View Full Version : HiJackThis --> HiJacked ???



CaveatEmpty
2006-11-16, 19:33
Yeah, that title ought to make somebody chuckle -- sadly, it seems that it's happened !
As a long-time lurker & user of the great info here, I'm stumped on this one.

The (short) story: daughter's laptop .. boyfriend downloaded a bunch of stuff, including more than a few of those 'cleaners' we all love SO much. End result, the 'puter was completely choked ~ I think even the popups were fighting the scumware for CPU time <g>!

Sooo... Dad gets the honor of doing the cleanup, with the usual tools (S&D, AAW, Trend-Micro, etc), and things were looking pretty promising .. until .. I tried to save the HJT list. Nothing! Heck, the program quits cold. Tried a fresh download & install (ver 1.99.1) ~ same results. I'm in shock.

Fortunately, the scan-list is only about 20 items, with maybe a half-dozen that I'd call suspicious -- but what would crash HJT like that?
I *can* get it to do a MiscTools StartupList.log (huge).

FWIW: stuff that keeps coming back consistently- CommandService & Web-Nexus, then smatterings of HotsearchBar, Smitfraud-C.888, TagASaurus... stupid stuff.
Currently, it's chugging away on CLEANMGR -- we'll see how that goes --

But back to the question: what's with crashing HJT ??

steamwiz
2006-11-16, 21:03
Hi

Well we need to see some logs ... so ... post the startup log for starters... + a full list of all the cleanup programs you've used so far...

steam

CaveatEmpty
2006-11-16, 22:09
Hi-Ya Steam ~

So far: multiple runs of (all current updates) S&D, AdAware, & HJT ~ which may -or- may not be actually removing things... and a run thru CCLEANER, which was probably premature.
CLEANMGR just spun its wheels for an hour or so ~ aborted.

Finally ~ just had a go with BitDefender, which claims to have taken out some stuff that Trend-Micro identified, but wouldn't deal with for free.

I have EWIDO, smitRem, VundoFix, KillBox, Qoofix, BruteForce and Combofix all available on hot-standby <g>

I do see the JAVA needs updating; one thing at a time...


Herewith, a fresh StartupList from immediately following all the above:

-----------------------------
StartupList report, 11/16/2006, 3:29:12 PM
StartupList version: 1.52.2
Started from : C:\Utilities\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ICROSO~1.NET\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Lissa\Application Data\?ppPatch\l?gonui.exe
C:\WINDOWS\Explorer.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Lissa\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,msuhfcx.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AGRSMMSG = AGRSMMSG.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Aaou = "C:\PROGRA~1\ICROSO~1.NET\wuauclt.exe" -vt ndrv
Ixu = C:\Documents and Settings\Lissa\Application Data\?ppPatch\l?gonui.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe, C:\WINDOWS\System32\cwnet.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

<<< "POST TOO LONG" -- CONTINUED >>>

CaveatEmpty
2006-11-16, 22:10
<<< PART - II >>>
--------------------------------------------------
Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\System32\odc.dll
CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

[Slide Image Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.slide.com/uploader/SlideImageUploader.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD Athlon64 Processor Driver: System32\DRIVERS\AmdK8.sys (system)
Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 802.11 Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TI UltraMedia CardBus Controller Filter Driver: System32\DRIVERS\tiumflt.sys (system)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EABFiltr: \??\C:\WINDOWS\System32\drivers\EABFiltr.sys (system)
eabusb: \??\C:\WINDOWS\System32\drivers\eabusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
InCD File System: system32\drivers\InCDFs.sys (disabled)
InCDPass: system32\drivers\InCDPass.sys (system)
InCD Reader: system32\drivers\InCDRm.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver: System32\DRIVERS\Rtlnic51.sys (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{109124DD-59AF-4C9F-9415-2FB8ECBDE222} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tiumfwl: system32\drivers\tiumfwl.sys (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Windows Management Interface for ACPI: System32\DRIVERS\wmiacpi.sys (system)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\mqfl.dll

--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

aaahtm = C:\WINDOWS\System32\aaahtm.exe
{30AAB153-063B-1033-0430-040323040001} = "C:\Program Files\Common Files\{30AAB153-063B-1033-0430-040323040001}\Update.exe" te-110-12-0000132

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------
End of report, 31,733 bytes
Report generated in 0.125 seconds
--------------------------------------------------

Thanks for your time & input :bigthumb:

/.

steamwiz
2006-11-16, 23:34
Hi

Well that gives us a starting point...



just had a go with BitDefender, which claims to have taken out some stuff that Trend-Micro identified, but wouldn't deal with for free.


Trend should have cleaned for you; Panda was the one requiring payment.

Can you post all the logs ...

PandaScan
Trend
BitDefender

You can't post too many logs...

I've already seen several infections...

First... (if the ComboFix you have isn't a new download, then download it again)

Please follow the instructions in this link to remove the Alcan Worm from your computer :-

http://www.geekstogo.com/forum/How_to_stop_and_undo_the_effects_of_the_Alcra_aka_Alcan_Worm-t98929.html

THEN...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

CaveatEmpty
2006-11-17, 01:13
"Trend should have cleaned for you, Panda was the one requiring payment.. "
Umm-kay ... the Trend log is (was?) around here somewhere, & it kicked maybe 10 of 80 hits .. whatever. Gone now. Cranking out a new one (or the other) wouldn't be an issue, tho. Advise.

Whiling away the time ~ we took a shot at the M$ Malicious thingy: talk about being worthless <g>.

BFU / Alcan & ComboFix - *check*
Ran fresh HJT-startup logs after each; no regular logs yet.

Actually did ComboFix twice & logged both ~ didn't get a reboot on the second go-round.

Here's the First:
========================================================
Lissa - 06-11-16 18:39:23.78 Service Pack 1
ComboFix 06.11.9 - Running from: "C:\Utilities"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{86FD7C62-940D-4442-B032-BC006B55108B}]
@=""

[HKEY_CLASSES_ROOT\clsid\{86FD7C62-940D-4442-B032-BC006B55108B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{86FD7C62-940D-4442-B032-BC006B55108B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{86FD7C62-940D-4442-B032-BC006B55108B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pvrfctrs.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\d2j00c1mef.dll
C:\WINDOWS\system32\pvrfctrs.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\lnwytw.exe
O4 - HKLM\...\Run C:\WINDOWS\System32\lnwytw.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\cwnet.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\msuhfcx.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\lnwytw.exe
C:\WINDOWS\system32\ruwalfj.dll
C:\WINDOWS\system32\msuhfcx.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eujab.exe
C:\WINDOWS\kjdgl.dll
C:\WINDOWS\system32\qlldg.dat
C:\WINDOWS\system32\cwnet.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-11-09 15:34 127488 eujab.exe.qoo
06-11-09 15:34 127488 lnwytw.exe.qoo
06-11-09 15:34 51712 ruwalfj.dll.qoo
06-11-09 15:34 28672 cwnet.exe.qoo
06-11-09 15:34 23552 msuhfcx.exe.qoo
06-11-16 17:51 349 kjdgl.dll.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Lissa\Application Data\Dxccwrd.dll
C:\Documents and Settings\Lissa\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Lissa\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Common Files\misc002
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{30AAB153-063B-1033-0430-040323040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Lissa\Application Data\SKS~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\i?xplore_exe.vir
C:\QooBox\Purity\Program Files\ICROSO~1.NET\bak
C:\QooBox\Purity\Program Files\ICROSO~1.NET\ICROSO~1.NET
C:\QooBox\Purity\Program Files\ICROSO~1.NET\wuauclt.exe
C:\QooBox\Purity\WINDOWS\CROSOF~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\MBOLS~1
C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\SMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-16 18:31 732,309 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2006-11-16 17:16 126,996 --a------ C:\WINDOWS\system32\qptivimf.dll
2006-11-16 14:44 126,976 --a------ C:\WINDOWS\system32\rvxj.dll
2006-11-12 22:25 131,072 --------- C:\WINDOWS\system32\mqfl.dll
2006-11-12 01:35 732,526 ---hs---- C:\WINDOWS\system32\klnmp.ini2
2006-11-11 18:44 126,976 --------- C:\WINDOWS\system32\hncfmyog.dll
2006-11-11 18:43 110,612 --a------ C:\WINDOWS\system32\jhywcnsa.exe
2006-11-11 18:25 692,276 --------- C:\WINDOWS\system32\pmnlk.dll
2006-11-09 15:40 692,276 ---hs---- C:\WINDOWS\system32\ssttu.dll
2006-11-09 15:35 227,376 -r-hs---- C:\WINDOWS\xupcstgA.exe
2006-11-09 15:34 28,672 --a------ C:\WINDOWS\system32\pfbo0yj.exe
2006-11-09 15:34 28,672 --a------ C:\WINDOWS\system32\hlvi6wkjc.exe
2006-11-09 15:34 24,576 --a------ C:\WINDOWS\system32\ysjaevwx.exe
2006-11-09 15:34 200,704 --a------ C:\WINDOWS\system32\p2jlseh8.dll
2006-11-09 15:33 40,973 ---hs---- C:\WINDOWS\system32\wvuttrr.dll
2006-11-09 15:33 135,168 --a------ C:\WINDOWS\system32\e0pnii5i6.exe
2006-11-03 13:33 76,736 --a------ C:\WINDOWS\MySpaceIM_Setup.exe
2006-10-17 09:11 45,985 --a------ C:\WINDOWS\system32\ViscalcUninstaller.exe
2006-10-17 09:11 405,504 --a------ C:\WINDOWS\system32\vcbhoerh.dll
2006-10-17 09:11 36,864 --a------ C:\WINDOWS\system32\vismersb.exe
2006-10-17 09:11 118,784 --a------ C:\WINDOWS\system32\italfds.exe
2006-10-16 04:25 139,282 --a------ C:\set.exe
2006-10-16 04:16 918 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-16 04:16 44,888 --a------ C:\WINDOWS\system32\CAUnst.exe
2006-10-16 04:16 409,600 --------- C:\WINDOWS\system32\tcblusoh.dll
2006-10-16 04:16 36,864 --a------ C:\WINDOWS\system32\slimxcqy.exe
2006-10-16 04:16 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-10-16 04:16 221,523 --a------ C:\WINDOWS\1011_justin.exe
2006-10-16 04:16 1,259 --a------ C:\WINDOWS\system32\omcde359.sys
2006-10-16 04:11 2 --a------ C:\WINDOWS\system32\wtssvit.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 18:39 -------- d-a------ C:\Program Files\Common Files
2006-11-16 14:44 -------- d-------- C:\Documents and Settings\Lissa\Application Data\ąppPatch
2006-11-15 13:45 -------- d-------- C:\Program Files\QuickTime
2006-11-15 13:42 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 13:40 -------- d-------- C:\Program Files\Common Files\rzzo
2006-11-12 00:43 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-09 17:37 -------- d-------- C:\Program Files\Messenger
2006-11-07 15:49 -------- d-------- C:\Program Files\Morpheus
2006-11-03 13:36 -------- d-------- C:\Documents and Settings\Lissa\Application Data\MySpace
2006-11-03 13:35 -------- d-------- C:\Program Files\MySpace
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-10-11 12:56 115134 --a------ C:\WINDOWS\system32\justin.exe
2006-10-11 11:37 96911 --a------ C:\WINDOWS\system32\ts_www.exe
2006-09-29 01:24 73748 --a------ C:\WINDOWS\system32\loouoieg.dll
2006-09-29 01:24 45525 --a------ C:\WINDOWS\system32\nrkcklpo.dll
2006-09-27 22:49 45525 --a------ C:\WINDOWS\system32\nredfiot.dll
2006-09-27 22:14 45525 --a------ C:\WINDOWS\system32\oigqijoo.dll
2006-09-27 21:56 45525 --a------ C:\WINDOWS\system32\vrbfgvev.dll
2006-09-27 21:56 143380 --a------ C:\WINDOWS\system32\abclmnfd.exe
2006-09-27 21:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-27 21:44 94720 --a------ C:\WINDOWS\system32\dcdfami.dll
2006-09-27 21:44 72704 --a------ C:\WINDOWS\system32\aejgdii.dll
2006-09-18 00:34 -------- d-------- C:\Program Files\AIM
2006-09-15 16:21 53248 --a------ C:\WINDOWS\uninst108.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aaou"="\"C:\\PROGRA~1\\ICROSO~1.NET\\wuauclt.exe\" -vt ndrv"
"Ixu"="C:\\Documents and Settings\\Lissa\\Application Data\\?ppPatch\\l?gonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\xunyk.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\vilohob.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="C:\\WINDOWS\\System32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ItalU"="C:\\WINDOWS\\System32\\italfds.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ItalU"="C:\\WINDOWS\\System32\\italfds.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C7CF1142-0785-4B12-A280-B64681E4D45E}"="z"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"aaahtm"="C:\\WINDOWS\\System32\\aaahtm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Chckup"="C:\\WINDOWS\\System32\\Netverchk.exe"
"Aaou"="\"C:\\PROGRA~1\\ICROSO~1.NET\\wuauclt.exe\" -vt ndrv"
"DeluxeCommunications"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DeluxeCommunications"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061116-012921-468
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Utilities\Spybot-SD\SpybotSD.exe" /autocheck
backup-20061112-224354-634
O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\ICROSO~1.NET\wuauclt.exe" -vt ndrv
backup-20061112-224354-413
O4 - HKCU\..\Run: [Icr] C:\Program Files\Common Files\F?nts\i?xplore.exe
backup-20061112-224354-717
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061112-184019-155
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20061112-184019-422
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20061112-184019-621
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20061112-183837-670
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20061112-183734-613
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20061112-183734-393
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20061112-183734-696
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
Completion time: 06-11-16 18:42:10.59
C:\ComboFix.txt ... 06-11-16 18:42

CaveatEmpty
2006-11-17, 01:19
++ And the Second / Last:
========================================================

Lissa - 06-11-16 18:45:07.89 Service Pack 1
ComboFix 06.11.9 - Running from: "C:\Utilities"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Lissa\Application Data\SKS~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\i?xplore_exe.vir
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1\rundll32.exe
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1\??sembly
C:\QooBox\Purity\Program Files\ICROSO~1.NET\bak
C:\QooBox\Purity\Program Files\ICROSO~1.NET\ICROSO~1.NET
C:\QooBox\Purity\Program Files\ICROSO~1.NET\wuauclt.exe
C:\QooBox\Purity\WINDOWS\CROSOF~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\MBOLS~1
C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\SMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-16 18:31 731,683 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2006-11-16 17:16 126,996 --a------ C:\WINDOWS\system32\qptivimf.dll
2006-11-16 14:44 126,976 --a------ C:\WINDOWS\system32\rvxj.dll
2006-11-12 22:25 131,072 --------- C:\WINDOWS\system32\mqfl.dll
2006-11-12 01:35 731,747 ---hs---- C:\WINDOWS\system32\klnmp.ini2
2006-11-11 18:44 126,976 --------- C:\WINDOWS\system32\hncfmyog.dll
2006-11-11 18:43 110,612 --a------ C:\WINDOWS\system32\jhywcnsa.exe
2006-11-11 18:25 692,276 --------- C:\WINDOWS\system32\pmnlk.dll
2006-11-09 15:40 692,276 ---hs---- C:\WINDOWS\system32\ssttu.dll
2006-11-09 15:35 227,376 -r-hs---- C:\WINDOWS\xupcstgA.exe
2006-11-09 15:34 28,672 --a------ C:\WINDOWS\system32\pfbo0yj.exe
2006-11-09 15:34 28,672 --a------ C:\WINDOWS\system32\hlvi6wkjc.exe
2006-11-09 15:34 24,576 --a------ C:\WINDOWS\system32\ysjaevwx.exe
2006-11-09 15:34 200,704 --a------ C:\WINDOWS\system32\p2jlseh8.dll
2006-11-09 15:33 40,973 ---hs---- C:\WINDOWS\system32\wvuttrr.dll
2006-11-09 15:33 135,168 --a------ C:\WINDOWS\system32\e0pnii5i6.exe
2006-11-03 13:33 76,736 --a------ C:\WINDOWS\MySpaceIM_Setup.exe
2006-10-17 09:11 45,985 --a------ C:\WINDOWS\system32\ViscalcUninstaller.exe
2006-10-17 09:11 405,504 --a------ C:\WINDOWS\system32\vcbhoerh.dll
2006-10-17 09:11 36,864 --a------ C:\WINDOWS\system32\vismersb.exe
2006-10-17 09:11 118,784 --a------ C:\WINDOWS\system32\italfds.exe
2006-10-16 04:25 139,282 --a------ C:\set.exe
2006-10-16 04:16 918 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-16 04:16 44,888 --a------ C:\WINDOWS\system32\CAUnst.exe
2006-10-16 04:16 409,600 --------- C:\WINDOWS\system32\tcblusoh.dll
2006-10-16 04:16 36,864 --a------ C:\WINDOWS\system32\slimxcqy.exe
2006-10-16 04:16 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-10-16 04:16 221,523 --a------ C:\WINDOWS\1011_justin.exe
2006-10-16 04:16 1,259 --a------ C:\WINDOWS\system32\omcde359.sys
2006-10-16 04:11 2 --a------ C:\WINDOWS\system32\wtssvit.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 18:45 -------- d-a------ C:\Program Files\Common Files
2006-11-16 14:44 -------- d-------- C:\Documents and Settings\Lissa\Application Data\ąppPatch
2006-11-15 13:45 -------- d-------- C:\Program Files\QuickTime
2006-11-15 13:42 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 13:40 -------- d-------- C:\Program Files\Common Files\rzzo
2006-11-12 00:43 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-09 17:37 -------- d-------- C:\Program Files\Messenger
2006-11-07 15:49 -------- d-------- C:\Program Files\Morpheus
2006-11-03 13:36 -------- d-------- C:\Documents and Settings\Lissa\Application Data\MySpace
2006-11-03 13:35 -------- d-------- C:\Program Files\MySpace
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-10-11 12:56 115134 --a------ C:\WINDOWS\system32\justin.exe
2006-10-11 11:37 96911 --a------ C:\WINDOWS\system32\ts_www.exe
2006-09-29 01:24 73748 --a------ C:\WINDOWS\system32\loouoieg.dll
2006-09-29 01:24 45525 --a------ C:\WINDOWS\system32\nrkcklpo.dll
2006-09-27 22:49 45525 --a------ C:\WINDOWS\system32\nredfiot.dll
2006-09-27 22:14 45525 --a------ C:\WINDOWS\system32\oigqijoo.dll
2006-09-27 21:56 45525 --a------ C:\WINDOWS\system32\vrbfgvev.dll
2006-09-27 21:56 143380 --a------ C:\WINDOWS\system32\abclmnfd.exe
2006-09-27 21:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-27 21:44 94720 --a------ C:\WINDOWS\system32\dcdfami.dll
2006-09-27 21:44 72704 --a------ C:\WINDOWS\system32\aejgdii.dll
2006-09-18 00:34 -------- d-------- C:\Program Files\AIM
2006-09-15 16:21 53248 --a------ C:\WINDOWS\uninst108.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aaou"="\"C:\\PROGRA~1\\COMMON~1\\SEMBLY~1\\rundll32.exe\" -vt ndrv"
"Ixu"="C:\\Documents and Settings\\Lissa\\Application Data\\?ppPatch\\l?gonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\xunyk.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\vilohob.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="C:\\WINDOWS\\System32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ItalU"="C:\\WINDOWS\\System32\\italfds.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ItalU"="C:\\WINDOWS\\System32\\italfds.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C7CF1142-0785-4B12-A280-B64681E4D45E}"="z"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"aaahtm"="C:\\WINDOWS\\System32\\aaahtm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Chckup"="C:\\WINDOWS\\System32\\Netverchk.exe"
"Aaou"="\"C:\\PROGRA~1\\ICROSO~1.NET\\wuauclt.exe\" -vt ndrv"
"DeluxeCommunications"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DeluxeCommunications"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-16 18:45:39.31
C:\ComboFix.txt ... 06-11-16 18:45
C:\ComboFix2.txt ... 06-11-16 18:42

================================================
:oops: I see DeluxeCommunications is popping in-- again --
I got the info on that from BleepingComputer, & thought we'd killed it two days ago. Guess not.

How's that phrase ~ "Bloody Hell" ?? :bigthumb:

/.
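The two ComboFix logs above show the same masquerading tricks over and over: a Run value launching "C:\PROGRA~1\ICROSO~1.NET\wuauclt.exe" (the genuine Microsoft.NET folder would shorten to MICROS~1.NET; the short name here survives only because the lookalike first character of the folder name was dropped), "?ppPatch\l?gonui.exe" and "F?nts\i?xplore.exe" where the '?' marks a non-ASCII lookalike character, "SEMBLY~1\rundll32.exe" under Common Files, plus freshly created files in system32 carrying hidden+system attributes (---hs----). The following Python script is an added example, not code from the original post or from ComboFix; it parses pasted "Reg Loading Points" and "Files Created" lines and flags exactly those patterns. The MASQUERADE_NAMES list, the LEGIT_SYSTEM_DIRS tuple and the SAMPLE text (lines copied from the logs above, embedded so the script runs offline) are assumptions of the example.

```python
"""Triage helper for the ComboFix 'Reg Loading Points' / 'Files Created'
lines pasted in this thread.  Added example, not part of the original post
or of ComboFix itself.  It flags:
  * 8.3 short names (ICROSO~1.NET) that hide the real directory name,
  * '?' or non-ASCII characters in a path (lookalike directories such as
    ?ppPatch / F?nts / ??sembly),
  * a Windows binary name (wuauclt.exe, rundll32.exe, ...) living outside a
    Windows directory,
  * hidden+system attributes on freshly created files.
"""
import re
from dataclasses import dataclass

# Assumed list of system binary names borrowed by the malware in the logs.
MASQUERADE_NAMES = ("wuauclt.exe", "rundll32.exe", "logonui.exe", "iexplore.exe",
                    "svchost.exe", "explorer.exe")
# Assumed: the only places a genuine copy of those binaries should live.
LEGIT_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\internet explorer\\")

SHORT_NAME = re.compile(r"~\d+")                       # e.g. ICROSO~1.NET, PROGRA~1
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
FILE_LINE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+)\s+"
                       r"(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")

# Constructed sample: lines copied from the ComboFix logs in this thread.
SAMPLE = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aaou"="\"C:\\PROGRA~1\\ICROSO~1.NET\\wuauclt.exe\" -vt ndrv"
"Ixu"="C:\\Documents and Settings\\Lissa\\Application Data\\?ppPatch\\l?gonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
2006-11-16 18:31 732,309 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2006-11-16 17:16 126,996 --a------ C:\WINDOWS\system32\qptivimf.dll
2006-11-09 15:35 227,376 -r-hs---- C:\WINDOWS\xupcstgA.exe
'''


@dataclass
class Finding:
    path: str
    reasons: list


def _unescape(data: str) -> str:
    """regedit exports write \\\\ for a backslash and \\" for a quote."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def _exe_path(data: str) -> str:
    """Extract the program path from a Run value's command line."""
    data = _unescape(data).strip()
    if data.startswith('"'):                       # quoted path: stop at closing quote
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.search(r"\.exe\b", data, re.IGNORECASE)  # unquoted path may contain spaces
    return data[:m.end()] if m else data.split(" ")[0]


def _looks_like(basename: str):
    """Match a basename against MASQUERADE_NAMES; '?' and non-ASCII act as wildcards."""
    b = basename.lower()
    for name in MASQUERADE_NAMES:
        if len(b) == len(name) and all(x == y or x == "?" or ord(x) > 127
                                       for x, y in zip(b, name)):
            return name
    return None


def check_path(path: str) -> list:
    """Return the reasons a path from a loading point or file listing is suspicious."""
    reasons = []
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("'?'/non-ASCII character in path: lookalike directory or file name")
    if SHORT_NAME.search(path):
        reasons.append("8.3 short name in path hides the real directory name")
    basename = path.rsplit("\\", 1)[-1]
    twin = _looks_like(basename)
    # A bare name (no backslash) is resolved from the search path, so only
    # a full path outside the Windows directories is suspicious.
    if twin and "\\" in path and not path.lower().startswith(LEGIT_SYSTEM_DIRS):
        reasons.append(f"named like {twin} but lives outside a Windows directory")
    return reasons


def triage(log_text: str) -> list:
    """Scan pasted log lines and return one Finding per suspicious path."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reg = REG_VALUE.match(line)
        fil = FILE_LINE.match(line)
        if reg:
            path = _exe_path(reg["data"])
            reasons = check_path(path)
        elif fil:
            path = fil["path"].strip()
            reasons = check_path(path)
            if "h" in fil["attrs"] and "s" in fil["attrs"]:
                reasons.append(f"hidden+system attributes ({fil['attrs']}) on a new file")
        else:
            continue
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run it against a whole pasted ComboFix log and it lists each suspicious path with its reasons; legitimate entries such as the bare "AGRSMMSG.exe" or "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" produce no finding, because a bare binary name is resolved from the search path and the DLL argument is not the program being launched.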

CaveatEmpty
2006-11-17, 17:05
Well, it's a new day ~ Hope you got some sleep, Steamwiz :)

We took another go at Trend last night ~ wouldn't run: long story short, Java had been trashed.
Got an update, & voila ~ HJT actually gave up a log! Well, once.

** Got the new S&D defs ~ still giving me Command Service hits:
[ HKLM\SYSTEM\CurrentControlSet\Services\cmdService ]
[ HKLM\SYSTEM\ControlSet001\Services\cmdService ]
[ HKLM\SYSTEM\ControlSet002\Services\cmdService ]
~ the first two just will NOT go away ~ ever.

Registry search gives up some LEGACY_CMDSERVICE stuff; looks like it just goes round in circles. Ugh.

** S&D also spit out a fresh hit for Winhound (as PS?-something), another Smitfraud-C.Toolbar888, SaferSurfing, & SexList.
From another thread, ran VundoFix & got this log:

=========================================================
VundoFix V6.2.8

Checking Java version...

Scan started at 9:26:28 AM 11/17/2006

Listing files found while scanning....

C:\WINDOWS\system32\aejgdii.dll
C:\WINDOWS\system32\loouoieg.dll
C:\WINDOWS\system32\nredfiot.dll
C:\WINDOWS\system32\nrkcklpo.dll
C:\WINDOWS\system32\oigqijoo.dll
C:\WINDOWS\system32\vrbfgvev.dll
C:\WINDOWS\system32\abclmnfd.exe
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aejgdii.dll
C:\WINDOWS\system32\aejgdii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\loouoieg.dll
C:\WINDOWS\system32\loouoieg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nredfiot.dll
C:\WINDOWS\system32\nredfiot.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nrkcklpo.dll
C:\WINDOWS\system32\nrkcklpo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oigqijoo.dll
C:\WINDOWS\system32\oigqijoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vrbfgvev.dll
C:\WINDOWS\system32\vrbfgvev.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\abclmnfd.exe
C:\WINDOWS\system32\abclmnfd.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.ini
C:\WINDOWS\System32\klnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.bak1
C:\WINDOWS\System32\klnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.ini2
C:\WINDOWS\System32\klnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.tmp
C:\WINDOWS\System32\klnmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!
=========================================================

;) ** S&D now hits only Command Service.

Finally ~ the last HJT 'Startup' report - shortened edition:
=========================================================
StartupList report, 11/17/2006, 9:54:59 AM
StartupList version: 1.52.2
Started from : C:\Utilities\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\HiJackThis\HijackThis.exe

--------------------------------------------------
Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe,

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
AGRSMMSG = AGRSMMSG.exe
SunJavaUpdateSched = "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"

--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\dcdfami.dll (disabled by BHODemon) - {284E6AAB-E798-A473-78E5-090AD41123F8}
(no name) - C:\Utilities\Spybot-SD\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\pmnlk.dll (file missing) - {5430FCE2-B98E-416F-BDFA-C8D59B3F1AF3}
(no name) - C:\WINDOWS\System32\vcbhoerh.dll (disabled by BHODemon) - {59F4F380-01A0-4083-9FA4-E3B827319F7E}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\WINDOWS\System32\aejgdii.dll (disabled by BHODemon) (file missing) - {72662A35-91B9-AB38-ED74-076F63CC8993}
(no name) - (no file) - {790169F7-11A3-437E-8F9B-8132508ABFB4}
(no name) - C:\WINDOWS\System32\rvxj.dll (disabled by BHODemon) - {A1144F4C-848A-F42A-8BAB-A52896713BED}
(no name) - C:\WINDOWS\System32\p2jlseh8.dll (disabled by BHODemon) - {A16AC1F4-BCA7-4401-B5F5-22240F78E776}
(no name) - (no file) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
(no name) - C:\WINDOWS\System32\hncfmyog.dll (disabled by BHODemon) - {F8111919-8888-A62C-8CAB-A528967137EA}

--------------------------------------------------
Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\System32\odc.dll
CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

[Slide Image Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = http://www.slide.com/uploader/SlideImageUploader.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163715720625

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Documents and Settings\Lissa\Local Settings\temp\~DFADCC.tmp||C:\Documents and Settings\Lissa\Cookies\index.dat||C:\Documents and Settings\Lissa\Local Settings\temp\~DFADCC.tmp||C:\Documents and Settings\Lissa\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Lissa\cookies\index.dat||C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\LocalService\cookies\index.dat

--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

aaahtm = C:\WINDOWS\System32\aaahtm.exe
--------------------------------------------------
End of report, 6,355 bytes
Report generated in 0.031 seconds
=========================================================

;) and... it seems there's a HS folder stuck in RECYCLE: [S-1-5-21-117609710-436374069-725345532-500] ~ contains file INFO2 (no ext) ~ 20 bytes of HEX.

Maybe it'll be a good day after all :)
Thanks!

/.

steamwiz
2006-11-17, 18:05
HI

Can't give it a complete looking over for a couple of hours yet ... 5pm here ... usually start working on logs about 8pm

don't worry about the CMDSERVICE ... that's not reinfecting anything .. we can deal with that last...

I'm glad you ran vundofix, that would have been my next request after seeing the combofix log...

But I'd like you to run it again and post a new log, I'm not sure it got everything...

did you notice in your first startuplist it said ...

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------
This time round we get ...

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\dcdfami.dll (disabled by BHODemon) - {284E6AAB-E798-A473-78E5-090AD41123F8}
(no name) - C:\Utilities\Spybot-SD\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\pmnlk.dll (file missing) - {5430FCE2-B98E-416F-BDFA-C8D59B3F1AF3}
(no name) - C:\WINDOWS\System32\vcbhoerh.dll (disabled by BHODemon) - {59F4F380-01A0-4083-9FA4-E3B827319F7E}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\WINDOWS\System32\aejgdii.dll (disabled by BHODemon) (file missing) - {72662A35-91B9-AB38-ED74-076F63CC8993}
(no name) - (no file) - {790169F7-11A3-437E-8F9B-8132508ABFB4}
(no name) - C:\WINDOWS\System32\rvxj.dll (disabled by BHODemon) - {A1144F4C-848A-F42A-8BAB-A52896713BED}
(no name) - C:\WINDOWS\System32\p2jlseh8.dll (disabled by BHODemon) - {A16AC1F4-BCA7-4401-B5F5-22240F78E776}
(no name) - (no file) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
(no name) - C:\WINDOWS\System32\hncfmyog.dll (disabled by BHODemon) - {F8111919-8888-A62C-8CAB-A528967137EA}

--------------------------------------------------
That's because you removed vundo (or at least most of it)

Can you find the hijackthis.exe file and rename it to CaveatEmpty.exe ... then see if it will produce a hijackthis log ?

Catch you later...

steam

CaveatEmpty
2006-11-17, 21:36
OK Steamwiz ~
Gave VundoFix another run ~ came up dry :p:

I think the (disabled by BHODemon) items came compliments of [S&D > Tools > SystemStartup]: VERY cool feature, by the way!!
After any number of reboots with no apparent effect, we dumped 'em all.

=================================================
VundoFix V6.2.8
Checking Java version...
Scan started at 9:26:28 AM 11/17/2006
Listing files found while scanning....

C:\WINDOWS\system32\aejgdii.dll
C:\WINDOWS\system32\loouoieg.dll
C:\WINDOWS\system32\nredfiot.dll
C:\WINDOWS\system32\nrkcklpo.dll
C:\WINDOWS\system32\oigqijoo.dll
C:\WINDOWS\system32\vrbfgvev.dll
C:\WINDOWS\system32\abclmnfd.exe
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\klnmp.ini *
C:\WINDOWS\System32\klnmp.bak1 *
C:\WINDOWS\System32\klnmp.ini2 *
C:\WINDOWS\System32\klnmp.tmp *
<-- * (note: there were LOTS of these -- edited for the sake of the list )

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aejgdii.dll
C:\WINDOWS\system32\aejgdii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\loouoieg.dll
C:\WINDOWS\system32\loouoieg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nredfiot.dll
C:\WINDOWS\system32\nredfiot.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nrkcklpo.dll
C:\WINDOWS\system32\nrkcklpo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oigqijoo.dll
C:\WINDOWS\system32\oigqijoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vrbfgvev.dll
C:\WINDOWS\system32\vrbfgvev.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\abclmnfd.exe
C:\WINDOWS\system32\abclmnfd.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\pmnlk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.ini
C:\WINDOWS\System32\klnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.bak1
C:\WINDOWS\System32\klnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.ini2
C:\WINDOWS\System32\klnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klnmp.tmp
C:\WINDOWS\System32\klnmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!
=================================================

;) Trend is still showing some hits; BitDefender is a bit more positive: ~err... and I see it saved as HTML .. anyway, tagged & killed stuff that was parked by Trend, and earlier, Qoo; those entries & backups are now all deleted.

and the latest HJT ~ now working as renamed: (the bugs are getting smarter? )
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 3:05:51 PM, on 11/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Utilities\HiJackThis\CaveatEmptyHJT.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot-SD\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Utilities\Spybot-SD\SpybotSD.exe" /autocheck
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163715720625
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
=================================================

;) For the moment, it appears that she's back in business ~ at least we can actually leave IE open & do some work/surfing!

I'm looking forward to seeing what's up with the COMMAND situation ~ from the other threads, it may-or-may-not be entirely bad?
No rush ~ gonna be offline for the next 48 hrs or so anyway.

Enjoy the weekend. :D:
/.
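Steamwiz reads the BHO enumeration by eye (entries whose DLL is gone, ones BHODemon disabled, Spybot's own SDHelper), and the later HijackThis log shows the same kind of entry in O2 form. The following is an added example, not code from the thread or from HijackThis, that classifies such lines from both the StartupList format and the HijackThis O2 format; the sample lines are copied from the thread's logs and the trusted-CLSID allow-list is an assumption.

```python
"""Classify Browser Helper Object (BHO) lines from StartupList and HijackThis logs.
Added example for this thread, not code from the forum or from HijackThis; the
sample lines are copied from the thread's logs and the trusted-CLSID allow-list is
an assumption (SDHelper.dll is Spybot's own BHO)."""
import re
from dataclasses import dataclass

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# StartupList format:  (name) - <path and flags> - {CLSID}
STARTUPLIST_RE = re.compile(r"^\((?P<name>[^)]*)\) - (?P<body>.*) - (?P<clsid>" + CLSID + r")\s*$")
# HijackThis format:   O2 - BHO: <name> - {CLSID} - <path and flags>
HJT_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<body>.*)$")

@dataclass
class Bho:
    clsid: str
    path: str    # "" when the log reports "(no file)"
    status: str  # "orphaned", "disabled", "trusted" or "active"

def parse_bho(line, trusted_clsids=frozenset()):
    """Return a Bho for a BHO line in either log format, or None for any other line."""
    m = HJT_RE.match(line) or STARTUPLIST_RE.match(line)
    if not m:
        return None
    path, flags = m.group("body").strip(), set()
    # Peel trailing annotations like "(file missing)" / "(disabled by BHODemon)"; only
    # trailing groups are stripped, so a path such as "C:\Program Files (x86)\..." survives.
    while (t := re.search(r"\s*\(([^()]*)\)\s*$", path)):
        flags.add(t.group(1))
        path = path[:t.start()]
    clsid = m.group("clsid").upper()
    if path == "" or "no file" in flags or "file missing" in flags:
        status = "orphaned"   # registry entry with no DLL behind it: leftover to clean up
    elif any(f.startswith("disabled by") for f in flags):
        status = "disabled"   # still registered, only neutralised by a tool
    elif clsid in trusted_clsids:
        status = "trusted"
    else:
        status = "active"     # unknown live BHO: the lines worth investigating first
    return Bho(clsid, path, status)

def summarize(log_text, trusted_clsids=frozenset()):
    """Count BHOs by status, e.g. to compare two StartupList reports of one machine."""
    counts = {"orphaned": 0, "disabled": 0, "trusted": 0, "active": 0}
    for line in log_text.splitlines():
        if (bho := parse_bho(line, trusted_clsids)):
            counts[bho.status] += 1
    return counts

TRUSTED_CLSIDS = frozenset({"{53707962-6F74-2D53-2644-206D7942484F}"})  # Spybot's SDHelper
SAMPLE_LOG = r"""
(no name) - C:\WINDOWS\System32\dcdfami.dll (disabled by BHODemon) - {284E6AAB-E798-A473-78E5-090AD41123F8}
(no name) - C:\Utilities\Spybot-SD\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\pmnlk.dll (file missing) - {5430FCE2-B98E-416F-BDFA-C8D59B3F1AF3}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\WINDOWS\System32\aejgdii.dll (disabled by BHODemon) (file missing) - {72662A35-91B9-AB38-ED74-076F63CC8993}
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot-SD\SDHelper.dll
"""
```

Running `summarize(SAMPLE_LOG, TRUSTED_CLSIDS)` on the sample gives three orphaned, one disabled and two trusted entries and no unknown active BHO, which is the state the thread's second StartupList report reflects after the VundoFix run.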

steamwiz
2006-11-18, 01:01
HI

Your java is way out of date...

you have this running :-

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"

Didn't you get a lot of alerts in your systray telling you to update it ?

Go to add/remove programs and uninstall any earlier versions ...

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 9' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

---
you've removed so much rubbish, the hijackthis log is clean



Trend is still showing some hits; BitDefender is a bit more positive: ~err... and I see it saved as HTML .. anyway, tagged & killed stuff that was parked by Trend, and earlier, Qoo; those entries & backups are now all deleted.


In fact you've run and removed so much, I've no idea what is left to do ...

Please post a new combofix ... there will be many more files to delete...

---
Please download and unzip Ren-cmdservice to your desktop.
It will only work if the folder is placed on your desktop and extracted.

http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by doubleclicking it and then doubleclick the ren-cmdservice.bat file to run the program.
When the program finishes there will be a logit.txt file in the ren-cmdservice folder; post the content of that file on the forum please, then restart your PC and do a check for problems with SpyBot.

steam

tashi
2006-11-27, 18:48
CaveatEmpty this topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.