-
I get popups and Trojans; AVG and S&B don't remove them, or they reappear
Logfile of HijackThis v1.99.1
Scan saved at 10:47:30 a.m., on 9/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\linkprd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\??sks\j?vaw.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ie/...arch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://au.rd.yahoo.com/customize/ie/...arch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ie/...arch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ie/...arch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/...x/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
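Added example, not code from this thread or from HijackThis: a small Python triage pass over entry lines in the format of the log above, flagging what a reviewer looks for first (a `?` inside a filesystem path, which HijackThis prints for characters it cannot render; orphaned `(file missing)`/`(no file)` entries; unnamed BHOs; the O17 name servers). The sample lines are copied from the log above; the flag wording and the `Finding` structure are my own.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
"""

# An entry line starts with its section code (R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# URLs legitimately contain '?', so they are removed before the path check.
URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why a reviewer should look at this line
    line: str    # the log line, verbatim


def parse_entries(text):
    """Yield (kind, body, line) for each entry line; ignore everything else."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(text):
    """Return the review flags raised by the entry lines in `text`."""
    findings = []
    for kind, body, line in parse_entries(text):
        # 1. HijackThis prints '?' for characters it cannot render, so a '?'
        #    left after stripping URLs means a non-ASCII (look-alike) name.
        if "?" in URL_RE.sub("", body):
            findings.append(Finding(kind, "non-printable character in path", line))
        # 2. Orphaned entries: the registry still points at a file that is gone.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(kind, "orphaned entry (file missing)", line))
        # 3. Unnamed BHOs load into every Internet Explorer process. Legitimate
        #    ones exist (Spybot's SDHelper.dll), so this is "verify", not a verdict.
        if kind == "O2" and body.startswith("BHO: (no name)") and "(no file)" not in body:
            findings.append(Finding(kind, "unnamed BHO, verify the DLL", line))
        # 4. O17 lists the DNS servers in use; confirm they belong to the ISP.
        if kind == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1]
            findings.append(Finding(kind, f"DNS servers set to {servers}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```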
-
Visiting Fellow
Hello,
* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
-
-
Visiting Fellow
Hi,
Looks like you were dealing with the Alcan/Alcra worm previously as well which created a dummy cmd.com.
Please close combofix and the cmd.com window.
Then,
Perform next step first to fix what the Alcan/Alcra worm modified.
* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcom...planation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe
Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:
http://metallica.geekstogo.com/alcanshorty.bfu
Click Ok.
Then click execute in Brute Force Uninstaller.
Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from the above URL ( right-click on it and choose 'save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.
Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program
Then try Combofix again. Please don't run Combofix in Windows safe mode, because it's not that effective there. Combofix should be run in Windows Normal mode.
-
U R Awesome!! Pg1
Wow, r u single?
Here's the combo fix log, I'll post the hijackthis one in a minute!
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-11 0:10:30 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{700B6110-7FEC-4883-96A2-2606E9432D8B}\InprocServer32]
@="C:\\WINDOWS\\system32\\wahtcpip.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{2810488D-4DBC-49F1-B7F2-5FF052090171}\InprocServer32]
@="C:\\WINDOWS\\system32\\pVpgasvc.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{586EC2AA-63D0-4FA7-8DE1-3406304EEB16}\InprocServer32]
@="C:\\WINDOWS\\system32\\dBdim700.dll"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
C:\WINDOWS\system32\aqi2cqag.dll
C:\WINDOWS\system32\avptif.dll
C:\WINDOWS\system32\cVpesnpn.dll
C:\WINDOWS\system32\FV20ENU.DLL
C:\WINDOWS\system32\ii32_32.dll
C:\WINDOWS\system32\j42qlef51h2.dll
C:\WINDOWS\system32\jt8207loe.dll
C:\WINDOWS\system32\jtjo0713e.dll
C:\WINDOWS\system32\mktscax.dll
C:\WINDOWS\system32\mxlbui.dll
C:\WINDOWS\system32\nlmkcert.dll
C:\WINDOWS\system32\p64u0gh9e64.dll
C:\WINDOWS\system32\sts.dll
Granting SeDebugPrivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Guest\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\Guest\APPLIC~1\Dxcuknwrd.dll
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\78463DRY\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Owner\APPLIC~1.\pppatc~1
C:\DOCUME~1\Owner\APPLIC~1.\racle~1
C:\DOCUME~1\Owner\APPLIC~1\Dxccwrd.dll
C:\DOCUME~1\Owner\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\Owner\APPLIC~1\Dxcuknwrd.dll
C:\Program Files\Common Files\{AC22A~1
C:\Program Files\Common Files\{AC22A~1\Update.exe
C:\Program Files\Common Files\{AC22A~2
C:\Program Files\Common Files\{AC22A~2\system.dll
C:\Program Files\Common Files\{AC22A~2\Update.exe
C:\Program Files\deluxecommunications
C:\Program Files\deluxecommunications\Dxc.exe
C:\Program Files\deluxecommunications\DxcBho.dll
C:\Program Files\deluxecommunications\DxcCore.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\j?vaw.exe
C:\Program Files\smante~1
C:\Program Files\tclock\tclock_install.exe
C:\Program Files\windows
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\T1
C:\WINDOWS\system32\T1\nic32.exe
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\asdll.exe
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\windows.exe
C:\WINDOWS\system32\wnstsiit32.exe
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_NM
-------\LEGACY_NPF
-------\core
-------\nm
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))
2007-06-11 00:09 <DIR> d-------- C:\bintheredunthat
2007-06-11 00:02 <DIR> d-------- C:\BFU
2007-06-10 21:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 19:29 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-09 18:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-09 15:34 2,044 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-08 23:48 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-08 23:48 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-08 23:48 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-08 23:48 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-08 23:48 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-08 23:48 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-08 23:48 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-08 23:48 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-06-08 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-08 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-08 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-08 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-08 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-08 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-08 20:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-08 11:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-08 11:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-08 10:11 <DIR> d-------- C:\SmitRem
2007-06-08 08:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 18:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-31 18:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 18:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 18:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-28 20:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-27 12:29 60,928 --a------ C:\WINDOWS\system32\igej.dll
2007-05-27 12:29 <DIR> d-------- C:\WINDOWS\system32\T3QaSQ
2007-05-26 09:01 <DIR> d-------- C:\Program Files\DC++
2007-05-25 22:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-25 22:44 2,301 --a------ C:\WINDOWS\mozver.dat
2007-05-25 15:34 <DIR> d-------- C:\Program Files\Google
2007-05-25 15:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-25 15:28 15,714,552 --a------ C:\Program Files\Google_Earth_BZXV.exe
2007-05-23 03:15 <DIR> d--hs---- C:\UWA7P
2007-05-23 03:14 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-23 03:14 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-23 03:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 02:26 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Free
2007-05-23 01:57 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-05-23 01:57 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-05-23 01:57 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-05-23 01:57 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-05-23 01:57 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-05-23 01:57 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-05-23 01:57 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-23 01:57 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-05-22 23:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 23:43 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-21 04:08 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ableton
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
2007-05-14 18:54 <DIR> d-------- C:\Program Files\Vodei
2007-05-13 13:48 42,333 --a------ C:\WINDOWS\system32\xrljvnocxl.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 12:14:05 -------- d-----w C:\Program Files\TClock
2007-06-09 04:28:07 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-08 10:06:32 -------- d-----w C:\Program Files\DivX
2007-05-31 16:32:21 -------- d-----w C:\Program Files\Common Files\wwmf
2007-05-30 07:48:40 -------- d-----w C:\Program Files\ErrorSafe Free
2007-05-29 09:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 09:58:06 -------- d-----w C:\Program Files\Microsoft Works
2007-05-25 06:12:21 10,706 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-25 01:27:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-05-22 12:25:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-20 10:04:54 -------- d-----w C:\Program Files\Cooledit
2007-05-19 06:51:27 -------- d-----w C:\Program Files\VirtualDJ
2007-05-09 02:18:02 35,247 ----a-w C:\WINDOWS\system32\wlnwli.exe
2007-05-08 15:42:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
2007-05-08 15:16:10 151,320 ----a-w C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
2007-05-08 01:39:28 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-06 06:43:04 -------- d-----w C:\Program Files\BitTorrent
2007-05-03 06:15:26 -------- d-----w C:\Program Files\WinPcap
2007-05-02 16:47:55 -------- d-----w C:\Program Files\Folder Lock
2007-05-01 10:58:00 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-01 09:21:17 -------- d-----w C:\Program Files\MSN Messenger
2007-04-30 23:13:25 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 20:09:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 10:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 10:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 10:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 10:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 10:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 10:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 10:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 10:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 10:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 23:50:44 -------- d-----w C:\Program Files\City Interactive
2007-04-06 08:53:40 53,248 ----a-w C:\WINDOWS\system32\suppdll.dll
2007-04-06 08:53:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 00:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
-
Pg2
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB}=C:\WINDOWS\system32\igej.dll [2007-05-22 01:59]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-31 23:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 22:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"Bphleb"="C:\Program Files\??sks\j?vaw.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=
"RunNarrator"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
C:\\dfndrff_e21.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glxmhsq]
C:\Documents and Settings\Owner\Application Data\?ppPatch\c?rss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\ipwins\ipwins.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\kybrdff_e21.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"c:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ncn3e446]
RUNDLL32.EXE w28ef03e.dll,n 0053e4410000000a28ef03e
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
C:\\nwnmc_4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
"C:\PROGRA~1\SMANTE~1\taskmgr.exe" -vt yazr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
C:\Program Files\outlook\outlook.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVModule]
C:\PROGRA~1\PRINTV~1\pvmodule.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
winlog.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwmf]
C:\PROGRA~1\COMMON~1\wwmf\wwmfm.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-06 07:43:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-22 08:52:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1090486217.job
2004-11-04 00:36:16 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 00:18:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WNBackup
C:\WINDOWS\ws2setup.log
C:\WINDOWS\wsdu.log
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\wwmf
C:\WINDOWS\xobglu16.dll
C:\WINDOWS\xobglu32.dll
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\yacs.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
**************************************************************************
Completion time: 2007-06-11 0:21:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-11 00:21
--- E O F ---
-
U R AWESOME!! Hijack This Log
Logfile of HijackThis v1.99.1
Scan saved at 12:32:42 a.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1177964292875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/...x/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
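The entries a helper picks out of a log like the one above can be screened mechanically. The Python below is an added example (not part of this thread, and not HijackThis or ComboFix code): it scores HijackThis v1.99 lines with the same heuristics applied in this thread: unnamed BHOs loading random-looking DLLs from system32, Run entries whose path contains characters HijackThis renders as `?`, known adware family names, AppInit_DLLs, services with missing binaries, and explicitly configured DNS servers. The sample lines are constructed after the log above; the severity labels and the `KNOWN_UNWANTED` list are the example's own choices, and every "high" is a candidate to look up, not a verdict.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example: not part of the thread and not HijackThis's own code.
SAMPLE_LOG is constructed, modelled on the poster's log.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, log line)

# Constructed sample lines in HijackThis format (subset modelled on the thread).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB} - C:\WINDOWS\system32\igej.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bphleb] "C:\Program Files\??sks\j?vaw.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
"""

# Adware / rogue-AV family names that appear in this thread; this list is the
# example's own and is meant to be extended per case.
KNOWN_UNWANTED = ("mywebsearch", "winantivirus", "errorsafe", "drivecleaner")

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic only: a short all-letter DLL name dropped straight into system32.
RANDOM_SYS32_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{4,10}\.dll$", re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "review": 1, "low": 2}


def classify(line: str) -> List[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    out: List[Finding] = []
    if any(name in body.lower() for name in KNOWN_UNWANTED):
        out.append(("high", "known adware/rogue family name", line))
    if sec == "O2":
        bho = BHO_RE.match(body)
        if bho and bho.group("path") == "(no file)":
            out.append(("low", "orphaned BHO entry, file already gone", line))
        elif bho and bho.group("name") == "(no name)" and RANDOM_SYS32_RE.match(bho.group("path")):
            out.append(("high", "unnamed BHO loading a random-looking system32 DLL; look the file up", line))
    elif sec == "O4":
        run = RUN_RE.match(body)
        # HijackThis prints '?' for characters outside the ANSI code page; a
        # Program Files path containing them is a look-alike directory, not a vendor's.
        if run and "?" in run.group("cmd"):
            out.append(("high", "autorun path contains non-ANSI characters", line))
    elif sec == "O20":
        out.append(("review", "AppInit_DLLs is loaded into every user-mode process; verify the DLL", line))
    elif sec == "O23" and "(file missing)" in body:
        out.append(("low", "service points at a missing binary", line))
    elif sec == "O17":
        out.append(("review", "explicit DNS servers; confirm they belong to the ISP, not a hijacker", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Classify every line and return the findings, most severe first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(classify(line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable: log order within a level
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (severity.upper(), reason, line))
```

Run against the constructed sample it reports the igej.dll BHO, the `??sks\j?vaw.exe` autorun and the MyWebSearch plugin as high, the AppInit_DLLs entry and the O17 name servers for review, and the orphaned BHO and missing-service binary as low-priority cleanup, which is the same split the helper makes in the next post.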
-
Visiting Fellow
Hi,
What a mess... We still have a lot to delete here, though.
Open Notepad and copy/paste the text in the quote box below into it:
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\igej.dll
C:\WINDOWS\system32\xrljvnocxl.exe
C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
C:\WINDOWS\system32\wlnwli.exe
Folder::
C:\bintheredunthat
C:\BFU
C:\SmitRem
C:\UWA7P
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\TClock
C:\Program Files\Common Files\wwmf
C:\Program Files\ErrorSafe Free
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
C:\WINDOWS\system32\T3QaSQ
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=-
"Bphleb"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glxmhsq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ncn3e446]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVModule]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwmf]
Save this as ComboFix-Do.txt
Then drag ComboFix-Do.txt onto ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
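What the script above asks ComboFix to do can be made explicit before it is run. The Python below is an added example, not ComboFix's own code (ComboFix's parser is not public, and it quarantines what it removes under C:\Qoobox rather than deleting it). It parses the `File::`, `Folder::` and `Registry::` sections, applies the .reg conventions the `Registry::` section uses (`[-KEY]` removes a key; `"name"=-` under a plain `[KEY]` header removes that value), translates each action into the cmd.exe / reg.exe command with the same effect, and flags lines that would hit a protected location. The sample script is a constructed subset of the one above; the `PROTECTED_DIRS` and `PROTECTED_PREFIXES` lists are the example's own.

```python
r"""Make the actions in a ComboFix script explicit before it is run.

Added example, not ComboFix's own code. ComboFix's parser is not public and
it quarantines what it removes under C:\Qoobox; this only shows what each
line asks for, as the cmd.exe / reg.exe command with the same effect.
"""
import re
from typing import List, Tuple

Action = Tuple[str, ...]  # ("file", path) | ("folder", path) | ("regkey", key) | ("regvalue", key, name)

# Constructed sample, a subset modelled on the script posted in the thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\igej.dll
C:\WINDOWS\system32\xrljvnocxl.exe
Folder::
C:\Program Files\ErrorSafe Free
C:\WINDOWS\system32\T3QaSQ
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1093E6A-80AD-895A-DD7C-F9ADDCCF77CB}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=-
"Bphleb"=-
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
# .reg conventions: [-KEY] deletes the key; under a plain [KEY] header, "name"=- deletes that value.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>HKEY_[A-Z_]+\\.*)\]$")
VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
              "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}
# Locations a removal script must never name outright; the example's own lists.
PROTECTED_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\program files",
                  r"c:\documents and settings")
PROTECTED_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\config\\")


def parse_script(text: str) -> List[Action]:
    """Turn the script text into a list of requested actions; reject unknown lines."""
    actions: List[Action] = []
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, current_key = sec.group(1), None
            continue
        if section == "File":
            actions.append(("file", line))
        elif section == "Folder":
            actions.append(("folder", line))
        elif section == "Registry":
            key = KEY_RE.match(line)
            if key:
                # A deleted key cannot take value lines; a plain header scopes the ones below it.
                current_key = None if key.group("delete") else key.group("key")
                if key.group("delete"):
                    actions.append(("regkey", key.group("key")))
                continue
            value = VALUE_DEL_RE.match(line)
            if value and current_key:
                actions.append(("regvalue", current_key, value.group("name")))
            else:
                raise ValueError("unparsed Registry:: line: " + line)
        else:
            raise ValueError("line outside any section: " + line)
    return actions


def short_key(key: str) -> str:
    hive, _, rest = key.partition("\\")
    return HIVE_SHORT.get(hive, hive) + "\\" + rest


def to_commands(actions: List[Action]) -> List[str]:
    """Equivalent cmd.exe / reg.exe commands (deletion, where ComboFix would quarantine)."""
    cmds = []
    for a in actions:
        if a[0] == "file":
            cmds.append('del /f /q "%s"' % a[1])
        elif a[0] == "folder":
            cmds.append('rd /s /q "%s"' % a[1])
        elif a[0] == "regkey":
            cmds.append('reg delete "%s" /f' % short_key(a[1]))
        elif a[0] == "regvalue":
            cmds.append('reg delete "%s" /v "%s" /f' % (short_key(a[1]), a[2]))
    return cmds


def check(actions: List[Action]) -> List[str]:
    """Problems a helper should fix before handing the script to a user."""
    problems = []
    for a in actions:
        if a[0] not in ("file", "folder"):
            continue
        p = a[1].lower().rstrip("\\")
        if not re.match(r"^[a-z]:\\", p):
            problems.append("not an absolute path: " + a[1])
        elif p in PROTECTED_DIRS or p.startswith(PROTECTED_PREFIXES):
            problems.append("targets a protected location: " + a[1])
    return problems


if __name__ == "__main__":
    acts = parse_script(SAMPLE_SCRIPT)
    for problem in check(acts):
        print("WARNING:", problem)
    print("\n".join(to_commands(acts)))
```

The parser refuses a `"name"=-` line that has no `[KEY]` header above it and any line outside a section, which is exactly the kind of copy/paste slip that makes a hand-typed script silently do nothing, or do the wrong thing.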
-
My Hero
ComboFix 07-06-09.5 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-11 1:29:41 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\BFU
C:\BFU\alcanshorty.bfu
C:\BFU\BFU.exe
C:\BFU\bfu.zip
C:\bintheredunthat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free
C:\DOCUME~1\Owner\APPLIC~1\PCTurbo Pro Free\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\pcturboproinstallerfree[2].exe
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\history.db
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\wwmf
C:\Program Files\Common Files\wwmf\wwmfa.lck
C:\Program Files\Common Files\wwmf\wwmfd\class-barrel
C:\Program Files\Common Files\wwmf\wwmfd\vocabulary
C:\Program Files\Common Files\wwmf\wwmfd\wwmfc.dll
C:\Program Files\Common Files\wwmf\wwmfl.lck
C:\Program Files\Common Files\wwmf\wwmfm.lck
C:\Program Files\ErrorSafe Free
C:\Program Files\ErrorSafe Free\activate.dat
C:\Program Files\ErrorSafe Free\appupdate.dat
C:\Program Files\ErrorSafe Free\bnlink.dat
C:\Program Files\ErrorSafe Free\DataBase.sav
C:\Program Files\ErrorSafe Free\errors.log
C:\Program Files\ErrorSafe Free\errorsafe.xml
C:\Program Files\ErrorSafe Free\ers.url
C:\Program Files\ErrorSafe Free\flash.ini
C:\Program Files\ErrorSafe Free\FRec.dll
C:\Program Files\ErrorSafe Free\FWraper.dll
C:\Program Files\ErrorSafe Free\FxCore.dll
C:\Program Files\ErrorSafe Free\InstHelp.exe
C:\Program Files\ErrorSafe Free\lapv.dat
C:\Program Files\ErrorSafe Free\license.rtf
C:\Program Files\ErrorSafe Free\lock.dat
C:\Program Files\ErrorSafe Free\MMFx.dll
C:\Program Files\ErrorSafe Free\Program.sav
C:\Program Files\ErrorSafe Free\pv.dat
C:\Program Files\ErrorSafe Free\sr.log
C:\Program Files\ErrorSafe Free\support.url
C:\Program Files\ErrorSafe Free\trace.log
C:\Program Files\ErrorSafe Free\UERS.dmp
C:\Program Files\ErrorSafe Free\unins000.dat
C:\Program Files\ErrorSafe Free\unins000.exe
C:\Program Files\ErrorSafe Free\update.log
C:\Program Files\ErrorSafe Free\updater.dat
C:\Program Files\ErrorSafe Free\wsres.sys
C:\Program Files\TClock
C:\Program Files\TClock\tcdll.tclock
C:\Program Files\TClock\tclock.exe
C:\Program Files\TClock\tclock.ini
C:\SmitRem
C:\SmitRem\delfiles.cmd
C:\SmitRem\Process.exe
C:\SmitRem\pv.exe
C:\SmitRem\RunThis.bat
C:\SmitRem\smitRem.exe
C:\SmitRem\swreg.exe
C:\UWA7P
C:\WINDOWS\system32\igej.dll
C:\WINDOWS\system32\T3QaSQ
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wlnwli.exe
C:\WINDOWS\system32\xrljvnocxl.exe
((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))
2007-06-11 00:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 00:22 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-10 21:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 19:29 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-09 18:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-08 23:48 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-06-08 23:48 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-06-08 23:48 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-06-08 23:48 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-06-08 23:48 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-06-08 23:48 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-06-08 23:48 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-06-08 23:48 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-06-08 22:03 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-08 22:03 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-08 22:03 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-08 22:03 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-08 22:03 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-08 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-08 20:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-08 11:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-08 11:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-08 08:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 18:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-31 18:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 18:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 18:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 18:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-28 20:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-26 09:01 <DIR> d-------- C:\Program Files\DC++
2007-05-25 22:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-25 22:44 2,301 --a------ C:\WINDOWS\mozver.dat
2007-05-25 15:34 <DIR> d-------- C:\Program Files\Google
2007-05-25 15:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-25 15:28 15,714,552 --a------ C:\Program Files\Google_Earth_BZXV.exe
2007-05-23 03:14 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-23 01:57 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-05-23 01:57 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-05-23 01:57 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-05-23 01:57 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-05-23 01:57 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-05-23 01:57 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-05-23 01:57 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-05-23 01:57 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-05-22 23:44 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 23:43 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-21 04:08 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ableton
2007-05-19 12:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
2007-05-14 18:54 <DIR> d-------- C:\Program Files\Vodei
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-09 04:28:07 -------- d-----w C:\Program Files\Easy Internet signup
2007-06-08 10:06:32 -------- d-----w C:\Program Files\DivX
2007-05-29 09:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 09:58:06 -------- d-----w C:\Program Files\Microsoft Works
2007-05-25 06:12:21 10,706 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-25 01:27:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-05-22 12:25:47 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-20 10:04:54 -------- d-----w C:\Program Files\Cooledit
2007-05-19 06:51:27 -------- d-----w C:\Program Files\VirtualDJ
2007-05-08 01:39:28 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-06 06:43:04 -------- d-----w C:\Program Files\BitTorrent
2007-05-03 06:15:26 -------- d-----w C:\Program Files\WinPcap
2007-05-02 16:47:55 -------- d-----w C:\Program Files\Folder Lock
2007-05-01 10:58:00 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-01 09:21:17 -------- d-----w C:\Program Files\MSN Messenger
2007-04-30 23:13:25 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 20:09:15 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 10:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 10:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 10:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 10:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 10:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 10:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 10:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 10:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 10:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 10:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 23:50:44 -------- d-----w C:\Program Files\City Interactive
2007-04-06 08:53:40 53,248 ----a-w C:\WINDOWS\system32\suppdll.dll
2007-04-06 08:53:40 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 00:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-31 23:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 22:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Magnify"=
"RunNarrator"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"c:\Program Files\Microsoft Money\System\mnyexpr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-06 07:43:13 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-22 08:52:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1090486217.job
2004-11-04 00:36:16 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 01:33:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WNBackup
C:\WINDOWS\ws2setup.log
C:\WINDOWS\wsdu.log
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\wwmf
C:\WINDOWS\xobglu16.dll
C:\WINDOWS\xobglu32.dll
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\yacs.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
scan completed successfully
hidden files: 24
**************************************************************************
Completion time: 2007-06-11 1:34:14
C:\ComboFix-quarantined-files.txt ... 2007-06-11 01:33
C:\ComboFix2.txt ... 2007-06-11 00:21
--- E O F ---
-
Visiting Fellow
Hi,
Delete next folder: C:\Qoobox
* Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Under Browsing History, click "Delete".
- Click "Delete Files", "Delete cookies" and "Delete history"
- Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu.
- Click the Clear now button below. A new window will pop up asking what to clear.
- Select all and click the Clear button again.
- Click OK to close the Options window.
* Clean other Temporary files + Recycle Bin:
- Go to Start > Run and type: cleanmgr and click OK.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
I still want you to do an additional scan though, because there will be a lot of leftovers still present - especially since you have been dealing with some malware for at least a year.
Do next, please.
Please download, install, and update AVG Anti-Spyware
- Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
- AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
- Close AVG Anti-Spyware and reboot!!
- Post the contents of the AVG Anti-Spyware log you saved in your next reply together with a new HijackThis log.