messenger
2006-07-16 16:22 -------- d-------- C:\Program Files\Google
2006-07-16 16:22 -------- d-------- C:\Program Files\DivX
2006-07-04 15:21 -------- d-------- C:\Program Files\Macromedia
2006-07-04 15:15 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-07-04 15:10 -------- d-------- C:\Program Files\Common Files\Macromedia Shared
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 22:55 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 22:55 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 22:55 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 22:55 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-14 18:49 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-12 20:22 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NI.UWA6P_0001_N822M1605"="\"C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\A9OJ45Q5\\WinAntiVirusPro2006FreeInstall[1].exe\" -nag "
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"hgfd079a"="RUNDLL32.EXE w1006f56.dll,n 003d07970000000a1006f56"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Acme.PCHButton"="C:\\PROGRA~1\\HELPAN~1\\Pavilion\\XPHWWBF4\\plugin\\bin\\PCHButton.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acme.PCHButton]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pchbutton"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\HELPAN~1\\Pavilion\\XPHWWBF4\\plugin\\bin\\pchbutton.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AutoTBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AUTOTBAR"
"hkey"="HKLM"
"command"="c:\\Program Files\\HP\\Digital Imaging\\bin\\AUTOTBAR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Gadwin PrintScreen 3.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrintScreen"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iMesh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iMesh"
"hkey"="HKCU"
"command"="C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Lexmark X5100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbabmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swdoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgf32
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 01/09/2006 11:04:17.96
ComboFix.txt
LonnyRJones
2006-09-01, 12:39
Start Hijackthis and place a check next to these items If there.
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\A9OJ45Q5\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [hgfd079a] RUNDLL32.EXE w1006f56.dll,n 003d07970000000a1006f56
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these files
C:\WINDOWS\system32\hgfd079a.dll
C:\WINDOWS\system32\hgfd079a.sys
C:\WINDOWS\system32\tasklist.com
Your antivirus might delete when you get close to them, thats fine.
Check for and fix any proglems found with SpyBot
afterwards do a full system scan with (updated) ewido then your antivirus program.
Post a fresh hijackthis log please, be sure to mention any current problems.
Malteazers
2006-09-01, 15:35
New Hijack log. There doesnt seem to be a problem now, thanks.
Logfile of HijackThis v1.99.1
Scan saved at 14:34:15, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Hijackthis\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\A9OJ45Q5\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Documents and Settings\HP_Owner\Desktop\xampp-win32-1.5.3a\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe (file missing)
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
LonnyRJones
2006-09-01, 20:14
Great
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NI.UWA6P_0001_N822M1605"=-
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
Post back in a few days and let us know how that pc is please
Malteazers
2006-09-01, 22:25
Thanks ^.^ See you next week I guess
Malteazers
2006-09-08, 16:38
Seems to be working fine now. a bit slower (then before the attack) but hey..
Coulf be my imagination
LonnyRJones
2006-09-08, 17:21
Thanks for posting back
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).